This is a known behavior; the cleanup has to be performed manually. The issue does not occur with vSphere 6.7 and later, as the PSC is deprecated there.
Workaround:
To work around this issue, revoke the expired certificates manually with certool, using the steps below.
Note: It is recommended to take a snapshot of all Platform Service Controllers per vCenter domain before proceeding with steps below.
- Open an SSH session (for example with PuTTY) to the PSC appliance and log in.
- Run the command below to export all active (not yet revoked) certificates to /tmp/certs.txt:
/usr/lib/vmware-vmca/bin/certool --enumcert --filter active list > /tmp/certs.txt
- Search the export for expired certificates by date. Grepping for "not after" lists the expiration date of every certificate, so the expired ones can be isolated from that list:
For example: grep -i "not after" /tmp/certs.txt
- Create one .crt file per expired certificate, containing only that certificate's PEM block.
Note: If there are five expired certificates, create five .crt files, each containing exactly one expired certificate.
For example:
- If the first expired certificate has been saved as expire_1.crt, revoke it with:
/usr/lib/vmware-vmca/bin/certool --revokecert --cert=expire_1.crt
- Repeat the revoke command for each of the remaining expired certificate files.
- Once all expired certificates have been revoked, stop and start the services again with the following command:
service-control --stop --all && service-control --start --all
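The steps above can be scripted so that the expired certificates are picked out by date and revoked one file at a time, as the procedure requires. The following is an added example, not part of the KB article or of VMware's tooling: it assumes that the certool dump prints an openssl-style "Not After :" line for each certificate followed by that certificate's PEM block (the article's own grep relies on the "not after" lines), it uses the same certool path and flags as the steps above, and it works on a constructed sample dump rather than a real /tmp/certs.txt. It only prints the revoke commands unless DO_REVOKE=1 is set, so the list can be reviewed, and the snapshot taken, before anything is revoked.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): automate the manual steps above.
# Splits a certool --enumcert dump into one .crt file per certificate, picks
# out the certificates whose "Not After" date is already in the past, and
# prints (or, with DO_REVOKE=1, runs) the certool --revokecert command for
# each one. The dump format is assumed to be an openssl-style text dump
# followed by the PEM block; the sample below is constructed.
set -eu

CERTOOL=/usr/lib/vmware-vmca/bin/certool   # path used by the KB article

# Write a constructed sample dump with three certificates: two expired, one
# still valid. Subjects and base64 bodies are placeholders, not real data.
write_sample_dump() {
    cat > "$1" <<'EOF'
Certificate:
        Serial Number: 10
        Subject: CN=sample-sso-signing
        Validity
            Not Before: Mar 10 12:00:00 2015 GMT
            Not After : Mar  9 12:00:00 2017 GMT
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJfRVhQSVJFRF9DRVJUXzEK
-----END CERTIFICATE-----
Certificate:
        Serial Number: 11
        Subject: CN=sample-machine-cert
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Jan  1 00:00:00 2099 GMT
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJfVkFMSURfQ0VSVF8yCg==
-----END CERTIFICATE-----
Certificate:
        Serial Number: 12
        Subject: CN=sample-solution-user
        Validity
            Not Before: Jun 30 08:15:00 2017 GMT
            Not After : Jun 29 08:15:00 2019 GMT
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJfRVhQSVJFRF9DRVJUXzMK
-----END CERTIFICATE-----
EOF
}

# Turn "Mar  9 12:00:00 2017 GMT" into the sortable number 20170309120000.
not_after_key() {
    echo "$1" | awk '{
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) if (m[i] == $1) mon = i
        split($3, t, ":")
        printf "%04d%02d%02d%02d%02d%02d\n", $4, mon, $2, t[1], t[2], t[3]
    }'
}

# Succeeds when the Not After value ($1) lies before the reference time
# ($2, YYYYmmddHHMMSS; defaults to now in UTC).
is_expired() {
    local ref=${2:-$(date -u +%Y%m%d%H%M%S)}
    [ "$(not_after_key "$1")" -lt "$ref" ]
}

# Split the dump ($1) into $2/cert_N.crt, one PEM block per file, and print
# "<file> <Not After value>" for each certificate.
split_certs() {
    awk -v dir="$2" '
        /Not After/ { sub(/^.*Not After[ ]*:[ ]*/, ""); na = $0 }
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert_" n ".crt"; inpem = 1 }
        inpem { print > f }
        /-----END CERTIFICATE-----/ { close(f); inpem = 0; print f " " na; na = "" }
    ' "$1"
}

# Print the path of every expired certificate file. $3 is an optional
# reference time so a run can be reproduced; a block with no Not After line
# is reported and skipped rather than guessed at.
find_expired() {
    split_certs "$1" "$2" | while read -r file na; do
        if [ -z "$na" ]; then
            echo "warning: no Not After line before $file, not touching it" >&2
            continue
        fi
        if is_expired "$na" "${3:-}"; then
            echo "$file"
        fi
    done
}

# Revoke every expired certificate, one file per certool call. Dry run
# (prints the commands) unless DO_REVOKE=1 is set.
revoke_expired() {
    find_expired "$1" "$2" "${3:-}" | while read -r crt; do
        if [ "${DO_REVOKE:-0}" = 1 ]; then
            "$CERTOOL" --revokecert --cert="$crt"
        else
            echo "would run: $CERTOOL --revokecert --cert=$crt"
        fi
    done
}

# Demo on the constructed sample; on a real PSC point it at /tmp/certs.txt.
workdir=$(mktemp -d)
write_sample_dump "$workdir/certs.txt"
revoke_expired "$workdir/certs.txt" "$workdir"
```

On a PSC, replace the sample with the real export (for example `revoke_expired /tmp/certs.txt /tmp/expired`), check the "would run" lines against the grep output from the step above, then rerun with DO_REVOKE=1 and restart the services as in the last step. The date comparison deliberately avoids `date -d` and works on a sortable string, so it behaves the same on any POSIX shell, and the optional reference-time argument makes the selection testable without waiting for certificates to expire.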