Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store(VECS)
search cancel

Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store(VECS)

book

Article ID: 326288

calendar_today

Updated On: 04-01-2025

Products

VMware vCenter Server

Issue/Introduction

  • There is a critical alarm in the vSphere Client for a certificate expiry
  • A CA certificate that is in use in the environment is expiring or expired
  • The certificates have already been renewed and have a new, valid CA certificate in place. Remove expired old SSL certificate.
  • Attempts to remove the expired CA certificate using the vSphere Client or other methods fail, and the certificate is copied back to VMware Endpoint Certificate Store (VECS) after deletion
  • Remove/delete trusted root certificate

Environment

VMware vCenter Server 6.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

Certificates are copied back to the VECS store because the CA certificate which is expiring is published to the VMware Directory Service (VMDIR).
When the certificate is removed from VECS, VMDIR adds the certificate back to VECS during a sync operation.
This is done in order to ensure the integrity of the TRUSTED_ROOTS Certificate store, as deletion of an incorrect certificate from this store could cause the environment to be irreparably damaged.

Resolution

To un-publish expired/expiring certificates from TRUSTED_ROOTS VECS Store:

  1. List the certificates using vecs-cli.
    • Windows vCenter Server path: C:\Program Files\VMware\vCenter Server\vmafdd
    • vCenter Server Appliance path: /usr/lib/vmware-vmafd/bin
    Windows:
    C:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe entry list --store TRUSTED_ROOTS --text | more

    Appliance:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less
  2. Find the certificate that needs to be removed and make a note of the Alias and the X509v3Subject Key Identifier.

    Example:
    Alias : 2b724e6dd2####################c3369e2e7f
    X509v3 Subject Key Identifier:
    ED:CF:46:E5:CA:A6:##:##:##:##:##:##:##:##:2C:08:53:10:F9:18
    Note: There could be several certificates to remove. Any expired and not in use certificates should be removed to avoid certificate related alarms.



  3. List the trusted certs published to the VMware Directory Service (administrator@vsphere.local password required). This command is in the same location as vecs-cli:
    Windows: 
    C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli trustedcert list

    Appliance:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
    This will output a list of certificates published to VMDIR.

    Example:
    C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli.exe trustedcert list
    Enter password for administrator@vsphere.local:
    Number of certificates: 3

    #1:
    CN(id): EDCF46E5CAA6################2C085310F918
    Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc1, OU=VMware
    CRL present: yes

    #2:
    CN(id): 72B1C4C56A1A################A29B78531ED0
    Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc2, OU=VMware
    CRL present: yes

    #3:
    CN(id): 7AF0962806F5################DED4F853FF70
    Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc1, OU=VMware
    CRL present: yes


  4. Locate the certificate's CN (thumbprint) which matches the Key Identifier from Step 2 above. In this example, the certificate will be the first one in the list with the following CN:

    EDCF46E5CAA6################2C085310F918

  5. Using the ID located in Step 4, run the following command, adjusting appropriately for the environment:
    Windows:
    C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli trustedcert get --id EDCF46E5CAA6################2C085310F918 --login administrator@vsphere.local --password <PASSWORD> --outcert C:\temp\oldcert.cer

    Appliance:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id EDCF46E5CAA6################2C085310F918 --login administrator@vsphere.local --password <PASSWORD> --outcert /tmp/oldcert.cer
  6. Un-publish the CA certificate from VMDIR
    Windows:
    C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli trustedcert unpublish --cert C:\temp\oldcert.cer

    Appliance:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /tmp/oldcert.cer
  7. Confirm that the Certificate was un-published:
    Windows: 
    C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli trustedcert list

    Appliance:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
  8. Delete the certificate from VECS utilizing the Alias located in Step 2:
    Windows: 
    C:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli entry delete --store TRUSTED_ROOTS --alias 2b724e6dd2####################c3369e2e7f

    Appliance:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias 2b724e6dd2####################c3369e2e7f
  9. Confirm that the certificate was deleted:
    Windows: 
    C:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli entry list --store TRUSTED_ROOTS --text | findstr Alias

    Appliance: 
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep Alias
  10. Force a refresh of VECS. This will ensure updates are pushed to the other PSCs in the environment if there is more than one.
    Windows: 
    C:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli force-refresh

    Appliance: 
    /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
  11. Confirm that the certificate is no longer present. The same command can be ran on all the PSCs to ensure the refresh done in Step 10 was successful.
    Windows: 
    C:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli entry list --store TRUSTED_ROOTS --text | findstr Alias

    Appliance: 
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep Alias
  12. Restart all services on the PSCs and vCenter Servers, ensuring that all services start and respond normally, and that login and management of the environment are functioning properly.

Additional Information

Note:

  • There might be certain situations were there are still older entries in TRUSTED_ROOTS that do not contain the certificate option "X509v3 Subject Key Identifier".
  • The best way to deal with this kind of scenario is to compare the CN(id) information of the other entries provided by dir-cli with the Subject Key Identifiers for those entries in TRUSTED_ROOTS which actually have them.
  • Once identified, compare the subject information for the remaining CN(id)s with the "Subject" option of the certificate in the VECS TRUSTED_ROOTS store to determine which one matches the certificate to remove from the store.

WARNING:

  • Proceed with EXTREME CAUTION. If the wrong Certificate is un-published and removed from VECS, this can damage the environment which can be irreparable.
  • Be absolutely certain that the certificate that is being removed is the correct certificate to remove.
  • Validate the root certificate which is about to expire is renewed and all certificates from this root certificate are also renewed/replaced before un-publishing.
Mandatory precaution:
  • Ensure that all Platform Services Controllers in the federated environment are shut down and take a snapshot of all of them while they are powered off. They should be powered down to ensure that no replication takes place partially during the snapshot operation. Power On all the PSCs when the snapshot operation is complete. Also, take snapshots of the vCenter Systems while powered off. 
  • Snapshot revert (If required to recover from a damage) should happen on all the nodes to the same powered off snapshot state to ensure replication data consistency.
Powered by Wolken Software