Certificate Status Alarm - Clearing BACKUP_STORES certificates in the VCSA

Article ID: 326268

Products

VMware vCenter Server

Issue/Introduction

  • The following alarm is present on the vCenter object in the vSphere Client: Certificate Status

  • vCenter Certificates have been confirmed to be valid or been regenerated recently

  • Reviewing the certificate stores shows expired certificates within BACKUP_STORE or BACKUP_STORE_H5C in VECS
    • Run the following command to list the alias and expiry date of every certificate in each VECS store (the CRL store is skipped because it holds no certificates):
      for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
          echo "[*] Store :" $store
          /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"
      done
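The loop above only prints the raw "Alias" and "Not After" lines and leaves the comparison to the reader. The following added example (not part of the KB or of vCert) pairs each alias with its expiry and prints only the entries that are already expired at a given reference time; the sample output is constructed to mimic the two lines the KB's grep keeps, and GNU date (present on the Photon OS based VCSA) is assumed for parsing the OpenSSL-style date.

```shell
#!/bin/sh
# Added example, not code from the KB. Assumes GNU date (as on the VCSA).

# Constructed sample of `vecs-cli entry list --store BACKUP_STORE --text`,
# reduced to the "Alias :" and "Not After :" lines the KB's grep filter keeps.
SAMPLE_BACKUP_STORE='Alias : bkp___MACHINE_CERT
            Not After : Jan 15 12:00:00 2023 GMT
Alias : bkp_vpxd
            Not After : Dec 31 23:59:59 2099 GMT'

# expired_aliases STORE REF_EPOCH < vecs_text_output
# Pairs every "Alias :" line with the "Not After :" line that follows it and
# prints "STORE ALIAS NOT_AFTER" for entries expired at or before REF_EPOCH.
expired_aliases() {
    store=$1
    ref=$2
    cur_alias=
    while IFS= read -r line; do
        case $line in
            *"Alias"*)
                cur_alias=$(printf '%s' "$line" | sed 's/^[[:space:]]*Alias *:[[:space:]]*//')
                ;;
            *"Not After"*)
                notafter=$(printf '%s' "$line" | sed 's/^.*Not After *: *//')
                # Convert the OpenSSL date to epoch seconds; skip unparsable lines.
                exp=$(date -u -d "$notafter" +%s 2>/dev/null) || continue
                if [ "$exp" -le "$ref" ]; then
                    printf '%s %s %s\n' "$store" "$cur_alias" "$notafter"
                fi
                ;;
        esac
    done
}

# Same walk as the KB's loop, but reporting only expired entries per store.
# Run this on the VCSA itself; it is not exercised by the sample below.
check_all_stores() {
    now=$(date -u +%s)
    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
        /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store "$store" --text |
            expired_aliases "$store" "$now"
    done
}
```

Running `check_all_stores` before and after the vCert cleanup gives a quick before/after check that the only expired entries were the ones in the two backup stores.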

Environment

6.x
7.x
8.x

Cause

  • When certificates are replaced in the vCenter Server Appliance, two backup stores are created in VECS: BACKUP_STORE and BACKUP_STORE_H5C.
  • During the replacement, the old certificates are added as entries in these stores so that a rollback is possible.
  • When any entry in these stores is expired or about to expire, the vSphere Client raises the Certificate Status alarm, even though the active certificates are valid.

Resolution

The script previously attached to this KB is deprecated.

Use the improved certificate management tool vCert - Scripted vCenter Expired Certificate Replacement for all certificate management and replacement workflows.

  1. Download and install vCert on the vCenter Server Appliance as described in its Installation section.
  2. From the Manage Certificates menu, use Option 12 - Clear expired certificates in BACKUP_STORE in VECS to clear the expired certificates from the backup stores.

Additional Information

Mandatory precaution:
  • Ensure that the required offline snapshot of the VCSA is taken.
When using Enhanced Linked Mode (ELM):
  • Shut down all Platform Services Controllers in the federated environment and take a snapshot of each of them. They must be powered off so that no partial replication takes place during the snapshot operation. Power on all the PSCs when the snapshot operation is complete. Also take snapshots of the vCenter Server systems.
  • If a snapshot revert is required to recover from damage, revert every node to the same powered-off snapshot state to keep the replication data consistent.
  • This procedure should only be run on External PSCs and VCSAs whose BACKUP_STORES contain expired or expiring entries.