Determining expired vCenter Server and ESXi 6.x and 7.0.x SSL certificates
Article ID: 344952

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

  • This article provides steps to find expired vCenter Server and ESXi certificates.


Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Resolution

  1. Check the Single Sign-On Token Signing (STS) certificate; see Checking Expiration of STS Certificate on vCenter Server.
  2. Run the following command for your environment:
  • vCenter Server Appliance: In a console window or SSH session to the vCenter Server virtual machine, run the following command:

    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

  • vCenter Windows: Run the following command using PowerShell from the vCenter Server virtual machine console, RDP session or physical device using

    $VCInstallHome = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CIS_HOME%");foreach ($STORE in &"$VCInstallHome\vmafdd\vecs-cli" store list){Write-host STORE: $STORE;&"$VCInstallHome\vmafdd\vecs-cli" entry list --store $STORE --text | findstr /C:"Alias" /C:"Not After"}
  3. Check the list to see if any of the certificates have expired (the "Not After" value of each entry is its expiry date).
     Certificate list used to find expired certificates
  4. vSphere Web Client: See Additional Information below for instructions on how to view the certificates from the vSphere Web Client.
  5. See Additional Information below for how to resolve expired certificates.


To check the expiration date on ESXi
  1. Log in to ESXi as the root user using SSH.
  2. Run the following command:

    openssl x509 -noout -in /etc/vmware/ssl/rui.crt -enddate

    You will see output similar to the following:

    # openssl x509 -noout -in /etc/vmware/ssl/rui.crt -enddate
    notAfter=Aug 24 21:48:47 2023 GMT
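The commands above only print the "Not After" dates; deciding which ones are already expired, or will expire soon, is left to the reader. The script below is an added example (not part of this article or of VMware's tooling) that classifies those dates for both the vCenter vecs-cli loop from step 2 and the ESXi openssl one-liner. It assumes GNU date (as shipped on the vCenter Server Appliance), and the vecs-cli output it parses is constructed for the example rather than captured from a real system. The 30-day warning window is an assumption you can change.

```shell
#!/bin/sh
# Added example (not part of the KB article): classify the "Not After" dates that
# vecs-cli (vCenter) or openssl (ESXi) print as OK, EXPIRING or EXPIRED.
# Assumes GNU date (present on the vCenter Server Appliance); the vecs-cli sample
# below is constructed for this example, not captured from a real system.

WARN_DAYS=30   # assumed warning window: flag certificates expiring within this many days

# cert_status NOT_AFTER NOW_EPOCH [WARN_DAYS]
# NOT_AFTER is an X.509 date such as "Aug 24 21:48:47 2023 GMT".
# Prints OK, EXPIRING, EXPIRED or UNPARSABLE; always exits 0 so it is safe under set -e.
cert_status() {
    not_after=$1
    now=$2
    warn_days=${3:-$WARN_DAYS}
    if ! exp=$(date -u -d "$not_after" +%s 2>/dev/null); then
        echo UNPARSABLE
        return 0
    fi
    if [ "$exp" -le "$now" ]; then
        echo EXPIRED
    elif [ "$exp" -le "$((now + warn_days * 86400))" ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# esxi_status LINE NOW_EPOCH [WARN_DAYS]
# LINE is the output of: openssl x509 -noout -in /etc/vmware/ssl/rui.crt -enddate
esxi_status() {
    cert_status "${1#notAfter=}" "$2" "${3:-$WARN_DAYS}"
}

# report_vecs NOW_EPOCH [WARN_DAYS]
# Reads the output of the article's vecs-cli loop on stdin ("[*] Store :",
# "Alias :" and "Not After :" lines) and prints one line per certificate.
report_vecs() {
    now=$1
    warn_days=${2:-$WARN_DAYS}
    store=""
    alias=""
    while IFS= read -r line; do
        case "$line" in
            "[*] Store :"*)
                store=$(printf '%s' "${line#"[*] Store :"}" | tr -d '[:space:]') ;;
            Alias*)
                alias=$(printf '%s' "${line#*:}" | tr -d '[:space:]') ;;
            *"Not After"*)
                not_after=${line#*: }
                printf '%-20s %-42s %-9s %s\n' "$store" "$alias" \
                    "$(cert_status "$not_after" "$now" "$warn_days")" "$not_after" ;;
        esac
    done
}

# Constructed sample in the shape of the article's vecs-cli loop output.
sample_vecs_output() {
    cat <<'EOF'
[*] Store : MACHINE_SSL_CERT
Alias :    __MACHINE_CERT
            Not After : Aug 24 21:48:47 2023 GMT
[*] Store : TRUSTED_ROOTS
Alias :    0123456789abcdef0123456789abcdef01234567
            Not After : Aug 20 00:00:00 2033 GMT
EOF
}

# Stand-alone run: evaluate the constructed sample against the current time.
# On a real vCSA, pipe the article's vecs-cli loop into report_vecs instead:
#   <vecs-cli loop from step 2> | report_vecs "$(date -u +%s)"
sample_vecs_output | report_vecs "$(date -u +%s)"
```

Passing the current time as an argument rather than reading the clock inside the functions keeps the classification reproducible, which matters when you want to compare a report taken before and after renewing certificates. For ESXi, the same logic applies to the openssl output via esxi_status.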



To renew your certificate, see Renewing ESXi certificates (under Additional Information below).
Additional Information

Check and resolve expired vCenter Server certificates from command line (82332)

Using ESXi Shell in ESXi 5.x, 6.x and 7.x (2004746)

CertificateStatusAlarm - There are certificate that expired or about to expire / Certificate Status Change Alarm Triggered on VMware vCenter Server (68171)

View vCenter Certificates with the vSphere Web Client

View Certificate Expiration Information for Multiple ESXi Hosts

Renew or Refresh ESXi Certificates

Certificate Management for ESXi Hosts

Impact/Risks:

Warning:
  • Before changing the certificate, ensure that you have taken a proper snapshot of your SSO domain. This means that all vCenter Servers or PSCs in the SSO domain must be shut down at the same time, a snapshot taken of each, and then powered on again. If you need to revert to one of these snapshots, shut down all nodes and revert all nodes to the snapshot. Failing to perform these steps will result in replication issues across the PSC database.