Removing Expired Solution Users (machine/vsphere-webclient/vpxd/vpxd-extension) and Machine SSL Certificates

Article ID: 376896


Products

VMware vCenter Server

Issue/Introduction

You see an alarm in the vSphere Client or vSphere Web Client for certificate expiry.

Environment

vCenter Server 7

vCenter Server 8

Cause

vCenter Server monitors all certificates in the VMware Endpoint Certificate Store (VECS). It triggers a Certificate Status alarm within VMware vCenter Server if any certificate is expired.

Resolution

Before proceeding, take appropriate snapshots of the vCenter:

  • For a standalone vCenter, you can take an online snapshot of the vCenter
  • If Linked Mode is enabled, take offline snapshots of all vCenters

Run this command to identify expired certificates and the stores they are in:

  • for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store : $store"; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store "$store" --text | grep -ie "Alias" -ie "Not After"; done

List the certificates and make a note of the certificate alias (in this example we are using the vsphere-webclient store):

  • /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vsphere-webclient --text | less

Delete the certificate with the command below (in this example we are deleting alias Vcenter-oracle from the vsphere-webclient store):

  • /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store vsphere-webclient --alias ######

Note: Modify the commands above to match the store and alias you would like to remove.
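
The identification command above prints every alias and Not After date and leaves the date comparison to the reader. As an added example (not part of this article), the sketch below reports only entries that have already expired; the function names and the sample listing are constructed here, and it assumes the OpenSSL-style `Not After : Mon DD hh:mm:ss YYYY GMT` lines that the article's grep matches.

```bash
VECS=/usr/lib/vmware-vmafd/bin/vecs-cli   # path used in the article

# expired_entries NOW STORE: read `vecs-cli entry list --text` output on stdin,
# print "store<TAB>alias<TAB>not-after" for entries that expired before NOW.
# NOW is UTC in YYYYMMDDhhmmss form.
expired_entries() {
  awk -v now="$1" -v store="$2" '
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    /^[ \t]*Alias[ \t]*:/ {
      alias = $0
      sub(/^[ \t]*Alias[ \t]*:[ \t]*/, "", alias)
      sub(/[ \t\r]+$/, "", alias)
    }
    /Not After[ \t]*:/ {
      d = $0
      sub(/.*Not After[ \t]*:[ \t]*/, "", d)
      sub(/[ \t\r]+$/, "", d)
      split(d, f, /[ \t]+/)   # fields: Mon DD hh:mm:ss YYYY GMT
      split(f[3], t, ":")
      stamp = sprintf("%04d%02d%02d%02d%02d%02d", f[4], mon[f[1]], f[2], t[1], t[2], t[3])
      # Fixed-width digit strings, so string order equals time order.
      if ((stamp "") < (now "")) printf "%s\t%s\t%s\n", store, alias, d
    }'
}

# Constructed sample of one store listing (not real vCenter output).
sample_listing() {
  cat <<'EOF'
Alias : Vcenter-oracle
            Not Before: Jan  5 09:00:00 2021 GMT
            Not After : Jan  5 09:00:00 2023 GMT
Alias : vsphere-webclient
            Not Before: Jun 30 12:00:00 2029 GMT
            Not After : Jun 30 12:00:00 2031 GMT
EOF
}

if [ -x "$VECS" ]; then          # on the appliance: scan every store
  now=$(date -u +%Y%m%d%H%M%S)
  for store in $("$VECS" store list | grep -v TRUSTED_ROOT_CRLS); do
    "$VECS" entry list --store "$store" --text | expired_entries "$now" "$store"
  done
else                             # elsewhere: run on the constructed sample
  sample_listing | expired_entries 20250101000000 vsphere-webclient
fi
```

The script only reports; review each store and alias pair it prints before passing it to the delete command.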