Expired CA Certificates Remain in the VECS Trusted Root Store

Article ID: 420832

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Expired CA certificates remain in the VECS TRUSTED_ROOTS store and in VMware Directory (vmdir) after an upgrade, and vCenter raises certificate health alarms for them.

Environment

VMware vCenter Server
Product Release: 8.0U3

Cause

vCenter Server 8.0 runs certificate health checks across VECS and the VMware Directory Service (vmdir). Any certificate whose expiration date is in the past is flagged as unhealthy. The upgrade does not remove outdated CA certificates automatically, so stale or expired certificates persist in both stores and keep generating alarms.

Resolution

Use the vCert tool on the vCenter Server Appliance (VCSA) to identify and remove all expired CA certificates from both VECS and VMware Directory (vmdir).

Please ensure you have a valid VAMI-based backup or offline snapshots of ALL vCenter/PSC nodes in the SSO domain before continuing.

Steps to perform

  1. Transfer the vCert tool package to the VCSA.
  2. SSH into the vCenter Server.
  3. Change to the directory containing the vCert package.
  4. Unzip the tool package.
  5. Enter the extracted directory.
  6. Execute ./vCert.py.
  7. Select Option 3 – Manage Certificates.
  8. Select Option 3 – CA certificates in VMware Directory.
  9. Identify the expired certificates by their number and end date.
  10. Remove the expired certificates (comma-separated numbers remove several at once).
  11. Repeat the process for the VECS store so that both VECS and vmdir are cleaned.

Removing the expired certificates eliminates the stale entries that trigger vCenter's certificate health alarms. After removal, both stores contain only valid certificates and the alarms clear.
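The following is an added example, not part of this article and not the vCert tool's code. It shows the check vCert performs for the VECS side, done by hand with only the Python standard library so that it runs on the appliance: it reads the text dump produced by `/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text` (each entry is an `Alias :` line followed by the certificate in `openssl x509 -text` form), reports every alias whose `Not After` date is already in the past, and prints the matching `vecs-cli entry delete` commands for review rather than running them. The embedded dump is a constructed sample trimmed to the fields the script reads, and the alias names are placeholders (real TRUSTED_ROOTS aliases are fingerprint-style hex strings).

```python
"""Flag expired CA certificates in a VECS TRUSTED_ROOTS text dump.

Input is the text written by
  /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text
Only the standard library is used so the script runs unmodified on a VCSA.
"""
import re
from datetime import datetime, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"

# Constructed sample (not captured from a real appliance): two trusted
# roots in the shape of the --text output, reduced to the lines we parse.
SAMPLE_VECS_TEXT = """\
Number of entries in store :	2
Alias :	old-root-2013
Entry type :	Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=CA, DC=vsphere, DC=local
        Validity
            Not Before: Jan  5 10:00:00 2013 GMT
            Not After : Jan  3 10:00:00 2023 GMT
        Subject: CN=CA, DC=vsphere, DC=local
Alias :	current-root
Entry type :	Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=CA, DC=vsphere, DC=local
        Validity
            Not Before: Jan  4 10:00:00 2025 GMT
            Not After : Jan  2 10:00:00 2035 GMT
        Subject: CN=CA, DC=vsphere, DC=local
"""

ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)", re.M)
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.M)
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.M)


def parse_openssl_time(text):
    """Parse an openssl-style timestamp such as 'Jan  3 10:00:00 2023 GMT'.

    openssl pads single-digit days with a space; collapse the whitespace
    first so strptime accepts the value.  The result is timezone-aware.
    """
    norm = " ".join(text.split())
    parsed = datetime.strptime(norm, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def parse_vecs_text(dump):
    """Return one dict per store entry: alias, subject and notAfter."""
    entries = []
    # Every entry starts at a line beginning with 'Alias :'; the leading
    # 'Number of entries' chunk carries no certificate and is skipped.
    for chunk in re.split(r"(?m)^(?=Alias\s*:)", dump):
        alias = ALIAS_RE.search(chunk)
        if not alias:
            continue
        subject = SUBJECT_RE.search(chunk)
        not_after = NOT_AFTER_RE.search(chunk)
        entries.append({
            "alias": alias.group(1),
            "subject": subject.group(1) if subject else "",
            "not_after": parse_openssl_time(not_after.group(1)) if not_after else None,
        })
    return entries


def find_expired(entries, now=None):
    """Entries whose notAfter lies strictly before `now` (default: current UTC)."""
    now = now or datetime.now(timezone.utc)
    return [e for e in entries if e["not_after"] is not None and e["not_after"] < now]


def delete_commands(expired, store="TRUSTED_ROOTS"):
    """Build the vecs-cli removal commands; they are printed, never executed,
    so the operator can review them against a backup before running them."""
    return [f"{VECS_CLI} entry delete --store {store} --alias {e['alias']} -y"
            for e in expired]


if __name__ == "__main__":
    found = parse_vecs_text(SAMPLE_VECS_TEXT)
    for e in found:
        print(f"{e['alias']:16} {e['subject']:32} notAfter={e['not_after']:%Y-%m-%d}")
    for cmd in delete_commands(find_expired(found)):
        print(cmd)
```

On a live appliance, feed the script the real output of `vecs-cli entry list --store TRUSTED_ROOTS --text` (for example redirected to a file) instead of the sample. vmdir has no equivalent text listing: `dir-cli trustedcert list` prints the CN(id) of each published root, each one is exported with `dir-cli trustedcert get --id <id> --outcert <file>`, checked with `openssl x509 -in <file> -noout -enddate`, and an expired one is removed with `dir-cli trustedcert unpublish --cert <file>`. The vCert menu in the steps above performs exactly this pair of checks interactively.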

Additional Information

Full vCert Instructions