Determining expired SSL certificates in vCenter Server
Article ID: 343041
Updated On:
Products
Issue/Introduction
Environment
VMware vSphere ESXi 6.5.x
VMware vSphere ESXi 6.7.x
VMware vSphere ESXi 7.x
VMware vSphere ESXi 8.x
VMware vSphere ESXi 9.x
Resolution
Checking the expiration date of vCenter Server certificates
Note: To check the STS certificate (Single Sign-on Token Signing), see Checking Expiration of STS Certificate on vCenter Server.
- For the vCenter appliance, SSH into the vCenter and run:
# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
- For Windows vCenter using PowerShell:
$VCInstallHome = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CIS_HOME%");foreach ($STORE in & "$VCInstallHome\vmafdd\vecs-cli" store list){Write-host STORE: $STORE;& "$VCInstallHome\vmafdd\vecs-cli" entry list --store $STORE --text | findstr /C:"Alias" /C:"Not After"}
Check if the certificates are expired.
Additional Information
- Using ESXi Shell in ESXi 5.x, 6.x and 7.x
- CertificateStatusAlarm - There are certificate that expired or about to expire/Certificate Status Change Alarm Triggered on VMware vCenter Server
- View Certificate Expiration Information for ESXi Hosts
- Renew or Refresh ESXi Certificates
- Certificate Management for ESXi Hosts
Feedback
