Windows:
C:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe entry list --store TRUSTED_ROOTS --text | more
Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less
Alias : 2b724e6dd26e38b369a020f279f3bfc3369e2e7f
X509v3 Subject Key Identifier:
ED:CF:46:E5:CA:A6:8A:75:04:C0:D4:7B:2B:45:2C:08:53:10:F9:18
Note: There could be several certificates to remove. Remove every certificate that is expired and no longer in use, to avoid certificate-related alarms.
Windows:
C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli trustedcert list
Appliance:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
This outputs the list of certificates published to VMDIR. It will look similar to the following:
C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli.exe trustedcert list
Enter password for administrator@vsphere.local:
Number of certificates: 3
#1:
CN(id): EDCF46E5CAA68A7504C0D47B2B452C085310F918
Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc1, OU=VMware
CRL present: yes
#2:
CN(id): 72B1C4C56A1A8A66B8C57182D551A29B78531ED0
Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc2, OU=VMware
CRL present: yes
#3:
CN(id): 7AF0962806F5997107BF9A213E86DED4F853FF70
Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc1, OU=VMware
CRL present: yes
Compare the X509v3 Subject Key Identifier of the VECS entry (with the colons removed) against the CN(id) values in this list. In this example the Subject Key Identifier ED:CF:46:E5:... matches the certificate with CN(id):
EDCF46E5CAA68A7504C0D47B2B452C085310F918
Windows:
C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli trustedcert get --id EDCF46E5CAA68A7504C0D47B2B452C085310F918 --login administrator@vsphere.local --password <PASSWORD> --outcert C:\temp\oldcert.cer
Appliance:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id EDCF46E5CAA68A7504C0D47B2B452C085310F918 --login administrator@vsphere.local --password <PASSWORD> --outcert /tmp/oldcert.cer
Windows:
C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli trustedcert unpublish --cert C:\temp\oldcert.cer
Appliance:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /tmp/oldcert.cer
Windows:
C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli trustedcert list
Appliance:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
Windows:
C:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli entry delete --store TRUSTED_ROOTS --alias 2b724e6dd26e38b369a020f279f3bfc3369e2e7f
Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias 2b724e6dd26e38b369a020f279f3bfc3369e2e7f
Windows:
C:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli entry list --store TRUSTED_ROOTS --text | findstr Alias
Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep Alias
Windows:
C:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli force-refresh
Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
Windows:
C:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli entry list --store TRUSTED_ROOTS --text | findstr Alias
Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep Alias
Note:
In some situations there are still older entries in TRUSTED_ROOTS that do not contain the certificate extension "X509v3 Subject Key Identifier".
The best way to handle this is to first compare the CN(id) values reported by dir-cli with the Subject Key Identifiers of those TRUSTED_ROOTS entries that do have them, which accounts for those entries.
Once those have been identified, compare the subject information of the remaining CN(id)s with the "Subject" field of the remaining certificates in the VECS TRUSTED_ROOTS store to identify which one matches the certificate you want to remove from the store.
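The matching described in the steps above (Subject Key Identifier against CN(id), and Subject against Subject DN for TRUSTED_ROOTS entries that carry no SKI), as an added shell example that is not part of this KB article. It parses constructed, abridged copies of the output of vecs-cli and dir-cli and reports, for each published certificate, which VECS alias holds the same certificate. The aliases other than 2b724e6d... and the shape of the abridged vecs-cli text are assumptions made for the sample.

```bash
#!/usr/bin/env bash
# Added example, not part of the KB article: match each CN(id) printed by
# `dir-cli trustedcert list` to the VECS TRUSTED_ROOTS alias holding the same
# certificate. Primary key: the X509v3 Subject Key Identifier (SKI) with the
# colons stripped equals the CN(id). Fallback, for VECS entries that carry no
# SKI (the note above): compare the Subject line with the Subject DN.
# Both inputs below are constructed, abridged samples of the real command
# output; every alias except 2b724e6d... is invented for illustration.

VECS_SAMPLE='Number of entries in store : 3
Alias : 2b724e6dd26e38b369a020f279f3bfc3369e2e7f
Entry type : Trusted Cert
Certificate:
    Data:
        Subject: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc1, OU=VMware
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ED:CF:46:E5:CA:A6:8A:75:04:C0:D4:7B:2B:45:2C:08:53:10:F9:18
Alias : 4d1e9b2a7c0f3e6d5b8a1c2d3e4f5a6b7c8d9e0f
Entry type : Trusted Cert
Certificate:
    Data:
        Subject: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc2, OU=VMware
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                72:B1:C4:C5:6A:1A:8A:66:B8:C5:71:82:D5:51:A2:9B:78:53:1E:D0
Alias : 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d
Entry type : Trusted Cert
Certificate:
    Data:
        Subject: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc1, OU=VMware'

DIRCLI_SAMPLE='Number of certificates: 3
#1:
CN(id): EDCF46E5CAA68A7504C0D47B2B452C085310F918
Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc1, OU=VMware
CRL present: yes
#2:
CN(id): 72B1C4C56A1A8A66B8C57182D551A29B78531ED0
Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc2, OU=VMware
CRL present: yes
#3:
CN(id): 7AF0962806F5997107BF9A213E86DED4F853FF70
Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc1, OU=VMware
CRL present: yes'

# stdin: vecs-cli --text output -> stdout: alias<TAB>SKI<TAB>subject (SKI empty if absent)
parse_vecs() {
  awk '
    function emit() { if (alias != "") printf "%s\t%s\t%s\n", alias, ski, subject }
    /^Alias :/                { emit(); alias = $3; ski = ""; subject = ""; want = 0; next }
    /^[ \t]*Subject: /        { sub(/^[ \t]*Subject: /, ""); subject = $0; next }
    /Subject Key Identifier/  { want = 1; next }      # the value is on the next line
    want == 1                 { gsub(/[: \t]/, ""); ski = toupper($0); want = 0; next }
    END                       { emit() }
  '
}

# stdin: dir-cli trustedcert list output -> stdout: CN(id)<TAB>Subject DN
parse_dircli() {
  awk '
    /^CN\(id\): /    { sub(/^CN\(id\): /, ""); id = $0; next }
    /^Subject DN: /  { sub(/^Subject DN: /, ""); printf "%s\t%s\n", id, $0 }
  '
}

# $1: parsed VECS table, $2: parsed dir-cli table -> stdout: CN(id)<TAB>alias<TAB>how
# how is "ski" (exact match), "subject" (fallback, verify by hand) or "unmatched".
match_entries() {
  awk -F'\t' '
    FILENAME == ARGV[1] { if ($2 != "") by_ski[$2] = $1; else no_ski[$1] = $3; next }
    {
      if ($1 in by_ski) { print $1 "\t" by_ski[$1] "\tski"; next }
      found = ""
      # Fallback: only VECS entries without an SKI are candidates. If several
      # share a Subject this takes the first, so confirm (e.g. serial number)
      # before deleting anything.
      for (a in no_ski) if (no_ski[a] == $2) { found = a; delete no_ski[a]; break }
      if (found != "") print $1 "\t" found "\tsubject"; else print $1 "\t-\tunmatched"
    }
  ' "$1" "$2"
}

report() {
  v=$(mktemp); d=$(mktemp)
  printf '%s\n' "$VECS_SAMPLE"   | parse_vecs   > "$v"
  printf '%s\n' "$DIRCLI_SAMPLE" | parse_dircli > "$d"
  match_entries "$v" "$d"
  rm -f "$v" "$d"
}

# Print the VECS alias matched to one CN(id); empty if none was found.
alias_for_id() {
  report | awk -F'\t' -v id="$1" '$1 == id && $3 != "unmatched" { print $2 }'
}

report
```

On an appliance, replace the two sample variables with the live output of /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text and /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list. Lines reported as matched by "subject" are the edge case from the note: two SKI-less entries with the same Subject cannot be told apart by this comparison, so confirm the match by hand before running trustedcert unpublish or vecs-cli entry delete.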
WARNING: