Renewed vCenter Server certificates retain same expiration date after vCert reset
Article ID: 421374

Products

VMware vCenter Server

Issue/Introduction


When you use the vCert tool to reset or regenerate vCenter Server certificates, the newly created certificates retain the same expiration date as the original certificates. This occurs when the VMCA (VMware Certificate Authority) root certificate is nearing expiration. Because subordinate certificates cannot have a validity period exceeding their signing CA, all regenerated Machine SSL, solution user, STS, and data-encipherment certificates inherit the limited validity from the expiring VMCA root. The vCert tool completes without errors, but certificate expiration alarms persist and the environment remains at risk of certificate-related outages.

Additional symptoms reported:

  • Certificate expiration warnings appear in vCenter for multiple stores:
    • "Data-encipherment certificate in VECS is about to expire"
    • "Certificate(s) in VECS TRUSTED_ROOTS store is about to expire"
    • "MACHINE_SSL_CERT certificate in VECS is about to expire"
    • "Solution user certificate(s) in VECS is about to expire"
    • "STS Signing Certificates are about to expire"
  • ESXi Host Certificate Status warnings on multiple hosts
  • Renewing ESXi host certificates generates new certificates that expire at the same time as the originals
  • All certificates share the same expiration date

Environment

  • vCenter Server Appliance 7.x, 8.x using VMCA-signed certificates (default configuration)
  • vCenter Server Appliance 6.x using VMCA-signed certificates (default configuration)

Note: This issue does not apply to environments using custom third-party CA-signed certificates.

Cause

vCenter Server uses the VMware Certificate Authority (VMCA) as an internal certificate authority to sign all subordinate certificates, including Machine SSL, solution user, STS, and data-encipherment certificates. A fundamental constraint of certificate chains is that subordinate certificates cannot have a validity period that exceeds their signing CA certificate.

When you run vCert option 6 ("Reset all certificates with VMCA-signed certificates"), the tool regenerates the subordinate certificates but does not renew the VMCA root certificate itself. If the VMCA root certificate is nearing expiration, the newly generated subordinate certificates are signed with the existing VMCA root and inherit its limited remaining validity period.

This results in new certificates that expire on the same date as the original certificates, and the certificate expiration alarms persist.

Resolution

Before proceeding: Take a powered-off snapshot of the vCenter Server virtual machine. If the vCenter Server is in Enhanced Linked Mode, snapshot all linked vCenter Server VMs simultaneously.

  1. Connect to the vCenter Server Appliance via SSH as root.

  2. Install and launch the vCert tool as described in the KB article "vCert - Scripted vCenter expired certificate replacement".

  3. Select option 3 (Manage Certificates) from the main menu.

  4. Select option 9 (VMCA certificate) to renew the VMCA root certificate first.

    • Follow the prompts to generate a new VMCA root certificate.
    • The tool displays confirmation when complete.
  5. Return to the Manage Certificates menu and select option 2 to regenerate the Machine SSL and all solution user certificates.

  6. When prompted, select the option to update the STS signing certificate.

  7. Restart all vCenter services when prompted, or manually restart using:

    service-control --stop --all && service-control --start --all
    
  8. Verify the certificates now have extended expiration dates:

    # List every VECS store (except the CRL store) and print each entry's alias and expiry
    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
        echo "[*] Store :" $store
        /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"
    done
    
  9. Refresh ESXi host certificates:

    • In the vSphere Client, navigate to each ESXi host.
    • Select Configure > Security & Users > Certificate.
    • Click Renew or Refresh CA Certificates.
  10. Re-authenticate any third-party systems connected to vCenter Server (backup solutions, NSX Manager, monitoring tools) to accept the new certificates.
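The step 8 loop prints one "Alias" and one "Not After" line per VECS entry, but it is up to the reader to spot the symptom this article describes: every subordinate certificate carrying exactly the same expiry as the VMCA root in TRUSTED_ROOTS. The following script is an added example (not part of this article or of the vCert tool) that parses that output and flags both conditions: entries whose expiry equals a trusted root's expiry, and entries expiring within a warning window. The two sample outputs and the reference date are constructed for illustration; the line formats assumed are the "[*] Store :" echo from step 8 and the OpenSSL-style "Not After : Mon DD HH:MM:SS YYYY GMT" field that vecs-cli --text prints.

```python
"""Parse the output of the step-8 vecs-cli loop and flag subordinate
certificates that merely inherited the VMCA root's expiration date."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (not real appliance output): the "after vCert option 6"
# state this article describes, where every entry expires with the root.
SAMPLE_INHERITED = """\
[*] Store : MACHINE_SSL_CERT
Alias :\t__MACHINE_CERT
            Not After : Jun 15 09:30:00 2026 GMT
[*] Store : TRUSTED_ROOTS
Alias :\tconstructed_root_fingerprint_0000000000000000
            Not After : Jun 15 09:30:00 2026 GMT
[*] Store : vpxd
Alias :\tvpxd
            Not After : Jun 15 09:30:00 2026 GMT
[*] Store : data-encipherment
Alias :\tdata-encipherment
            Not After : Jun 15 09:30:00 2026 GMT
"""

# Constructed sample: the healthy state after the VMCA root itself was
# renewed (step 4) and the subordinates regenerated (step 5).
SAMPLE_HEALTHY = """\
[*] Store : MACHINE_SSL_CERT
Alias :\t__MACHINE_CERT
            Not After : Jun  5 09:30:00 2028 GMT
[*] Store : TRUSTED_ROOTS
Alias :\tconstructed_root_fingerprint_1111111111111111
            Not After : Jun  5 09:30:00 2036 GMT
[*] Store : vpxd
Alias :\tvpxd
            Not After : Jun  5 09:30:00 2028 GMT
"""

# Constructed reference date used by demo(); real runs use the current time.
REFERENCE_NOW = "Apr  1 00:00:00 2026 GMT"

STORE_RE = re.compile(r"^\[\*\] Store :\s*(\S+)")
ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$")


def parse_not_after(value):
    """Turn an OpenSSL-style date ('Jun  5 09:30:00 2028 GMT') into an aware datetime."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_vecs_output(text):
    """Return [{'store', 'alias', 'not_after'}] from the step-8 loop output."""
    entries, store, alias = [], None, None
    for line in text.splitlines():
        m = STORE_RE.match(line)
        if m:
            store = m.group(1)
            continue
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = NOT_AFTER_RE.search(line)
        if m and store and alias:
            entries.append({"store": store, "alias": alias,
                            "not_after": parse_not_after(m.group(1))})
            alias = None  # one expiry per alias; ignore stray lines
    return entries


def inherited_expiry(entries):
    """Subordinate entries whose expiry equals a TRUSTED_ROOTS entry's expiry:
    the signature of certificates signed by an almost-expired VMCA root."""
    root_dates = {e["not_after"] for e in entries if e["store"] == "TRUSTED_ROOTS"}
    return [e for e in entries
            if e["store"] != "TRUSTED_ROOTS" and e["not_after"] in root_dates]


def expiring_within(entries, now, days=90):
    """Entries (roots included) that expire within `days` of `now`."""
    cutoff = now + timedelta(days=days)
    return [e for e in entries if e["not_after"] <= cutoff]


def report(text, now=None, days=90):
    """Parse `text` and return the two findings plus the parsed entries."""
    entries = parse_vecs_output(text)
    now = now or datetime.now(timezone.utc)
    return {"entries": entries,
            "inherited": inherited_expiry(entries),
            "expiring": expiring_within(entries, now, days)}


def demo():
    """Run both constructed samples against the constructed reference date."""
    now = parse_not_after(REFERENCE_NOW)
    return {"before": report(SAMPLE_INHERITED, now), "after": report(SAMPLE_HEALTHY, now)}


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: {len(r['entries'])} entries, "
              f"{len(r['inherited'])} inherit root expiry, "
              f"{len(r['expiring'])} expire within 90 days")
        for e in r["inherited"]:
            print(f"  {e['store']}/{e['alias']} expires with the root on {e['not_after']:%Y-%m-%d}")
```

On an appliance you would pipe the step 8 loop into `report()` (for example by saving its output to a file and passing the file contents). An empty `inherited` list after steps 4 and 5 confirms the subordinates no longer track the root's expiry; a non-empty list means the VMCA root was not renewed before the subordinates were regenerated.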

Additional Information