"Identity source LDAP Certificate is about to expire" alarm triggered on vCenter Server



Article ID: 396118


Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Administrators may observe the "Identity source LDAP Certificate is about to expire" alarm in the vCenter Server UI, which can be verified by navigating to Monitor > Triggered Alarms.
  • This alarm operates on a hardcoded 90-day threshold to proactively notify administrators before the associated LDAPS server certificate expires.

Cause

The server certificate associated with the Active Directory over LDAP Identity Source is expiring within 90 days.

Resolution

To verify the validity of the LDAP server certificate and update it if necessary, perform the following steps:

  1. Establish an SSH session to the vCenter Server and execute the following command to check the status of the currently stored LDAPS certificate:
    /opt/vmware/bin/sso-config.sh -get_identity_sources

  2. Query the LDAPS server or Domain Controller directly to determine the validity of the certificate it actually presents. Run the following command (stdin is redirected from /dev/null so that s_client does not block waiting for input):
    openssl s_client -connect <DC_fqdn>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -enddate
    Note: Ensure <DC_fqdn> is replaced with the Fully Qualified Domain Name of the Domain Controller.

  3. Compare the expiration dates returned in Step 1 and Step 2. If the Domain Controller presents a newer certificate than the one stored in vCenter, apply it by reconfiguring the identity source following the instructions in Broadcom KB Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS).

  4. After reconfiguring the identity source with the new certificate, acknowledge and reset the alarm in the vCenter UI.
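As an added example (not part of this KB or of any VMware tooling), the following POSIX shell helper automates Steps 2 and 3 for a list of Domain Controllers: it runs the same openssl pipeline as above, parses the notAfter date, and reports the days remaining against the alarm's hardcoded 90-day threshold. It assumes GNU date -d for date parsing; the function names and the DC name in the usage line are hypothetical placeholders.

```shell
#!/bin/sh
# Threshold used by the vCenter "Identity source LDAP Certificate is about to expire" alarm
ALARM_THRESHOLD_DAYS=90

# Print the "notAfter=<date>" line for the certificate presented on LDAPS (tcp/636)
# by the given Domain Controller. stdin is closed so s_client does not block.
fetch_ldaps_enddate() {
    dc_fqdn="$1"
    openssl s_client -connect "${dc_fqdn}:636" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Given an openssl "notAfter=<date>" line and an optional reference time
# (epoch seconds, defaults to now), print whole days until expiry.
# A negative value means the certificate has already expired. Uses GNU date -d.
days_until_expiry() {
    enddate_line="$1"
    ref_epoch="${2:-$(date -u +%s)}"
    not_after="${enddate_line#notAfter=}"
    exp_epoch=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (exp_epoch - ref_epoch) / 86400 ))
}

# Succeeds (exit 0) when the remaining lifetime is inside the alarm window.
within_alarm_window() {
    [ "$1" -le "$ALARM_THRESHOLD_DAYS" ]
}

# Check one DC and print a verdict. Exit 2 = renewal/reconfiguration needed,
# 1 = certificate could not be retrieved or parsed, 0 = OK.
check_dc() {
    dc_fqdn="$1"
    enddate_line=$(fetch_ldaps_enddate "$dc_fqdn") \
        || { echo "$dc_fqdn: could not retrieve LDAPS certificate"; return 1; }
    days=$(days_until_expiry "$enddate_line") || return 1
    if within_alarm_window "$days"; then
        echo "$dc_fqdn: LDAPS certificate expires in $days days (<= $ALARM_THRESHOLD_DAYS)," \
             "reconfigure the identity source with the renewed certificate"
        return 2
    fi
    echo "$dc_fqdn: LDAPS certificate expires in $days days, OK"
}

# Usage (placeholder DC name): uncomment to run against a live Domain Controller.
# for dc in dc01.example.local dc02.example.local; do check_dc "$dc"; done
```

Compare the days reported here with the expiration date shown by sso-config.sh in Step 1; a difference means vCenter still holds the old certificate.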