vCenter Expired Certificates

February 19, 2023 By Allan Kjaer

I had a strange problem in my lab that was showing that there were expired certificates in the vCenter.

Running the following command on the vCenter Appliance:

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

This showed that there were no expired certificates, but there was an expired certificate request.

The __MACHINE_CSR was expired. I think this was a leftover because I created 1 request and did not use it for creating a new certificate.
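The one-liner above leaves the date comparison to the reader. As an added example (not part of the original post and not VMware tooling), this Python script parses that output and reports, per store and alias, the entries that are expired or close to expiry. The sample text, its dates and the function names are constructed, and the `Alias :` / `Not After :` line layout is assumed from the grep patterns in the command.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of the one-liner's output; aliases and dates are illustrative.
SAMPLE = """\
[*] Store : MACHINE_SSL_CERT
Alias :\t__MACHINE_CERT
            Not After : Feb 10 09:30:00 2025 GMT
Alias :\t__MACHINE_CSR
            Not After : Jan  5 11:00:00 2023 GMT
[*] Store : TRUSTED_ROOTS
Alias :\t0123abcd
            Not After : Feb  8 09:30:00 2033 GMT
"""

STORE_RE = re.compile(r"^\[\*\] Store\s*:\s*(\S+)")
ALIAS_RE = re.compile(r"^\s*Alias\s*:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")

def parse_entries(text):
    """Yield (store, alias, not_after) for every alias that carries a date."""
    store = alias = None
    for line in text.splitlines():
        if m := STORE_RE.match(line):
            store, alias = m.group(1), None
        elif m := ALIAS_RE.match(line):
            alias = m.group(1)
        elif (m := NOT_AFTER_RE.match(line)) and alias:
            # OpenSSL-style timestamp; days below 10 are space-padded.
            when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")
            yield store, alias, when.replace(tzinfo=timezone.utc)
            alias = None

def find_problems(text, now, warn_days=30):
    """Return [(store, alias, status, not_after)] for expired/expiring entries."""
    problems = []
    for store, alias, not_after in parse_entries(text):
        left = not_after - now
        if left < timedelta(days=warn_days):
            status = "EXPIRED" if left <= timedelta(0) else "EXPIRING"
            problems.append((store, alias, status, not_after))
    return problems

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for store, alias, status, when in find_problems(text, datetime.now(timezone.utc)):
        print(f"{status:9} {store}/{alias}  Not After {when:%Y-%m-%d %H:%M} UTC")
```

Pipe the one-liner's output into the script on any host with Python 3.8 or later; run without piped input, it uses the constructed sample.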

NOTE: The solution is not validated by VMware Support, so use it at your own risk, or contact VMware Support to get a supported solution.

To remove the expired certificate request, use this command on the vCenter Appliance. Before running the command, reset the alarm to green.

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CSR

If you want to check whether this fixed the problem, restart all the services or reboot the vCenter Appliance; otherwise it may take up to 24 hours before the alarm shows again.
