vCert tool Reports VMDIR certificate expired status

Article ID: 405123

Products

VMware vCenter Server 8.0
VMware vCenter Server

Issue/Introduction

  • When checking the vCenter Server certificates with the vCert tool, the VMDir certificate is reported as expired.
  • The trusted root certificates are not expired, and no other service is affected.
  • When running option 1, "Check current certificate status", in the vCert tool, the "Checking VMDir certificate" item is shown as EXPIRED:

      Checking Certificate Status
      -----------------------------------------------------------------
      Checking VMDir certificate                                EXPIRED

  • The following entries are found in the vCert log file, /var/log/vmware/vCert/vCert.log:

      YYYY-MM-DDTHH:MM:SS - [operation.check_certificate - check_file_system_certificate] - INFO - Checking certificate at /usr/lib/vmware-vmdir/share/config/vmdircert.pem
      YYYY-MM-DDTHH:MM:SS - [operation.check_certificate - check_certificate_basic] - WARNING - Certificate is expired

Environment

vCenter Server 7.0.x

vCenter Server 8.0.x

Cause

  • In vCenter Server 7.x and later, the VMDir service no longer uses a certificate of its own. The dedicated VMDir certificate is deprecated and is not required for normal vCenter operation.
  • The legacy certificate file /usr/lib/vmware-vmdir/share/config/vmdircert.pem is left over from earlier versions and still remains on the system.
  • vCert continues to check this file even though it is no longer used, so once the certificate's validity period ends the tool reports it as EXPIRED.
  • The stale file has no effect on system functionality; the finding is cosmetic.

Resolution

Workaround 1: Remove the stale certificate file

Step 1: Back up and remove the stale certificate file

  • Change to the vmdir config directory:

    cd /usr/lib/vmware-vmdir/share/config

  • Create a backup of the existing file (optional, but recommended so the change can be reverted):

    cp vmdircert.pem vmdircert.pem.backup

  • Remove the stale certificate file:

    rm vmdircert.pem

Step 2: Verify the result

After the file is removed, the vmdir certificate expiration warning no longer appears in the vCert certificate status check (option 1).


Workaround 2: Replace the file with the Machine SSL certificate

Use this approach if removing the file causes issues, or if the vmdircert.pem file is missing.

  • Export the current Machine SSL certificate from VECS (vecs-cli entry getcert exports only the certificate, not the private key, so no key material is written to disk):

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /tmp/machine_ssl.pem

  • Replace the vmdir certificate with the Machine SSL certificate:

    cp /tmp/machine_ssl.pem /usr/lib/vmware-vmdir/share/config/vmdircert.pem

  • Clean up the temporary file:

    rm /tmp/machine_ssl.pem

Note: after this workaround the file is a copy of the Machine SSL certificate, so vCert will report it as expired again when the Machine SSL certificate reaches the end of its validity. Repeat the copy after a Machine SSL certificate renewal, or remove the file as in Workaround 1.

After applying either workaround, restart the vCenter services:

    service-control --stop --all && service-control --start --all

Then re-run the vCert script (see vCert - Scripted vCenter Expired Certificate Replacement).

In vCert option 1, the "Checking VMDir certificate" item is no longer reported as EXPIRED in the "Checking Certificate Status" output.
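As an added example (not code from the KB article or from the vCert tool), the following bash script carries out both workarounds with the checks a practitioner would want around them: it verifies the file's validity with openssl before and after the change, keeps a backup, and refuses to install an exported Machine SSL certificate that is itself unparsable or expired. The paths and the vecs-cli command are the ones given in the article; the VMDIR_CONF and VECS_CLI environment overrides (for dry runs outside a vCenter appliance) and the openssl checks are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the KB article: check, back up and either remove
# or replace the stale vmdircert.pem that vCert reports as EXPIRED.
# Paths and the vecs-cli invocation are the ones given in the article; the
# openssl check and the VMDIR_CONF/VECS_CLI overrides are additions here.
set -eu

VMDIR_CONF="${VMDIR_CONF:-/usr/lib/vmware-vmdir/share/config}"
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"

# cert_status PEM: 0 = valid, 1 = expired or unparsable (the verdict vCert's
# check_certificate_basic gives), 2 = file not present.
cert_status() {
  local pem="$1"
  if [ ! -f "$pem" ]; then
    return 2
  fi
  # -checkend 0 exits non-zero once notAfter is in the past (or on parse error).
  if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# backup_cert PEM: keep a copy next to the original before touching it.
backup_cert() {
  local pem="$1"
  if [ -f "$pem" ]; then
    cp -p "$pem" "${pem}.backup"
  fi
}

# Workaround 1: remove the stale file (no-op if it is already gone).
remove_stale_cert() {
  local pem="$1"
  backup_cert "$pem"
  rm -f "$pem"
}

# Workaround 2: overwrite the file with the current Machine SSL certificate.
# 'vecs-cli entry getcert' writes only the certificate, never the private key,
# so nothing secret lands in the vmdir config directory.
replace_with_machine_ssl() {
  local pem="$1"
  local tmp
  tmp="$(mktemp)"
  "$VECS_CLI" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > "$tmp"
  # Refuse to install anything that is not a parsable, currently valid cert.
  if ! openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null 2>&1; then
    rm -f "$tmp"
    echo "exported Machine SSL certificate is missing or expired; aborting" >&2
    return 1
  fi
  backup_cert "$pem"
  cp "$tmp" "$pem"
  chmod 0644 "$pem"
  rm -f "$tmp"
}

# report PEM: one status line, useful before and after the change.
report() {
  local pem="$1" rc=0
  cert_status "$pem" || rc=$?
  case "$rc" in
    0) echo "$pem: valid until $(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)" ;;
    1) echo "$pem: EXPIRED or unreadable" ;;
    *) echo "$pem: not present" ;;
  esac
}

case "${1:-status}" in
  status)  report "$VMDIR_CONF/vmdircert.pem" ;;
  remove)  remove_stale_cert "$VMDIR_CONF/vmdircert.pem"; report "$VMDIR_CONF/vmdircert.pem" ;;
  replace) replace_with_machine_ssl "$VMDIR_CONF/vmdircert.pem"; report "$VMDIR_CONF/vmdircert.pem" ;;
  *) echo "usage: $0 {status|remove|replace}" >&2 ;;
esac
```

Run it as root on the appliance: `status` first to confirm the EXPIRED verdict independently of vCert, then `remove` (Workaround 1) or `replace` (Workaround 2), followed by the service restart and the vCert re-run described above. The backup is written beside the original as vmdircert.pem.backup, matching the article's manual steps.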