Certificate Status" or "Root Certificate about to expire."VMware vSphere Profile-Driven Storage Service Health Alarm" and "vpxd service down" as potential symptoms of stale certificatesThe vCenter does not automatically purge expired or stale root certificates from the VECS TRUSTED_ROOTS store.
Authority Key Identifier" in your Machine SSL certificate against the "Subject Key Identifier" of the root certificate.Subject Key Identifier" information for the target root certificate from the command below/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --textSubject Key Identifier" will be marked as "Authority Key Identifier" in the Machine_SSL certificate details. It can be fetched and verified by using the command below. If there is an entry, it means that the vCenter is currently using the root certificate /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep "Alias\|Not After\|Subject:\|Issuer:"/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | lessAlias : ####################################2e7fNot After field in the certificate to identify the expiry date./usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias ####################################2e7f --output /root/<aliasID>.cer/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /root/<aliasID>.cer/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias ####################################2e7fNotes:
If the alias has special characters, enclose the entire alias in single quotes when using the vecs-cli command, for eg. --alias 'https://[IP]:9997/vasa'
If the command is failing with an error."Operation failed with error ERROR_OBJECT_NOT_FOUND", ignore the error and proceed further. This error will be logged if the certificate is already removed from the store as part of step 4d.
Perform a force refresh of VECS to sync the certificate from VMDIR./usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
Confirm that the certificate is no longer present.
Note: Output of this command should not list the Alias ID that was removed in the above steps./usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep <aliasID>
Restart all services on the vCentes, ensuring that all services start and respond normally, and that login and management of the environment are functioning properly.service-control --stop --allservice-control --start --all