The Data Encipherment certificate is showing as expiring or expired
Article ID: 430608

Products

VMware vCenter Server

Issue/Introduction

  • vCenter Server raises a Certificate Status alarm when any certificate in VECS (the VMware Endpoint Certificate Store) is expired or close to its expiration date.
  • Running the command below on the vCenter Server appliance lists every VECS store with each entry's alias and "Not After" date, and shows that the "data-encipherment" entry has expired or is about to expire.

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
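The one-liner above prints every alias and "Not After" line but leaves the date arithmetic to the reader. The following script, an added example for this article and not VMware or vCert code, does the same walk over the VECS stores and reports only the entries that are expired or inside a warning window. When `/usr/lib/vmware-vmafd/bin/vecs-cli` is present it runs the same `store list` / `entry list --text` commands as the KB (root on the appliance is assumed); otherwise it runs against constructed sample output embedded in the script, trimmed to the `Alias` and `Not After` lines the KB itself greps for. The 30-day warning window is the script's own assumption, not vCenter's alarm threshold.

```python
#!/usr/bin/env python3
"""Report VECS certificates that are expired or close to expiry.

Added example for this KB (not VMware's or vCert's code). It parses the same
`vecs-cli entry list --store <store> --text` output the KB greps for
"Alias" and "Not After", and flags entries inside a warning window.
"""
import os
import re
import subprocess
from datetime import datetime, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"   # path used in the KB command
WARN_DAYS = 30                                      # assumed warning window (days)

ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")

# Constructed sample output, NOT captured from a real appliance. Only the
# "Alias" and "Not After" lines matter; the rest mimics the --text layout.
SAMPLE_STORES = {
    "data-encipherment": (
        "Number of entries in store :\t1\n"
        "Alias :\tdata-encipherment\n"
        "Entry type :\tPrivate Key\n"
        "Certificate:\n"
        "        Validity\n"
        "            Not Before: Mar  1 00:00:00 2024 GMT\n"
        "            Not After : Mar  1 00:00:00 2026 GMT\n"
    ),
    "MACHINE_SSL_CERT": (
        "Number of entries in store :\t1\n"
        "Alias :\t__MACHINE_CERT\n"
        "Entry type :\tPrivate Key\n"
        "Certificate:\n"
        "        Validity\n"
        "            Not Before: Jan  1 00:00:00 2024 GMT\n"
        "            Not After : Jan  1 00:00:00 2030 GMT\n"
    ),
    "TRUSTED_ROOTS": (
        "Number of entries in store :\t1\n"
        "Alias :\t0a1b2c3d\n"
        "Entry type :\tTrusted Cert\n"
        "Certificate:\n"
        "        Validity\n"
        "            Not After : Jan  1 00:00:00 2026 GMT\n"
    ),
}


def parse_entries(text):
    """Return [(alias, not_after)] for one store's --text output.

    Each "Alias :" line is paired with the next "Not After :" line, which is
    the certificate belonging to that alias. Dates are naive UTC datetimes.
    """
    entries, alias = [], None
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = NOT_AFTER_RE.match(line)
        if m and alias is not None:
            not_after = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z")
            entries.append((alias, not_after))
            alias = None
    return entries


def expiring(stores, now, warn_days=WARN_DAYS):
    """Return [(store, alias, days_left)] for entries expired or expiring soon.

    `stores` maps store name -> --text output; `now` is a naive UTC datetime
    or an ISO-8601 string. Negative days_left means already expired.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    hits = []
    for store, text in stores.items():
        for alias, not_after in parse_entries(text):
            days_left = (not_after - now).days
            if days_left <= warn_days:
                hits.append((store, alias, days_left))
    return sorted(hits, key=lambda h: h[2])


def read_vecs_stores():
    """Collect --text output for every VECS store via vecs-cli (root on the vCSA)."""
    names = subprocess.run([VECS_CLI, "store", "list"], capture_output=True,
                           text=True, check=True).stdout.split()
    return {
        s: subprocess.run([VECS_CLI, "entry", "list", "--store", s, "--text"],
                          capture_output=True, text=True, check=True).stdout
        for s in names
    }


if __name__ == "__main__":
    stores = read_vecs_stores() if os.path.exists(VECS_CLI) else SAMPLE_STORES
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    for store, alias, days in expiring(stores, now):
        state = "EXPIRED" if days < 0 else f"expires in {days} day(s)"
        print(f"{store}/{alias}: {state}")
```

On a real appliance a hit in the data-encipherment store is the condition this article describes; a hit in MACHINE_SSL_CERT, the solution-user stores, or TRUSTED_ROOTS is a different certificate and is handled by other vCert menu options, so check which store the expiring alias lives in before choosing the remediation.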

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x
VMware vCenter Server 9.x

Cause

The data-encipherment certificate stored in VECS has reached, or is approaching, the end of its validity period.

Resolution

Replace the expired or expiring data-encipherment certificate and its private key with the vCert tool, following the procedure in the KB article vCert - Scripted vCenter expired certificate replacement:

  1. Launch the vCert script as per the KB article vCert - Scripted vCenter expired certificate replacement
  2. Select Option 3: Manage Certificates.
  3. Select Option 6: Data Encipherment Certificate.
  4. Enter the Single Sign-On (SSO) administrator account (the default is administrator@vsphere.local).
  5. Enter the password for the SSO administrator account.
  6. When prompted at "Generate new Data encipherment certificate? [N]:", enter Y for yes to replace the certificate.

    Expected Output: 
  7. When prompted to restart the vmware-vpxd service, enter Y to restart it now or N to decline; the new certificate is not in use by vpxd until the service has restarted.
  8. After the restart, re-run the vecs-cli command from the Issue/Introduction section and confirm that the data-encipherment entry now shows a future "Not After" date. Reset the Certificate Status alarm to green if it does not clear on its own.