Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store(VECS)

Article ID: 326288

Products

VMware vCenter Server

Issue/Introduction

When you encounter certificate-related issues in your vCenter Server environment, you may experience one or more of the following scenarios:

Certificate Expiry and Removal Issues:

  • You receive critical alarms in the vSphere Client indicating certificate expiry with messages stating:

'TRUSTED_ROOTS' expires on <date>

  • A CA certificate currently in use in your environment is expiring or has expired, and you need to remove the old certificate after installing a new certificate.
  • Your attempts to remove expired CA certificates using the vSphere Client or other standard methods fail, and the certificate is automatically copied back to the VMware Endpoint Certificate Store (VECS) after deletion.

General hygiene:

  • You want to remove an existing trusted root certificate that is no longer needed.

Common Impact: These certificate issues prevent proper certificate management, generate ongoing alarms or diagnostic warnings, and may interfere with maintenance operations or health assessments. While some scenarios may not immediately impact functionality, they indicate certificate store inconsistencies that should be resolved to maintain proper vCenter Server hygiene and avoid potential future complications during certificate operations.

Environment

VMware vCenter Server 6.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Resolution

To un-publish expired/expiring certificates from the TRUSTED_ROOTS store in VECS:

  1. List the certificates using vecs-cli.
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less
  2. Find the certificate that needs to be removed and make a note of the Alias.

    Example:
    Alias : 2b724e6dd2####################c3369e2e7f
    Note: There could be several certificates to remove. Any expired certificates that are not in use should be removed to avoid certificate-related alarms.

  3. Using the Alias ID located in Step 2, run the following command to save the certificate to the /root/ folder, adjusting the alias and path for your environment:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias 2b724e6dd2########c3369e2e7f --output /root/<aliasID>.cer
  4. Unpublish the expired/expiring CA certificate from VMDIR. The command prompts for SSO Administrator credentials.
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /root/<aliasID>.cer
  5. Delete the certificate from VECS using the Alias located in Step 2:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias 2b724e6dd2####################c3369e2e7f

    Notes:
    If the alias contains special characters, enclose the entire alias in single quotes when using the vecs-cli command, for example: --alias 'https://[IP]:9997/vasa'
    If the command fails with the error "Operation failed with error ERROR_OBJECT_NOT_FOUND", ignore the error and proceed. This error is logged if the certificate was already removed from the store as part of Step 4.

  6. Force a refresh of VECS to sync the certificates from VMDIR.
    /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
  7. Confirm that the certificate is no longer present.
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep Alias

    Note: The output of this command should not list the Alias ID that was removed in the steps above.
  8. Restart all services on the vCenter Servers, ensuring that all services start and respond normally, and that login and management of the environment are functioning properly.

    service-control --stop --all
    service-control --start --all
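Added example (not from this KB article or from VMware): a small Python triage helper that parses the vecs-cli output from Step 1, classifies each alias by its Not After date, and emits Steps 3 to 5 as a dry run for the expired aliases only, so the alias noted in Step 2 is cross-checked before anything is unpublished. The "Alias :" / "Not After :" text layout and the placeholder aliases in the sample are assumptions; the helper prints commands and executes nothing.

```python
# Added helper (not VMware's code): classify TRUSTED_ROOTS aliases by Not After date.
import shlex
from datetime import datetime, timedelta, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"
DIR_CLI = "/usr/lib/vmware-vmafd/bin/dir-cli"

# Constructed sample of `vecs-cli entry list --store TRUSTED_ROOTS --text`, cut
# down to the fields read here; the "Alias :" / "Not After :" layout is assumed.
SAMPLE_OUTPUT = """\
Alias : aaaa1111expiredrootplaceholder
            Not After : Jan  1 00:00:00 2024 GMT
Alias : bbbb2222currentrootplaceholder
            Not After : Jan  1 00:00:00 2034 GMT
"""

def parse_entries(text):
    """Return [(alias, not_after)] in store order; not_after is tz-aware UTC."""
    entries, alias = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Alias"):
            alias = s.split(":", 1)[1].strip()
        elif s.startswith("Not After"):
            stamp = s.split(":", 1)[1].split()  # ['Jan', '1', '00:00:00', '2024', 'GMT']
            when = datetime.strptime(" ".join(stamp[:4]), "%b %d %H:%M:%S %Y")
            entries.append((alias, when.replace(tzinfo=timezone.utc)))
    return entries

def classify(entries, now=None, warn_days=30):
    """Map alias -> 'expired' | 'expiring' | 'valid' relative to now."""
    now = now or datetime.now(timezone.utc)
    soon = now + timedelta(days=warn_days)
    return {a: "expired" if t <= now else "expiring" if t <= soon else "valid"
            for a, t in entries}

def plan_removal(alias):
    """Steps 3-5 for one alias; shlex.quote covers aliases with special chars."""
    q, cer = shlex.quote(alias), shlex.quote(f"/root/{alias}.cer")
    return [f"{VECS_CLI} entry getcert --store TRUSTED_ROOTS --alias {q} --output {cer}",
            f"{DIR_CLI} trustedcert unpublish --cert {cer}",
            f"{VECS_CLI} entry delete --store TRUSTED_ROOTS --alias {q}"]

def dry_run(text, now=None):
    """Report every alias and list the removal commands only for expired ones."""
    report = []
    for alias, state in classify(parse_entries(text), now).items():
        report.append(f"{alias}: {state}")
        report.extend("  " + c for c in plan_removal(alias) if state == "expired")
    return report
```

On an appliance, feed it the real output with `dry_run(open("list.txt").read())` after saving `vecs-cli entry list --store TRUSTED_ROOTS --text > list.txt`, and run only the printed commands whose alias you have confirmed.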

Additional Information

WARNING:

  • Proceed with EXTREME CAUTION. If the wrong certificate is un-published and removed from VECS, the damage to the environment can be irreparable.
  • Be absolutely certain that the certificate being removed is the correct certificate to remove.
  • Validate that the root certificate about to expire has been renewed, and that all certificates issued from that root have also been renewed or replaced, before un-publishing it.

Mandatory precaution:

  • Ensure that all vCenter Servers in the federated environment (ELM) are shut down, and take a snapshot of all of them while they are powered off. They must be powered down so that no partial replication takes place during the snapshot operation. Power on all the vCenter Servers when the snapshot operation is complete.
  • A snapshot revert (if required to recover from damage) must be performed on all nodes to the same powered-off snapshot state, to ensure replication data consistency.