This article will help to remove the Certificate Status error by identifying the expired/expiring certificates and direct users to the right articles to replace the certificate.

• ESXi host alarm certificate status
• Monitor or track SSL, SMS and, STS certificate expiration
• There is an alarm in the vSphere Client for Certificate Status

• vCenter - /var/log/vmware/vpxd/vpxd.log will show the following message:

• vpxd.cert.threshold
• vpxd.certmgmt.certs.hardThreshold
• vpxd.certmgmt.certs.pollIntervalDays

Review the certificate expiration values within each Keystore of the VMware Endpoint Certificate Store (VECS) to determine which certificate is close to its expiration date or that has already expired.

1. Follow steps in Determining expired SSL certificates in vCenter Server and ESXi 6.x and 7.0.x
2. Perform one of the below options to remove the certificates based on where an expired or expiring certificate is identified in VMware Endpoint Certificate Store:

MACHINE_SSL_CERT VECS

• Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate
• Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate
• Delete an expired CSR from MACHINE_SSL_CERT VECS Store
  
  /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CSR -y

Solution Users VECS - machine, vsphere-webclient, vpxd, vpxd-extension

• How to replace the vSphere 6.0 Solution User certs with CA-signed certs
• How to replace the vSphere 6.0 Solution User certs with VMCA issued certs

SMS VECS

• "VasaServiceException: org.apache.axis2.AxisFault: certificate has expired", SMS Certificate Expiry Alarm after upgrading vCenter Server from 5.x to 6.x   

TRUSTED_ROOTS VECS

• Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store(VECS)

Data-encipherment VECS

• How to replace an expired data-encipherment certificate on vCenter Server

BACKUP_STORE VECS

1. Identify the alias of the expired certificate by executing the below command:

2. Export the certificate as a backup copy.

3. Delete the Expired certificate from VECS Store.

 
Note

• For the vCenter Appliance (VCSA) automated version of this KB section, please follow Certificate alarm - Clearing BACKUP_STORES certificates in the VCSA.
• If the certificate is a part of a third-party solution, VMware recommends working with the third-party vendor to upgrade the solution's certificate.

• VMware Skyline Health Diagnostics for vSphere - FAQ
• Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA
• Determining expired SSL certificates in vCenter Server and ESXi 6.x and 7.0.x

For STS certificate Expired/Expiring/Signing Certificate

• Checking Expiration of STS Certificate on vCenter Servers
• "Signing certificate is not valid" error in vCenter Server Appliance

Note: STS/Signing Certificate is not stored in VECS store, hence not covered in vCenter Server alarms. Please verify this Certificate by following the above steps before proceeding with the replacement of other Certificates stored in VECS store as replacement of these certificates will fail if STS certificate is already expired.