Delete an expired CSR from MACHINE_SSL_CERT VECS Store
Article ID: 375304

Products

VMware vCenter Server, VMware Cloud Foundation

Issue/Introduction

  • After the vCenter UI is used to generate a new CSR for certificate renewal, the vCenter UI displays a Certificate Status alarm for an expired or expiring CSR.
  • The VDT report shows an expired CSR.

Cause

When the vCenter UI is used to generate certificates, a CSR is created and stored in the VECS store MACHINE_SSL_CERT by default. This CSR is not removed automatically.

By design, the Certificate Status alarm is then triggered approximately 60 or 90 days before a certificate expires, or once a certificate in any of the VECS stores has fully expired.

Resolution

An expired CSR (alias __MACHINE_CSR) in the VECS store MACHINE_SSL_CERT can be safely ignored; it does not affect the operation of vCenter.

However, if the CSR must be removed so that it no longer triggers the Certificate Status alarm, follow the steps below.

  1. SSH to the vCenter Server as root.
  2. List and review the current entries in each VECS store:

    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"; echo "===================================================="; done;

    Example Output Snippet
    [*] Store : MACHINE_SSL_CERT
    Alias : __MACHINE_CERT
                Not After : Aug 22 20:00:00 2026 GMT
    Alias : __MACHINE_CSR
                Not After : Aug 20 10:00:00 2024 GMT

    Note: By default, all MACHINE_CSRs are stored in the MACHINE_SSL_CERT store. A CSR is valid for only 1 day and triggers the Certificate Status alarm the following day, when it expires.

  3. Remove the __MACHINE_CSR entry from the store:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CSR


    Note: A restart of the vCenter Server services or a reboot is not required for the deletion to take effect.

  4. Within the vCenter UI, reset the Certificate Status alarm to green.
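The listing-and-removal procedure above, as an added script that is not part of this article or of VMware's tooling: it parses the "Not After" lines that vecs-cli prints, reports which aliases are already expired, and deletes only an expired __MACHINE_CSR, leaving any other expired entry (such as __MACHINE_CERT) untouched. The sample output is constructed from the snippet above, DRY_RUN is this script's own switch, and GNU date is assumed for parsing the timestamps.

```shell
#!/bin/sh
# Added example: find expired entries in a VECS store listing and remove only the
# expired __MACHINE_CSR, as the KB procedure describes. Store, alias and vecs-cli
# path come from the KB; DRY_RUN and the sample text are this script's assumptions.

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
STORE=MACHINE_SSL_CERT

# Constructed sample, modelled on the output snippet above (not a live capture).
SAMPLE_OUTPUT='Alias : __MACHINE_CERT
            Not After : Aug 22 20:00:00 2026 GMT
Alias : __MACHINE_CSR
            Not After : Aug 20 10:00:00 2024 GMT'

# Print "alias<TAB>not_after" for every entry in the listing $1 whose Not After
# lies before $2 (epoch seconds, defaults to now). Uses GNU date -d for parsing.
expired_entries() {
    text=$1; now=${2:-$(date +%s)}; alias=""
    printf '%s\n' "$text" | while IFS= read -r line; do
        case $line in
            Alias*) alias=${line#*: } ;;
            *"Not After"*)
                value=${line#*: }
                ts=$(date -u -d "$value" +%s 2>/dev/null) || continue
                if [ "$ts" -lt "$now" ]; then printf '%s\t%s\n' "$alias" "$value"; fi ;;
        esac
    done
}

# Delete __MACHINE_CSR from store $1 only if listing $2 shows it expired at time $3.
# Other expired aliases are reported but never deleted: the KB covers the CSR alone.
# With DRY_RUN=1 the delete command is printed instead of executed.
delete_expired_csr() {
    store=$1; text=$2; now=$3
    expired=$(expired_entries "$text" "$now")
    if ! printf '%s\n' "$expired" | cut -f1 | grep -qx '__MACHINE_CSR'; then
        echo "no expired __MACHINE_CSR in $store; nothing to delete"
        return 1
    fi
    printf '%s\n' "$expired" | grep -v '^__MACHINE_CSR' | sed 's/^/expired, left in place: /'
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$VECS_CLI entry delete --store $store --alias __MACHINE_CSR"
    else
        "$VECS_CLI" entry delete --store "$store" --alias __MACHINE_CSR
    fi
}

# On a vCenter appliance run against the live store; elsewhere dry-run the sample
# as of 2025-01-01 UTC, when the CSR has expired but __MACHINE_CERT has not.
if [ -x "$VECS_CLI" ]; then
    delete_expired_csr "$STORE" "$("$VECS_CLI" entry list --store "$STORE" --text)" "$(date +%s)"
else
    DRY_RUN=1; delete_expired_csr "$STORE" "$SAMPLE_OUTPUT" 1735689600
fi
```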

Additional Information

CertificateStatusAlarm - There are certificates that have expired or are about to expire / Certificate Status Change Alarm Triggered on VMware vCenter Server

A built-in alarm such as Certificate Status can be edited to send mail: under Alarm Definitions, select the alarm's radio button, choose Edit, select Send mail, and add the desired mail address or distribution list. Follow the wizard to finish. Refer to Configure Mail Sender Settings for setting up the target mail server.