• You see a critical alarm in the vSphere Client or vSphere Web Client for a Certificate expiry.
• A CA Certificate that is in use in the environment is expiring or expired.
• You have already renewed the certificates and have a new, valid CA Certificate in place. Remove expired old SSL certificate.
• Attempts to remove the expired CA Certificate using the Web Client or other methods fail, and the Certificate is copied back to VMware Endpoint Certificate Store (VECS) after deletion.
• Remove/delete trusted root certificate.

VMware vCenter Server Appliance 6.5.x

VMware vCenter Server Appliance 6.7.x 

VMware vCenter Server 7.0.x

VMware vCenter Server 8.0.x

1. Download the attached removeroot.sh script attached to this article
2. Upload to attached script to the VCSA with embedded PSC or external PSC in the /tmp folder, or copy its contents to a text file on the appliance using vi

3. cd to /tmp folder
4. Run chmod +x removeroot.sh to make the file executable
5. Run ./removeroot.sh

6. Enter the number of the certificate you want to remove from the list above, e.g. 2, then enter the administrator password for your SSO domain

7. Restart all services on the PSCs and on the vCenter Servers and ensure that all services start and respond normally and that you can log in and manage the environment.

# service-control --stop --all

# service-control --start --all

• Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store(VECS) (2146011)
• VMware Skyline Health Diagnostics for vSphere - FAQ
• Refer to KB CertificateStatusAlarm - There are certificates that expired or about to expire / Certificate Status Change Alarm Triggered on VMware vCenter Server for more information on removing expired certificates from other certificate stores.

• Proceed with EXTREME CAUTION. If the wrong Certificate is un-published and removed from VECS, this can damage the environment which can be irreparable.
• Be absolutely certain that the Certificate you are removing is the correct Certificate to remove.
• Validate the root certificate which is about to expire is renewed and all certificates from this root certificate are also renewed/replaced before un-publishing.

• Ensure that all Platform Services Controllers in the federated environment are shut down and take a snapshot of all of them while they are powered off. They should be powered down to ensure that no replication takes place partially during the snapshot operation. Power On all the PSCs when the snapshot operation is complete. Also, take snapshots of the vCenter Systems while powered off. 
• Snapshot revert (If required to recover from a damage) should happen on all the nodes to the same powered off snapshot state to ensure replication data consistency.