An expired CSR (__MACHINE_CSR) within the VECS store MACHINE_SSL_CERT can be safely ignored as it does not affect the function of vCenter.

However, should it be needed to remove the CSR to avoid triggering the Certificate Status alarm, follow the below steps.

1. SSH to the vCenter Server via root
2. List and review the current certificates within the VECS store:
   
   for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"; echo "===================================================="; done;

Example Output Snippet
   

   [*] Store : MACHINE SSL CERT
   Alias : __MACHINE_CERT
                       Not After : [Date and Time]

   Alias : __MACHINE_CSR
                       Not After : [Expired Date and Time]

   Note: From the above output, we will see that the MACHINE_CSR has an already expired date.
   
   By default, all MACHINE_CSRs are stored within the MACHINE_SSL_CERT store. The CSRs are valid for only 1 day and will trigger the Certificate Status alarm the following day when they expire.
   
   
3. Remove the MACHINE_CSR certificate:
   
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CSR

   Note: A restart of the vCenter Server services or a reboot is not required for the deletion to go into effect.
   

4. Within the vCenter UI, reset the Certificate Status alarm to green.