Certificate Status Alert for SMS store Certificates.
Article ID: 371774
Updated On:
Products
Issue/Introduction
- vCenter getting certificate status alarm "VMware vSphere Profile-Driven Storage Service has a warning status".
Example:
- Validation of the SMS certificate store using the below command indicates that one or more certificates are approaching expiration as illustrated below:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
Environment
VMware vCenter Server
Cause
This alert occurs when one or more certificates within the SMS store are approaching expiration date.
Resolution
To resolve this issue, follow the below steps:
- Take a snapshot on the vCenter Server (For Linked vCenter Servers, refer to VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice)
- Renew the expired SMS certificate by using the vCert Script (as highlighted on the alarm) with options:
- Option 3 (Manage certificates) ->
- Option 5 (SMS certificates) ->
- Option 1 (Replace SMS self-signed certificate)
- Option 5 (SMS certificates) ->
- Option 3 (Manage certificates) ->
- Select the
Reset to Greenon the alarm action on vSphere client - Remove the snapshot.
Additional Information
If you are using vVols, the SMS (Storage Monitoring Service) certificate connects your storage array's VASA provider and vCenter. If this breaks, your vVols don't go offline (data continues to flow), but they become unmanageable (no snapshots, no migrations, no power-ons). Some issues you might see and the steps to fix them:
Trust Break:
When you replace the SMS cert, the Storage Array (Unity/PowerStore) still expects the old thumbprint.
The Result: The VASA Provider may go Offline.
The Fix: Go into the PowerStore/Unity Manager and "Update" or "Refresh" the vCenter connection to accept the new certificate identity.
VASA Provider:
Sometimes, even after updating the array, vCenter refuses to reconnect to the VASA provider.
The Fix: You may need to Remove and Re-add the Storage Provider in the vSphere Client.
Warning: Please note that removing a VASA provider is non-disruptive to running VMs. It simply refreshes the management registration.
ESXi vvold Incompatibility:
The ESXi hosts have a service called vvold that talks to the VASA provider. It caches the certificate of the VASA provider.
The Problem: If the VASA provider gets a new certificate (signed by your new vCenter SMS/Root), the ESXi host might reject it because it’s different from what’s in its cache.
The Symptom: VMs show as "Inaccessible" after a power cycle.
The Fix:
vSphere UI: Right-click Host > Certificates > Refresh CA Certificates.
vSphere UI: Right-click Host > Certificates > Renew Certificate.
Host CLI (Mandatory): SSH into the host and run the command :
/etc/init.d/vvold ssl_reset && /etc/init.d/vvold restartUI: Right-click Host > Storage > Rescan Storage.
Feedback
