Expired KMS server certificate will not be automatically removed from vecs store


Article ID: 383055


Products

VMware vCenter Server

Issue/Introduction

When an external Key Management Server (KMS) is connected to vCenter Server, vCenter Server also stores the KMS server certificate in the VMware Endpoint Certificate Store (VECS).

However, due to a current limitation, when a KMS server certificate expires it is not automatically removed from VECS.

Environment

  • VMware vCenter Server 6.7
  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 8.0.x

Cause

Current vCenter Server versions have no automatic logic to remove expired KMS server certificates from the VECS store.

Expired KMS server certificate entries in VECS can, however, be removed manually by either

  • invoking the uploadKmipServerCert operation, or
  • using the vecs-cli tool available on the vCenter Server Appliance (VCSA)

An expired KMS server certificate left in the VECS store does not affect the connection between vCenter Server and the KMS server.

Resolution

Broadcom is planning to release a fix that addresses the limitation of removing expired certificates from the KMS store in a future update. Engineering has acknowledged the issue and will incorporate this requirement as part of a future feature enhancement. In the meantime, as a workaround, use the following steps to manually remove the expired KMS certificate from the VECS store:

  1. To find the expired certificate entries in the KMS_ENCRYPTION store, run the following command:
    # /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store KMS_ENCRYPTION --text | grep -E "Alias :|Not After :"
  2. Note down the alias of every entry whose "Not After" value is earlier than the current date (the timestamps are printed in GMT, so compare against the UTC date, for example the output of "date -u"). Then, to delete an expired entry from the store, run the following command, replacing <alias_name_from_step1> with the specific alias of the entry you want to delete:
    # /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store KMS_ENCRYPTION --alias <alias_name_from_step1>
    Delete only aliases whose "Not After" has passed; removing a current KMS certificate from the store is not covered by this article.