TLS Chain of Trust when using SSL Inspection with VCF Download Tool (VCFDT)
SSL traffic inspection is commonly deployed by Enterprises to ensure that they have visibility into encrypted connections, enabling their organization to reduce security risks and enforce acceptable use policies.
When using the VCF Download Tool (VCFDT) behind such a system, the connection first terminates at your SSL inspection system, and you may come across the following error: Unable to connect to the Depot Server
Taking a closer look at the VCFDT log file, we can quickly identify the problem: VCFDT cannot validate the certificate chain presented by the SSL inspection system, as you can see from this snippet:
Error checking certificate chain CN=depot.vcf.lab, OU=R&D, O=WilliamLam, L=Palo Alto, ST=CA, C=US, SerialNumber=91513477326140466830150858710326987151105506009,CN=WilliamLam-RootCA, OU=R&D, O=WilliamLam, L=Palo Alto, ST=CA, C=US, SerialNumber=659677038159141611554120742063414354480349425756 for validity. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To resolve this problem, we need to add the Root CA signing certificate into the Java keystore that VCFDT uses, so that it can establish the chain of trust.
Step 1 - Download the Root CA certificate from your SSL inspection system; this is the certificate that will be added to the Java keystore used by VCFDT to establish the chain of trust.
Step 2 - Identify the path to the Java keystore that is used by VCFDT. By default, if you are running VCFDT on a Linux or Windows system, the local Java keystore located within the VCFDT directory will be used:
- Linux: jre/lin64/lib/security/cacerts
- Windows: jre/win32/lib/security/cacerts
Note: The default Java keystore password is changeit
If you happen to be running VCFDT on Apple macOS, or are using a custom Java runtime, look in the vdt.log file for the following entry, which names the keystore actually in use:
Creating DynamicTrustManager using trust store /usr/local/Cellar/openjdk@21/21.0.9/libexec/openjdk.jdk/Contents/Home/lib/security/cacerts
Step 3 - Import the Root CA certificate into the Java keystore using either the Java keytool that is included with VCFDT or the one installed as part of your custom Java runtime.
- Linux: jre/lin64/bin/keytool
jre/lin64/bin/keytool -importcert -file rootCA.pem -keystore jre/lin64/lib/security/cacerts -storepass changeit -alias depot.vcf.lab -noprompt
- Windows: jre/win32/bin/keytool
jre/win32/bin/keytool -importcert -file rootCA.pem -keystore jre/win32/lib/security/cacerts -storepass changeit -alias depot.vcf.lab -noprompt
Since I am using a custom Java runtime on macOS, the command looks like the following:
keytool -importcert -file rootCA.pem -keystore /usr/local/Cellar/openjdk@21/21.0.9/libexec/openjdk.jdk/Contents/Home/lib/security/cacerts -alias depot.vcf.lab -noprompt
You will be prompted to accept the certificate and after that, you can run the vcf-download-tool and you should no longer run into the chain of trust issue.
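The three steps above boil down to two lookups in vdt.log followed by one keytool call. The script below is an added example, not part of the original post and not a VCFDT tool: it pulls the trust store path and the root CN of the rejected chain out of vdt.log, composes the matching import command, and optionally checks that the PEM you exported really is that root and that the alias is not already present (keytool refuses to import over an existing alias). The sample log lines are constructed from the two entries quoted above; the function names, the KEYSTORE_PASS variable and the alias argument are my own choices, and the script assumes vdt.log keeps the wording of those two entries.

```shell
#!/bin/sh
# Added example (not from the original post). Mines vdt.log for the trust store
# VCFDT loaded and the root of the chain it rejected, then builds the keytool call.
set -eu

# Constructed sample vdt.log, built from the two entries quoted in the post.
VDT_LOG=$(mktemp)
cat > "$VDT_LOG" <<'EOF'
Creating DynamicTrustManager using trust store /usr/local/Cellar/openjdk@21/21.0.9/libexec/openjdk.jdk/Contents/Home/lib/security/cacerts
Error checking certificate chain CN=depot.vcf.lab, OU=R&D, O=WilliamLam, L=Palo Alto, ST=CA, C=US, SerialNumber=91513477326140466830150858710326987151105506009,CN=WilliamLam-RootCA, OU=R&D, O=WilliamLam, L=Palo Alto, ST=CA, C=US, SerialNumber=659677038159141611554120742063414354480349425756 for validity. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
EOF

# Trust store path from the "Creating DynamicTrustManager using trust store ..." entry
# (last occurrence wins, in case the tool was restarted with a different runtime).
vdt_truststore() {
    sed -n 's/.*Creating DynamicTrustManager using trust store \(.*\)$/\1/p' "$1" | tail -n 1
}

# Root CN of the rejected chain. The "Error checking certificate chain" entry lists the
# leaf DN followed by the DNs above it, so the last CN= on the line is the top of the chain.
vdt_rejected_root_cn() {
    grep 'Error checking certificate chain' "$1" | tail -n 1 \
        | grep -o 'CN=[^,]*' | tail -n 1 | sed 's/^CN=//'
}

# Compose the import command: $1 vdt.log, $2 PEM exported from the inspection system,
# $3 alias to store it under. Password defaults to the stock "changeit".
vdt_import_command() {
    ks=$(vdt_truststore "$1")
    printf 'keytool -importcert -file %s -keystore %s -storepass %s -alias %s -noprompt\n' \
        "$2" "$ks" "${KEYSTORE_PASS:-changeit}" "$3"
}

# Sanity check before importing: does the PEM's subject CN match the root the log
# complained about? Needs openssl on PATH; returns non-zero on mismatch.
vdt_pem_matches_rejected_root() {
    want=$(vdt_rejected_root_cn "$1")
    have=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//' | grep -o 'CN=[^,]*' | head -n 1 | sed 's/^CN=//')
    [ "$want" = "$have" ]
}

# Import only if the alias is not already in the keystore. Needs keytool on PATH.
vdt_import_if_missing() {
    ks=$(vdt_truststore "$1")
    if keytool -list -keystore "$ks" -storepass "${KEYSTORE_PASS:-changeit}" -alias "$3" >/dev/null 2>&1; then
        echo "alias $3 already present in $ks"
        return 0
    fi
    keytool -importcert -file "$2" -keystore "$ks" -storepass "${KEYSTORE_PASS:-changeit}" -alias "$3" -noprompt
}

# Stand-alone run: show what the log says and the command that follows from it.
echo "trust store : $(vdt_truststore "$VDT_LOG")"
echo "rejected root: $(vdt_rejected_root_cn "$VDT_LOG")"
vdt_import_command "$VDT_LOG" rootCA.pem depot.vcf.lab
```

On a real system, replace the constructed VDT_LOG with the path to your vdt.log, run vdt_pem_matches_rejected_root against the PEM you downloaded in Step 1, and only then call vdt_import_if_missing; a CN mismatch usually means you exported an intermediate or the wrong CA from the inspection appliance.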
Additional Tip
If you have already set up your own VCF Offline Depot and would like VCFDT to connect to that local depot instead, you can edit conf/application-prodv2.properties within the VCFDT directory and update the following properties with your desired values:
- lcm.depot.adapter.port=8443
- lcm.depot.adapter.host=depot.vcf.lab
If you would like to use plain HTTP instead of HTTPS, you can add the following to the configuration file:
- lcm.depot.adapter.httpsEnabled=false