When certificates are generated through the vCenter UI, a CSR is created and stored in the VECS store MACHINE_SSL_CERT by default. This CSR is not removed automatically.
As designed, the Certificate Status alarm is then triggered approximately 60 or 90 days before the certificate expires, or when the certificate has fully expired as observed in any of the VECS stores.
An expired CSR (__MACHINE_CSR) within the VECS store MACHINE_SSL_CERT can be safely ignored, as it does not affect the function of vCenter.
However, if the CSR needs to be removed to avoid triggering the Certificate Status alarm, follow the steps below.
# List every VECS store except TRUSTED_ROOT_CRLS with its aliases and expiry dates
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
  echo "[*] Store : $store"
  /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store "$store" --text | grep -ie "Alias" -ie "Not After"
  echo "===================================================="
done
Example Output Snippet:
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Aug 22 20:00:00 2026 GMT
Alias : __MACHINE_CSR
Not After : Aug 20 10:00:00 2024 GMT
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CSR
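To confirm that the leftover CSR is the only expired entry before deleting it, the listing can be filtered by date. The following is an added example, not part of the original article: it parses text in the shape shown in the output snippet above, and the function names, the verdict labels and the entry in the "machine" store are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Reports every entry in a VECS listing whose "Not After" date is in the past.

# Constructed sample: the article's output snippet plus one made-up entry in
# the "machine" store so that both verdicts are shown.
sample_output() {
cat <<'EOF'
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Aug 22 20:00:00 2026 GMT
Alias : __MACHINE_CSR
Not After : Aug 20 10:00:00 2024 GMT
====================================================
[*] Store : machine
Alias : machine
Not After : Jan  5 09:30:00 2023 GMT
EOF
}

# expired_entries [NOW]   NOW = UTC time as YYYYMMDDHHMMSS (default: current time)
# Reads the listing on stdin; prints "<store> <alias> <verdict>" per expired entry.
expired_entries() {
    now="${1:-$(date -u +%Y%m%d%H%M%S)}"
    awk -v now="$now" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        { gsub(/[ \t\r]+$/, "") }                        # trim trailing blanks and CR
        /^\[\*\] Store[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); store = $0; next }
        /Alias[ \t]*:/         { sub(/^[^:]*:[ \t]*/, ""); alias = $0; next }
        /Not After[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, "")                     # leaves "Aug 20 10:00:00 2024 GMT"
            split($0, f, " "); split(f[3], t, ":")
            key = sprintf("%04d%02d%02d%02d%02d%02d", f[4], mon[f[1]], f[2], t[1], t[2], t[3])
            if (key + 0 < now + 0) {
                # Only __MACHINE_CSR in MACHINE_SSL_CERT is the entry the article calls safe to ignore.
                verdict = (store == "MACHINE_SSL_CERT" && alias == "__MACHINE_CSR") ? "leftover-csr" : "review"
                print store, alias, verdict
            }
        }
    '
}

sample_output | expired_entries 20250101000000
```

On the appliance, the output of the listing loop above can be piped into expired_entries in place of sample_output; any line marked "review" is an expired entry other than the leftover CSR.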
Built-in alarms such as Certificate Status can be edited to send mail. Edit the alarm under Alarm Definitions: click the radio button, select Edit, select Send mail, and add the desired mail/distribution list. Follow the wizard to finish. Refer to Configure Mail Sender Settings for setting up the target mail server.