Certificate alarm - Clearing BACKUP_STORES certificates in the VCSA
Article ID: 326268

Updated On: 04-14-2025

Products

VMware vCenter Server

Issue/Introduction

Even after the vCenter certificates have been confirmed as valid or have been regenerated, the vSphere Client continues to display certificate status alarms when any expired or about-to-expire certificate is contained in either BACKUP_STORE or BACKUP_STORE_H5C in VECS.

This article provides steps for automating the clean-up of expired certificates from the BACKUP_STORE and BACKUP_STORE_H5C stores in the vCenter Server Appliance.

Environment

VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

When certificates are replaced in the vCenter Server Appliance, two backup stores are created: BACKUP_STORE and BACKUP_STORE_H5C. During the replacement, the old certificates are added as entries in these stores to allow a rollback.
When any entry in these stores is expired or about to expire, the vSphere Client displays a Certificate Status alarm.
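To confirm that the alarm really comes from the backup stores before cleaning them up, the following added example (not code from this KB or from vCert) queries both stores with vecs-cli on the VCSA and classifies each entry by its expiry date. It assumes the standard vecs-cli path and that `vecs-cli entry list --store <store> --text` prints the certificate's "Not After" line; the 30-day warning window and SAMPLE_OUTPUT are constructed for illustration.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"
BACKUP_STORES = ("BACKUP_STORE", "BACKUP_STORE_H5C")
WARN_DAYS = 30  # assumed warning window; the KB does not state one

# Constructed sample in the shape of `vecs-cli entry list --text` output
# (only the lines this parser relies on are shown).
SAMPLE_OUTPUT = """\
Alias : bkp___MACHINE_CERT
Entry type : Private Key
            Not Before: Jan  5 10:00:00 2022 GMT
            Not After : Jan  5 10:00:00 2024 GMT
Alias : bkp_machine
Entry type : Private Key
            Not Before: Mar  1 09:00:00 2025 GMT
            Not After : Mar  1 09:00:00 2027 GMT
"""

def parse_entries(text):
    """Return [(alias, not_after_utc)] for each entry in vecs-cli --text output."""
    entries, alias = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Alias\s*:\s*(\S+)", line)
        if m:
            alias = m.group(1)
            continue
        m = re.match(r"\s*Not After\s*:\s*(.+?)\s*GMT\s*$", line)
        if m and alias is not None:  # first cert after the alias is the leaf
            when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
            entries.append((alias, when.replace(tzinfo=timezone.utc)))
            alias = None  # ignore chain certs until the next alias
    return entries

def classify(entries, as_of=None, warn_days=WARN_DAYS):
    """Map alias -> 'expired' | 'expiring' | 'ok'; as_of is an ISO date (UTC)."""
    now = (datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
           if as_of else datetime.now(timezone.utc))
    return {a: "expired" if t <= now
            else "expiring" if t <= now + timedelta(days=warn_days) else "ok"
            for a, t in entries}

def check_backup_stores():
    """Run on the VCSA as root: query both backup stores and classify entries."""
    return {s: classify(parse_entries(subprocess.run(
        [VECS_CLI, "entry", "list", "--store", s, "--text"],
        capture_output=True, text=True, check=True).stdout)) for s in BACKUP_STORES}
```

Any alias reported as expired or expiring is an entry that keeps the alarm raised even though the active certificates are valid.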

Resolution

The script previously attached to this KB is deprecated.

Use the new, improved certificate management tool vCert - Scripted vCenter Expired Certificate Replacement for all certificate management and replacement workflows.

  • Download and install vCert on the vCenter Server Appliance as described in its Installation section.
  • Use Option 11 - Clear expired certificates in BACKUP_STORE in VECS from the Manage Certificates menu to clear the expired certificates from the backup stores.

Note: You may use WinSCP to upload the vCert tool to the VCSA. For additional information, see https://knowledge.broadcom.com/external/article/326317

Additional Information

Mandatory precaution:
  • Ensure that the required offline snapshot of the VCSA is taken.
When using Enhanced Linked Mode (ELM):
  • Ensure that all Platform Services Controllers in the ELM federated environment are shut down, and take a snapshot of all of them. They must be powered down so that no partial replication takes place during the snapshot operation. Power on all the PSCs when the snapshot operation is complete. Also take snapshots of the vCenter Server systems.
  • A snapshot revert (if required to recover from damage) must be performed on all nodes to the same powered-off snapshot state to ensure replication data consistency.
  • The clean-up should only be run on external PSCs and VCSAs whose BACKUP_STORE or BACKUP_STORE_H5C contains expired or expiring certificates.