Certificate status alarm triggers for stale certificate in VECS Store



Article ID: 377269


Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • You see a critical alarm in the vSphere Client or vSphere Web Client for a certificate expiry.
  • You have renewed the certificates and have a new, valid CA certificate in place.
  • Upon examining the certificates, there is a certificate in the store/alias named "vCenter_FQDN" that has expired:

Alias : vCenter_FQDN
Entry type :    Private Key
Certificate:
    Data:##
        Version:##
        Serial Number:##
           
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=vCenter_FQDN, OU=VMware Engineering
        Validity
            Not Before: MM DD TT:MM:SS YYYY GMT
            Not After : MM DD TT:MM:SS YYYY GMT
        Subject: CN=vCenter_FQDN, DC=vsphere, DC=local, C=US, OU=mID-
            Authority Information Access:
                CA Issuers - URI:https://oldvCenterFQDN

  • The certificate carrying the old vCenter name is still listed in the VECS store.

Environment

vCenter Server

Cause

There is a stale certificate entry in the VECS store, associated with an expired certificate. 

Resolution

NOTE: Make sure all vCenters in Enhanced Linked Mode (ELM) are shut down and take a snapshot of all nodes for backup. For standalone vCenters, a powered-on snapshot is sufficient.

To unpublish the expired stale certificate from the VECS store:

  • Back up the certificate using the following command:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vCenter_FQDN --alias vCenter_FQDN --output /var/core/old_machine.crt

  • Remove the certificate from the VECS store with this command:

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store vCenter_FQDN --alias vCenter_FQDN -y

  • Confirm that the stale certificate is no longer present:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vCenter_FQDN 

  • Restart the services on the vCenter Servers. Check that all services start and operate normally, and confirm that you can log in and manage the environment.
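The procedure above removes one stale entry whose alias you already know. To find every expired entry across all VECS stores before the alarm fires, the following script (an added example, not part of this article or of the vecs-cli tool) parses the text listing printed by `vecs-cli entry list --store <store> --text` and reports each alias whose "Not After" date has passed. The store-enumeration step assumes `vecs-cli store list` prints one store name per line; the embedded sample listing is constructed in the format shown above so the parser can be exercised off an appliance.

```python
#!/usr/bin/env python3
# Added example, not part of the KB article: find VECS entries whose
# certificate has already expired, by parsing the text listing that
# `vecs-cli entry list --store <store> --text` prints.
import os
import re
import subprocess
from datetime import datetime, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"  # path used in the article

ALIAS_RE = re.compile(r"^Alias\s*:\s*(.+?)\s*$")
TYPE_RE = re.compile(r"^Entry type\s*:\s*(.+?)\s*$")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")


def parse_openssl_time(text):
    """Parse an OpenSSL-style time such as 'Jan  5 10:00:00 2024 GMT'."""
    parts = text.split()          # collapses the padded single-digit day
    if parts and parts[-1] == "GMT":
        parts = parts[:-1]
    return datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y").replace(
        tzinfo=timezone.utc)


def parse_entries(listing, store):
    """Return one dict per 'Alias :' block in a vecs-cli text listing."""
    entries = []
    current = None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            current = {"store": store, "alias": m.group(1),
                       "entry_type": None, "not_after": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = TYPE_RE.match(line)
        if m:
            current["entry_type"] = m.group(1)
            continue
        m = NOT_AFTER_RE.match(line)
        if m and current["not_after"] is None:   # first cert of the entry
            current["not_after"] = parse_openssl_time(m.group(1))
    return entries


def find_expired(entries, now=None):
    """Entries whose certificate 'Not After' date is already in the past."""
    now = now or datetime.now(timezone.utc)
    return [e for e in entries
            if e["not_after"] is not None and e["not_after"] < now]


def list_stores():
    """Store names from `vecs-cli store list` (assumed: one name per line)."""
    out = subprocess.run([VECS_CLI, "store", "list"], check=True,
                         capture_output=True, text=True).stdout
    return [s.strip() for s in out.splitlines() if s.strip()]


def list_store_entries(store):
    """Parsed entries of one store from `vecs-cli entry list --text`."""
    out = subprocess.run([VECS_CLI, "entry", "list", "--store", store, "--text"],
                         check=True, capture_output=True, text=True).stdout
    return parse_entries(out, store)


# Constructed sample listing in the layout shown in the article (not real output).
SAMPLE_LISTING = """\
Alias : vcsa-old.lab.example
Entry type :    Private Key
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local
        Validity
            Not Before: Jan  5 10:00:00 2022 GMT
            Not After : Jan  5 10:00:00 2024 GMT
        Subject: CN=vcsa-old.lab.example
Alias : vcsa-renewed.lab.example
Entry type :    Private Key
Certificate:
        Validity
            Not Before: Mar  1 00:00:00 2024 GMT
            Not After : Mar  1 00:00:00 2030 GMT
        Subject: CN=vcsa-renewed.lab.example
"""


def main():
    if not os.path.exists(VECS_CLI):   # not on an appliance: run on the sample
        entries = parse_entries(SAMPLE_LISTING, "SAMPLE_STORE")
    else:
        entries = [e for s in list_stores() for e in list_store_entries(s)]
    for e in find_expired(entries):
        print(f"EXPIRED  store={e['store']}  alias={e['alias']}  "
              f"type={e['entry_type']}  not_after={e['not_after']:%Y-%m-%d}")


if __name__ == "__main__":
    main()
```

Run it as root on the appliance; each reported store/alias pair is a candidate for the `getcert` backup and `delete` steps above. Only the first certificate of an entry is checked, which is the entry's own certificate; chain certificates that follow it in the listing are ignored.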

Additional Information

It is recommended to remove any expired or unused certificates from the VECS store, since they can lead to the same issue described above.