Determining expired SSL certificates in vCenter Server and ESXi 6.x and 7.0.x
Article ID: 343041

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

This article provides steps to find expired vCenter Server and ESXi certificates.

Environment

VMware vCenter Server 6.x
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Resolution

Checking the expiration date of vCenter Server certificates
Checking the expiration date of ESXi certificates

Checking the expiration date of vCenter Server certificates

  1. Check the Security Token Service (STS) signing certificate, see Checking Expiration of STS Certificate on vCenter Server.
  2. Run the command for your environment:
  • vCenter Appliance: Run the following command in a console window or SSH session to the vCenter VM. It walks every VECS store except the CRL store and prints the alias and "Not After" (expiry) date of each entry:

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

  • vCenter Windows: Run the following command from the vCenter VM console, RDP session, or physical device using PowerShell. It does the same walk using the vecs-cli under %VMWARE_CIS_HOME%:

$VCInstallHome = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CIS_HOME%");foreach ($STORE in & "$VCInstallHome\vmafdd\vecs-cli" store list){Write-host STORE: $STORE;& "$VCInstallHome\vmafdd\vecs-cli" entry list --store $STORE --text | findstr /C:"Alias" /C:"Not After"}

  3. Look at the list to see if any of the certificates are expired: an entry is expired when its "Not After" date (shown in GMT) is earlier than the current date.
  4. To view certificates from vSphere Web Client see:
  5. For information on how to resolve expired certificates see:
 

Checking the expiration date of ESXi certificates

  1. Using SSH, log in to ESXi as the root user (the SSH service must be enabled on the host).
  2. Run this command:

    openssl x509 -noout -in /etc/vmware/ssl/rui.crt -enddate

    For example:

    openssl x509 -noout -in /etc/vmware/ssl/rui.crt -enddate
    notAfter=Aug 24 21:48:47 2023 GMT

    The host certificate is expired when the notAfter date (GMT) is in the past.

    To renew or refresh certificates see:
    Renew or Refresh ESXi Certificates
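Both procedures above only print raw dates and leave the comparison to the reader. The following shell script is an added example, not part of this VMware article: it parses the "Alias" / "Not After" lines that the appliance vecs-cli loop produces, computes the days remaining for each entry and flags EXPIRED or EXPIRING ones, and wraps the ESXi openssl command with -checkend so the host check yields an exit status. It assumes GNU date (as on the vCenter Server Appliance) and the vecs-cli path from the article; the embedded vecs-cli output is constructed sample data, not from a real system, and the function names (report_expiry, vcsa_check, esxi_check, demo_sample) are this example's own.

```shell
#!/bin/sh
# Added example: expiry report for vCenter VECS entries and the ESXi host certificate.
# Assumes GNU date (vCenter Server Appliance / Photon OS) for parsing the date strings.

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # path used by the article's command

# Constructed sample of the filtered vecs-cli output (no real certificates).
SAMPLE_VECS='[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Aug 24 21:48:47 2023 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
            Not After : Jan 15 12:00:00 2024 GMT
[*] Store : vpxd
Alias : vpxd
            Not After : Jan  1 00:00:00 2030 GMT'

# days_until NOTAFTER [NOW_EPOCH]: whole days from NOW (default: current time) to the
# certificate's notAfter string, negative when it has already expired. Fails on bad dates.
days_until() {
  exp=$(date -u -d "$1" +%s) || return 1
  now=${2:-$(date -u +%s)}
  echo $(( (exp - now) / 86400 ))
}

# report_expiry [WARN_DAYS] [NOW_EPOCH]: read the filtered vecs-cli output on stdin and
# print STATUS, store, alias and notAfter for every certificate. Returns 1 if any entry
# is expired, expires within WARN_DAYS (default 30) or carries an unparseable date.
report_expiry() {
  warn=${1:-30}
  now=${2:-$(date -u +%s)}
  store='?'; alias='?'; rc=0
  while IFS= read -r line; do
    case "$line" in
      *"Store :"*) rest=${line#*Store}; rest=${rest#*:}; set -- $rest; store="$*" ;;
      *Alias*)     rest=${line#*Alias}; rest=${rest#*:}; set -- $rest; alias="$*" ;;
      *"Not After"*)
        # "set --" collapses the tabs/spaces vecs-cli and openssl put around the value
        rest=${line#*"Not After"}; rest=${rest#*:}; set -- $rest; notafter="$*"
        if ! days=$(days_until "$notafter" "$now"); then
          printf '%-8s %-20s %-28s %s\n' UNPARSED "$store" "$alias" "$notafter"
          rc=1; continue
        fi
        if   [ "$days" -lt 0 ];       then status=EXPIRED;  rc=1
        elif [ "$days" -le "$warn" ]; then status=EXPIRING; rc=1
        else                               status=OK
        fi
        printf '%-8s %-20s %-28s %s (%s days)\n' "$status" "$store" "$alias" "$notafter" "$days" ;;
    esac
  done
  return "$rc"
}

# vcsa_check [WARN_DAYS]: the article's VECS loop piped through report_expiry.
# Run this on the vCenter Server Appliance.
vcsa_check() {
  for store in $("$VECS_CLI" store list | grep -v TRUSTED_ROOT_CRLS); do
    echo "[*] Store : $store"
    "$VECS_CLI" entry list --store "$store" --text | grep -ie "Alias" -ie "Not After"
  done | report_expiry "${1:-30}"
}

# esxi_check [WARN_DAYS] [CERT]: the article's openssl command for ESXi plus -checkend,
# which exits 1 when the certificate has expired or will expire within WARN_DAYS.
# Run this on the ESXi host.
esxi_check() {
  warn=${1:-30}; cert=${2:-/etc/vmware/ssl/rui.crt}
  openssl x509 -noout -in "$cert" -enddate
  if openssl x509 -noout -in "$cert" -checkend $(( warn * 86400 )); then
    echo "OK: $cert is valid for more than $warn days"
  else
    echo "WARNING: $cert has expired or expires within $warn days"
    return 1
  fi
}

# demo_sample [WARN_DAYS] [NOW_EPOCH]: run report_expiry over the constructed sample.
demo_sample() { printf '%s\n' "$SAMPLE_VECS" | report_expiry "$@"; }
```

On the appliance, `vcsa_check 30` prints one line per VECS entry and exits non-zero if anything is expired or due within 30 days, which makes it usable from cron or a monitoring agent; `esxi_check 30` does the same for a host. Because `report_expiry` also handles the alias lines of the TRUSTED_ROOTS store, an expired CA certificate shows up alongside the leaf certificates instead of being missed.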

 


Additional Information



Impact/Risks:

Warning:

Before making any changes to certificates, ensure you have taken proper snapshots of your SSO domain. This means that you must shut down all vCenter Server and PSC nodes in the SSO domain at the same time, snapshot them, and power them on again. If you need to revert to one of these snapshots, shut all the nodes down and revert every node to its snapshot. Snapshotting or reverting only some of the nodes, or at different times, will lead to replication problems across the PSC databases.