Nutanix PRISM SSL certificate (PoSH script)
6 min read
Based on my earlier script to import theSSL certificate for vCenter I decided to do the same for the Nutanix PRISM interface, the previous script could be easily reused with some small modifications as I had to add the port number to the URL where the certificate needs to be fetched from.
As an FYI: You can use your own certificate (either self signed or from an CA), as this is my lab environment I’m just using the default self signed certificate with the FQDN ‘prism.nutanix.local’ so I’ve tested this script using that exact FQDN.Best practise would be to change the certificate using the guidance of our Knowledge Base article: Installing an SSL Certificate (Login required).
As I was configuring the connection to my Nutanix cluster (again)I didn’t want to follow this procedure multiple times so I wrote a small PoSH script to walk you through these steps:
1) Ask you for the PRISMIP address
2) Ask you for the PRISMFQDN, the registered name in the default cert is ‘prism.nutanix.local’
3) Will check if the PRISMFQDN is reachable
4) If it is it will proceed with step 6
5) If it’s not reachable it will put the PRISM ClusterIP address and PRISMFQDN in your local HOSTS file
6) It will get the SSL Certificate from PRISM and import it into the “Trusted People” Computer store.
You can get your copy of the script here:
# kees@nutanix.com
# @kbaggerman on Twitter
# https://blog.myvirtualvision.com
# Created on Januari 20, 2015
#region script template
Param(
# vCenter IP Address
[Parameter(Mandatory = $true)]
[Alias('PRISM Cluster IP')] [string] $vcIP,
# vCenter FQDN
[Parameter(Mandatory = $true)]
[Alias('PRISM Cluster Name')] [string] $vcHostName
)
#endregion script template
#region script functions
function Get-WebsiteCertificate {
[CmdletBinding()]
param (
[Parameter(Mandatory=$false)] [System.Uri]
$Uri,
[Parameter()] [System.IO.FileInfo]
$OutputFile,
[Parameter()] [Switch]
$UseSystemProxy,
[Parameter()] [Switch]
$UseDefaultCredentials,
[Parameter()] [Switch]
$TrustAllCertificates
)
try {
$request = [System.Net.WebRequest]::Create($Uri)
if ($UseSystemProxy) {
$request.Proxy = [System.Net.WebRequest]::DefaultWebProxy
}
if ($UseSystemProxy -and $UseDefaultCredentials) {
$request.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
}
if ($TrustAllCertificates) {
# Create a compilation environment
$Provider=New-Object Microsoft.CSharp.CSharpCodeProvider
$Compiler=$Provider.CreateCompiler()
$Params=New-Object System.CodeDom.Compiler.CompilerParameters
$Params.GenerateExecutable=$False
$Params.GenerateInMemory=$True
$Params.IncludeDebugInformation=$False
$Params.ReferencedAssemblies.Add("System.DLL") > $null
$TASource=@'
namespace Local.ToolkitExtensions.Net.CertificatePolicy {
public class TrustAll : System.Net.ICertificatePolicy {
public TrustAll() {
}
public bool CheckValidationResult(System.Net.ServicePoint sp,
System.Security.Cryptography.X509Certificates.X509Certificate cert,
System.Net.WebRequest req, int problem) {
return true;
}
}
}
'@
$TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
$TAAssembly=$TAResults.CompiledAssembly
## We now create an instance of the TrustAll and attach it to the ServicePointManager
$TrustAll=$TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
[System.Net.ServicePointManager]::CertificatePolicy=$TrustAll
}
$response = $request.GetResponse()
$servicePoint = $request.ServicePoint
$certificate = $servicePoint.Certificate
if ($OutputFile) {
$certBytes = $certificate.Export(
[System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
)
[System.IO.File]::WriteAllBytes( $OutputFile, $certBytes )
$OutputFile.Refresh()
return $OutputFile
} else {
return $certificate
}
} catch {
Write-Error "Failed to get website certificate. The error was '$_'."
return $null
}
<#
.SYNOPSIS
Retrieves the certificate used by a website.
.DESCRIPTION
Retrieves the certificate used by a website. Returns either an object or file.
.PARAMETER Uri
The URL of the website. This should start with https.
.PARAMETER OutputFile
Specifies what file to save the certificate as.
.PARAMETER UseSystemProxy
Whether or not to use the system proxy settings.
.PARAMETER UseDefaultCredentials
Whether or not to use the system logon credentials for the proxy.
.PARAMETER TrustAllCertificates
Ignore certificate errors for certificates that are expired, have a mismatched common name or are self signed.
.EXAMPLE
PS C:\> Get-WebsiteCertificate "https://www.gmail.com" -UseSystemProxy -UseDefaultCredentials -TrustAllCertificates -OutputFile C:\gmail.cer
.INPUTS
Does not accept pipeline input.
.OUTPUTS
System.Security.Cryptography.X509Certificates.X509Certificate, System.IO.FileInfo
#>
}
function Import-Certificate {
<#
.SYNOPSIS
Imports certificate in specified certificate store.
.DESCRIPTION
Imports certificate in specified certificate store.
.PARAMETER CertFile
The certificate file to be imported.
.PARAMETER StoreNames
The certificate store(s) in which the certificate should be imported.
.PARAMETER LocalMachine
Using the local machine certificate store to import the certificate
.PARAMETER CurrentUser
Using the current user certificate store to import the certificate
.PARAMETER CertPassword
The password which may be used to protect the certificate file
.EXAMPLE
PS C:\> Import-Certificate C:\Temp\myCert.cer
Imports certificate file myCert.cer into the current users personal store
.EXAMPLE
PS C:\> Import-Certificate -CertFile C:\Temp\myCert.cer -StoreNames my
Imports certificate file myCert.cer into the current users personal store
.EXAMPLE
PS C:\> Import-Certificate -Cert $certificate -StoreNames my -StoreType LocalMachine
Imports the certificate stored in $certificate into the local machines personal store
.EXAMPLE
PS C:\> Import-Certificate -Cert $certificate -SN my -ST Machine
Imports the certificate stored in $certificate into the local machines personal store using alias names
.EXAMPLE
PS C:\> ls cert:\currentUser\TrustedPublisher | Import-Certificate -ST Machine -SN TrustedPublisher
Copies the certificates found in current users TrustedPublishers store to local machines TrustedPublisher using alias
.INPUTS
System.String|System.Security.Cryptography.X509Certificates.X509Certificate2, System.String, System.String
.OUTPUTS
NA
.NOTES
NAME: Import-Certificate
AUTHOR: Patrick Sczepanksi (Original anti121)
VERSION: 20110502
#Requires -Version 2.0
.LINK
http://poshcode.org/2643
http://poshcode.org/1937 (Link to original script)
#>
[CmdletBinding()]
param
(
[Parameter(ValueFromPipeline=$true,Mandatory=$true, Position=0, ParameterSetName="CertFile")]
[System.IO.FileInfo]
$CertFile,
[Parameter(ValueFromPipeline=$true,Mandatory=$true, Position=0, ParameterSetName="Cert")]
[System.Security.Cryptography.X509Certificates.X509Certificate2]
$Cert,
[Parameter(Position=1)]
[Alias("SN")]
[string[]] $StoreNames = "My",
[Parameter(Position=2)]
[Alias("Type","ST")]
[ValidateSet("LocalMachine","Machine","CurrentUser","User")]
[string]$StoreType = "CurrentUser",
[Parameter(Position=3)]
[Alias("Password","PW")]
[string] $CertPassword
)
begin
{
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Security")
}
process
{
switch ($pscmdlet.ParameterSetName) {
"CertFile" {
try {
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $($CertFile.FullName),$CertPassword
}
catch {
Write-Error ("Error reading '$CertFile': $_ .") -ErrorAction:Continue
}
}
"Cert" {
}
default {
Write-Error "Missing parameter:`nYou need to specify either a certificate or a certificate file name."
}
}
switch -regex ($storeType) {
"Machine$" { $StoreScope = "LocalMachine" }
"User$" { $StoreScope = "CurrentUser" }
}
if ( $Cert ) {
$StoreNames | ForEach-Object {
$StoreName = $_
Write-Verbose " [Import-Certificate] :: $($Cert.Subject) ($($Cert.Thumbprint))"
Write-Verbose " [Import-Certificate] :: Import into cert:\$StoreScope\$StoreName"
if (Test-Path "cert:\$StoreScope\$StoreName") {
try
{
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, $StoreScope
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($Cert)
if ( $CertFile ) {
Write-Verbose " [Import-Certificate] :: Successfully added '$CertFile' to 'cert:\$StoreScope\$StoreName'."
} else {
Write-Verbose " [Import-Certificate] :: Successfully added '$($Cert.Subject) ($($Cert.Thumbprint))' to 'cert:\$StoreScope\$StoreName'."
}
}
catch
{
Write-Error ("Error adding '$($Cert.Subject) ($($Cert.Thumbprint))' to 'cert:\$StoreScope\$StoreName': $_ .") -ErrorAction:Continue
}
if ( $store ) {
$store.Close()
}
}
else {
Write-Warning "Certificate store '$StoreName' does not exist. Skipping..."
}
}
} else {
Write-Warning "No certificates found."
}
}
end {
Write-Host "Finished importing certificates."
}
}
#endregion script functions
#region script checks
# Check DNS and skip hosts file modification if the name exists in DNS
if(!(Test-Connection -Cn $vcHostNAme -BufferSize 16 -Count 1 -ea 0 -quiet))
{
Write-Host "Problem connecting to $vcHostNAme"
Write-Host "Flushing DNS"
ipconfig /flushdns | out-null
Write-Host "Registering DNS"
ipconfig /registerdns | out-null
Write-Host "Re-pinging $vcHostNAme"
if(!(Test-Connection -Cn $vcHostNAme -BufferSize 16 -Count 1 -ea 0 -quiet))
{Write-Host "Problem still exists in connecting to $vcHostNAme, setting Hosts file"}
ac -Encoding UTF8 C:\Windows\system32\drivers\etc\hosts "$vcIP $vcHostName"
}
Write-Host "$vcHostNAme can be reached, proceeding with script"
#endregion script checks
#region Get the certificate and import it
#Import certificate into Trusted Peolpe Computer Cert Store
$SecSettings = "https://"
$SecvcHostName = $SecSettings+$vcHostName
Get-WebsiteCertificate $SecvcHostName local.cer -trust | Out-Null
Import-Certificate -certfile local.cer -StoreNames TrustedPeople -StoreType LocalMachine | Out-Null
Write-Host "The SSL Certificate has been installed"
#Cleaning up
Remove-Item local.cer
#endregion Get the Certificate and import it
The following two tabs change content below.
Kees Baggerman
Kees Baggerman is Senior Technical Director — Performance & Solutions Engineering R&D at Nutanix, where he leads a global team responsible for defining how enterprise applications are delivered on the Nutanix platform. A former Citrix Technology Professional and NVIDIA Enterprise Platform Advisor, he has spent 15+ years driving EUC strategy and technical direction across architecture, product, and customer success. He has been writing here since 2011 — sharing what he learns at the intersection of platform engineering and enterprise IT.
Latest posts by Kees Baggerman (see all)
- Your Cloud Desktop Is Running on Yesterday’s Silicon - May 21, 2026
- When the Orchard Ships Production Software: AI-Augmented Development in the Real World - May 17, 2026
- Nutanix Documentation Script v5.0: Visual Reports, Brand Templates, and Seven Embedded Diagrams - May 15, 2026
- Nutanix AHV and Citrix MCS: Adding a persistent disk via Powershell – v2 - November 19, 2019
- Recovering a Protection Domain snapshot to a VM - September 13, 2019
http://winplat.net/2017/08/08/install-certificate-on-nutanix-prism/