To un-publish expired, expiring, or unwanted certificates from the TRUSTED_ROOTS VECS store, run the script from /tmp:
cd /tmp
chmod +x clean_trusted_roots.sh
./clean_trusted_roots.sh
Sample output
root@vc [ ~ ]# ./clean_trusted_roots.sh
This Script validates and allows to clear Trusted Roots Certificate Stores from SSO Domain.
Proceed with EXTREME CAUTION. If the wrong Certificate is un-published and removed from VECS, this can damage the environment which can be irreparable. This may happen if the replication between PSC's is not working.
Be absolutely certain that the Certificate you are removing is the correct Certificate to remove.
Validate the root certificate which is about to expire is renewed and all certificates from this root certificate are also renewed/replaced before un-publishing.
Mandatory precaution:
Ensure that all Platform Services Controllers in the federated environment are shut down and take a snapshot of all of them while they are powered off. They should be powered down to ensure that no replication takes place partially during the snapshot operation. Power On all the PSCs when the snapshot operation is complete. Also, take snapshots of the vCenter Systems while powered off.
Snapshot revert (If required to recover from a damage) should happen on all the nodes to the same powered off snapshot state to ensure replication data consistency.
#######
Please enter the administrator@vsphere.local password:
Note: You may receive an error when you try to run the script:
bash: ./clean_trusted_roots.sh: /bin/bash^M: bad interpreter: No such file or directory
This error is caused by DOS carriage returns added to the script when copying from a Windows-based text editor. To resolve this problem, run the following command and rerun the script:
sed -i -e 's/\r$//' clean_trusted_roots.sh
Removable not in use Certificates in SSO domain are:
There are no removable Certificate CN ID's from Trusted Roots Store.
There was an error reading the Certificates, please make sure your entered correct SSO admin password and all services are running in all VCSA's in SSO and check replication between PSC's
If the credentials are correct, the script runs and you should see output like the following:
Sample output
Removable not in use Certificates in SSO domain are:
154AC6461E82344D1A03E5B72FDA9626F5C03912
CN ID's file is not empty, continuing ...
Do you want to proceed removing the Removable CN ID's (Y|y|N|n)y
Certificate retrieved successfully
current CN ID's in use after clean up are:
Number of certificates: 2
#1:
CN(id): 242B83C799A98461844002432D0AE9F1EE87C6AF
Subject DN: CN=vc2.example.com, DC=vsphere, DC=local, C=US, ST=California, O=vc2.example.com, OU=VMware Engineering
CRL present: yes
#2:
CN(id): AF681738D9368F787D28922D7402CC917FC049FA
Subject DN: CN=vc1.example.com, DC=vsphere, DC=local, C=US, ST=California, O=vc1.example.com, OU=VMware Engineering
CRL present: yes
After the cleanup completes, restart all vCenter services:
service-control --stop --all && service-control --start --all
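A read-only pre-flight check for the precautions above, added here as an example and not part of VMware's clean_trusted_roots.sh: it detects the DOS line endings behind the bad-interpreter error, and lists every TRUSTED_ROOTS alias with its expiry status so an expiring root can be confirmed as renewed before anything is un-published. It assumes the VCSA path for vecs-cli shown in the script and an openssl binary in PATH.

```shell
#!/bin/bash
# Added pre-flight audit (not VMware's clean_trusted_roots.sh). Read-only: nothing is
# un-published. Assumes the VCSA path for vecs-cli below and an openssl binary in PATH.
VECS_CLI=${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}

# Exit 0 when the file carries DOS carriage returns, the cause of the
# "/bin/bash^M: bad interpreter" error shown above.
has_crlf() { grep -q "$(printf '\r')" "$1"; }

# Strip the carriage returns in place, the same fix the note above gives.
strip_crlf() { sed -i -e 's/\r$//' "$1"; }

# Classify a PEM certificate file: EXPIRED, EXPIRING (within $2 days, default 30) or OK.
cert_status() {
  local pem=$1 days=${2:-30}
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo EXPIRED
  elif ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    echo EXPIRING
  else
    echo OK
  fi
}

# Print one line per TRUSTED_ROOTS entry: status, SHA-1 alias (the "CN ID" in the script
# output), subject. Review EXPIRED/EXPIRING roots against the renewed chain before cleanup.
audit_trusted_roots() {
  local alias tmp
  tmp=$(mktemp)
  "$VECS_CLI" entry list --store TRUSTED_ROOTS |
    sed -n 's/^Alias[[:space:]]*:[[:space:]]*//p' |
    while read -r alias; do
      "$VECS_CLI" entry getcert --store TRUSTED_ROOTS --alias "$alias" > "$tmp"
      printf '%s\t%s\t%s\n' "$(cert_status "$tmp")" "$alias" \
        "$(openssl x509 -in "$tmp" -noout -subject)"
    done
  rm -f "$tmp"
}

# Run the audit only where vecs-cli exists (a VCSA); elsewhere the functions can be sourced.
if [ -x "$VECS_CLI" ]; then
  audit_trusted_roots
fi
```

Run it before clean_trusted_roots.sh and keep the output with the snapshots as a record of the store's state prior to cleanup.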
The manual method for performing these steps is described in the KB article Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS).
VMware Skyline Health Diagnostics for vSphere - FAQ
Refer to the KB article CertificateStatusAlarm - There are certificates that expired or about to expire / Certificate Status Change Alarm Triggered on VMware vCenter Server for more information on removing expired certificates from other certificate stores.
Impact/Risks: