Error: "Certificate(s) in VECS TRUSTED_ROOTS store has expired KB 385107" alarm in vCenter Server

Article ID: 416354

Products

VMware vCenter Server

Issue/Introduction

  • You see a certificate expiration alarm in vCenter referencing the VECS TRUSTED_ROOTS store.

  • This occurs in both standalone vCenter and VMware Cloud Foundation (VCF) environments when expired CA certificates remain in the trust store after a previous certificate renewal or replacement operation.

  • The vSphere Client displays the following error:

    Certificate(s) in VECS TRUSTED_ROOTS store has expired KB 385107

  • These leftover certificates do not affect day-to-day operations but generate persistent alarms. If left unresolved, they can cause validation failures during future certificate operations, upgrades, or VCF workflows.

Additional symptoms reported:

  • VCF vCenter displays the expired certificate alarm, but SDDC Manager shows no expired certificates
  • Alarm persists after reviewing certificates in SDDC Manager UI

Environment

  • vCenter Server 8.x without SDDC Manager
  • VMware Cloud Foundation 5.x with vCenter Server managed by SDDC Manager

Cause

When you renew or replace certificates in vCenter, the old CA certificates in the TRUSTED_ROOTS store are not automatically removed.

These remnants remain valid entries in the VMware Endpoint Certificate Store (VECS) until they expire. Once expired, vCenter flags them with the certificate status alarm even though they are no longer in use.

In VMware Cloud Foundation environments, vCenter and SDDC Manager maintain independent trust stores with no synchronization between them.

An expired certificate may exist in one trust store but not the other, which is why SDDC Manager may show no certificate issues while vCenter displays the alarm.

Resolution

Prerequisites

  1. Take a powered-off snapshot of the vCenter Server Appliance.
  2. For Enhanced Linked Mode environments, shut down all linked vCenter Servers and snapshot each one before proceeding.
  3. For VMware Cloud Foundation environments, also take a powered-off snapshot of the SDDC Manager appliance.

Option A: Remove expired certificates using the vCert tool

  1. Install vCert on the vCenter Server Appliance using the steps in vCert - Scripted vCenter expired certificate replacement.
  2. Run the tool: ./vCert.py
  3. Select Manage Certificates.
  4. Select CA certificates in VMware Directory.
  5. Review the certificate list and identify expired certificates by their end dates.
  6. Enter the corresponding numbers for the expired certificates to remove them (separate multiple entries with commas).

Option B: Remove expired certificates manually

  1. Follow the steps in Verify and remove CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS) to remove the expired CA certificates from the TRUSTED_ROOTS store using the vecs-cli and dir-cli commands.
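The manual option above relies on reading the store listing and picking out the entries whose validity period has ended. The script below is an added example, not part of this KB or of the linked article: it parses text in the shape of the output of `/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text` (the openssl-style certificate dump that follows each `Alias :` line), reports the entries whose `Not After` date has passed, and prints the matching `vecs-cli entry delete` command for each so the operator can review them before running anything. The listing embedded in the script is constructed for the example; its aliases, subjects and dates are made up, and the `dir-cli trustedcert unpublish` step from the linked article still has to be carried out separately.

```python
"""Flag expired CA certificates in a VECS TRUSTED_ROOTS text listing.

Added example (not VMware's code). Input is assumed to look like the
output of:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text
i.e. one "Alias :" line per entry followed by an openssl-style dump that
contains "Not After :" and "Subject:" lines.
"""
from datetime import datetime, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"
STORE = "TRUSTED_ROOTS"

# Constructed sample listing: two CA entries, the first already expired.
SAMPLE_LISTING = """\
Number of entries in store :\t2
Alias :\t0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d
Entry type :\tTrusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: CN=CA, DC=vsphere, DC=local, O=vcenter.example.test
        Validity
            Not Before: Mar  2 10:15:00 2015 GMT
            Not After : Feb 25 10:15:00 2025 GMT
        Subject: CN=CA, DC=vsphere, DC=local, O=vcenter.example.test
Alias :\tf9e8d7c6b5a4938271605f4e3d2c1b0a9f8e7d6c
Entry type :\tTrusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Issuer: CN=CA, DC=vsphere, DC=local, O=vcenter.example.test
        Validity
            Not Before: Feb 20 09:00:00 2025 GMT
            Not After : Feb 15 09:00:00 2035 GMT
        Subject: CN=CA, DC=vsphere, DC=local, O=vcenter.example.test
"""


def parse_openssl_date(raw):
    """Parse an openssl validity timestamp such as 'Mar  2 10:15:00 2015 GMT'."""
    # openssl pads single-digit days with a space; collapse runs of whitespace
    normalised = " ".join(raw.split())
    return datetime.strptime(normalised, "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc
    )


def parse_listing(text):
    """Return one dict (alias, subject, not_after) per entry in the listing."""
    entries = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Alias :"):
            current = {
                "alias": stripped.split(":", 1)[1].strip(),
                "subject": None,
                "not_after": None,
            }
            entries.append(current)
        elif current is None:
            continue  # header lines before the first entry
        elif stripped.startswith("Subject:"):
            current["subject"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Not After"):
            current["not_after"] = parse_openssl_date(stripped.split(":", 1)[1])
    return entries


def find_expired(entries, now=None):
    """Entries whose Not After date is strictly in the past relative to `now`."""
    now = now or datetime.now(timezone.utc)
    return [e for e in entries if e["not_after"] is not None and e["not_after"] < now]


def delete_commands(expired, store=STORE):
    """Build the vecs-cli delete command for each expired alias (for review only)."""
    return [f"{VECS_CLI} entry delete --store {store} --alias {e['alias']}" for e in expired]


def report(text, now=None):
    """Parse a listing and return the review list of delete commands."""
    return delete_commands(find_expired(parse_listing(text), now))


if __name__ == "__main__":
    # Operators would feed real listing text here instead of the sample.
    for entry in find_expired(parse_listing(SAMPLE_LISTING)):
        print(f"EXPIRED {entry['not_after']:%Y-%m-%d}  {entry['alias']}  {entry['subject']}")
    for cmd in report(SAMPLE_LISTING):
        print(cmd)
```

Run it with the real listing piped in (or pasted in place of the sample) and compare the aliases it prints against the vSphere Client alarm before deleting anything; the current CA that is still in use will have a future `Not After` date and never appears in the output.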

Additional steps for VMware Cloud Foundation environments

vCenter and SDDC Manager maintain independent trust stores. After removing expired certificates from vCenter, verify whether the same expired certificates exist in SDDC Manager.

  1. Follow the steps under "To delete a stale certificate in trust store" in How to add/delete Custom CA Certificates to SDDC Manager and Common Services trust stores to check for and remove any expired certificates from the SDDC Manager trust store.

Verification

  1. In the vSphere Client, navigate to the Monitor tab.
  2. Locate the certificate status alarm and select Reset to Green to clear the triggered alert.
