"One or more VECS stores are missing permissions" in vCert

Products

VMware vCenter Server

Issue/Introduction

When running the Check current certificate status in vCert, the following warning appears: "One or more VECS stores are missing permissions".
The vCert log (/var/log/vmware/vCert/vCert.log) contains the following entry: INFO Could not find read permission for user vsan-health in VECS store vpxd-extension

And shows "Permissions" for vpxd-extension VECS store

Log : /var/log/vmware/vCert/vCert.log

-->
--> PERMISSIONS FOR STORE: [vpxd-extension]
--> OWNER : root
--> USER ACCESS
--> vlcm read
--> wcp read
--> 1020 read
--> deploy read
--> infraprofile write
--> updatemgr read
--> vsphere-ui read
--> vpxd read
--> analytics read
--> vsm read
--> imagebuilder read
--> content-library read
--> eam read
--> 1004 read
--> sps write
--> vstatsuser read
2026-04-10T12:59:32 EDT -04:00 INFO Users with expected read permissions: vlcm wcp deploy updatemgr vsphere-ui vpxd vsm vsan-health imagebuilder content-library eam vstatsuser analytics
2026-04-10T12:59:32 EDT -04:00 INFO Users with expected write permissions: infraprofile sps
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user vlcm in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user wcp in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user deploy in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user updatemgr in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user vsphere-ui in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user vpxd in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user vsm in VECS store vpxd-extension

2026-04-10T12:59:32 EDT -04:00 INFO Could not find read permission for user vsan-health in VECS store vpxd-extension

2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user imagebuilder in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user content-library in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user eam in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user vstatsuser in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found read permission for user analytics in VECS store vpxd-extension
2026-04-10T12:59:32 EDT -04:00 INFO Found write permission for user infraprofile in VECS store vpxd-extension
2026-04-10T12:59:33 EDT -04:00 INFO Found write permission for user sps in VECS store vpxd-extension
2026-04-10T12:59:33 EDT -04:00 INFO Task Status: PERMISSIONS
2026-04-10T12:59:33 EDT -04:00 INFO Task: SMS

Environment

vCenter 7.x
vCenter 8.x

Cause

This issue occurs when the vsan-health service user is not explicitly granted 'read' access to the vpxd-extension VECS store, often following a certificate replacement or vCenter upgrade.

Resolution

Grant read access for vsan-health in vpxd-extension VECS store.

Access the vCenter via SSH
Check the current permissions

/usr/lib/vmware-vmafd/bin/vecs-cli store get-permissions --name vpxd-extension

Expected output format:

# /usr/lib/vmware-vmafd/bin/vecs-cli store get-permissions --name vpxd-extension
PERMISSIONS FOR STORE: [vpxd-extension]
OWNER : root
USER ACCESS
vlcm read
wcp read
deploy read
infraprofile write
updatemgr read
vsphere-ui read
vpxd read
analytics read
vsm read
vsan-health read
imagebuilder read
content-library read
eam read
sps write
vstatsuser read
Run the below command to set the read permission for missing vsan-health

/usr/lib/vmware-vmafd/bin/vecs-cli store permission --name vpxd-extension --user vsan-health --grant read
Relaunch vCert and verify the warning is no longer present.