VDT report flagged "[FAIL] Certificate Expiration Check" on vCenter Server

Article ID: 440047

Products

VMware vCenter Server

Issue/Introduction

  • After running the VDT script on a vCenter Server, the report flags a Certificate Expiration Check failure:
[FAIL] Certificate Expiration Check - (Expires DD-MM-YYYY)
       ##:48:##:BF:##:5D:##:17:##:FA:##:AG:##:B0:##:98:##:6A:##:TF: expired ## days ago!
       Documentation: https://knowledge.broadcom.com/external/article?legacyId=68171 and https://knowledge.broadcom.com/external/article/385107

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Cause

  • The VDT script flags an expired certificate while performing its general vCenter Server health check.
  • After a vCenter certificate renewal or replacement, the old CA certificates are not automatically removed from the TRUSTED_ROOTS store.
  • These remnants remain as valid entries in the VMware Endpoint Certificate Store (VECS) until they expire. Once expired, vCenter raises the certificate status alarm for them (and VDT flags them) even though they are no longer in use by any service.

Resolution

Prerequisites

  1. Standalone vCenter: Take a snapshot of the vCenter Server Appliance while it is powered off (or, if it must stay running, take the snapshot without including virtual memory).
  2. Enhanced Linked Mode (ELM): Shut down all linked vCenter Servers and take a snapshot of each node before proceeding.

Option A: Remove expired certificates using the vCert tool.

  1. Install vCert on the vCenter Server Appliance following the steps in vCert - Scripted vCenter expired certificate replacement.
  2. Run the tool: ./vCert.py
  3. Select Manage Certificates.
  4. Select CA certificates in VMware Directory.
  5. Review the certificate list and identify expired certificates by their end dates.
  6. Enter the corresponding numbers for the expired certificates to remove them (separate multiple entries with commas).

Option B: Remove expired certificates manually.

  1. Follow the procedures in Verify and remove CA Certificates from the TRUSTED_ROOTS store.
  2. Use the vecs-cli and dir-cli commands documented there to purge the expired CA certificates from the TRUSTED_ROOTS store in VECS and to unpublish the corresponding entries from the VMware Directory.