topic Re: Cleanup old trusted root certificates from PSC in VMware vCenter™ Discussions

Cleanup old trusted root certificates from PSC

wreedMH — Wed, 06 Dec 2017 22:20:20 GMT

I have a customer that has had to reset their certificates a few times for unknown reasons using the certificate-manager utility. The problem is the PSC certificate manager web interface and the zip file to install them on users PC contain all the old unused ones still.

Is it possible to clean this up? When you click delete in the PSC web interface they just come right back.

Re: Cleanup old trusted root certificates from PSC

AishR — Tue, 02 Jan 2018 07:38:11 GMT

Managing Certificates with the Platform Services Controller Web Interface and Reset All Certificates might be of help to you

Re: Cleanup old trusted root certificates from PSC

fm2ahmed — Fri, 09 Mar 2018 16:32:52 GMT

Hi,

That didn't help. I am looking for a much simple solution. I used webui and vecs-cli to delete old certs from trusted store but unable to. The certs come back as soon as you delete them. Please help.

Regards,

Farooq Ahmed

Re: Cleanup old trusted root certificates from PSC

wreedMH — Fri, 09 Mar 2018 16:34:12 GMT

Farooq Ahmed

I have the same problem!

Re: Cleanup old trusted root certificates from PSC

fm2ahmed — Fri, 09 Mar 2018 22:23:27 GMT

Did u manage to resolve the issue??

Re: Cleanup old trusted root certificates from PSC

wreedMH — Mon, 12 Mar 2018 02:13:43 GMT

I rebuilt the vCenter, not because of this problem, but for other reasons.

I still would like to know how to clean the certs up in case I run into this in the future though!

Re: Cleanup old trusted root certificates from PSC

msripada — Wed, 14 Mar 2018 00:08:33 GMT

VMware Knowledge Base

Kb to cleanup trusted root store certificates . Please be careful and take certificates copied on different locations for safety precautions..

Thanks,

Re: Cleanup old trusted root certificates from PSC

JesusRulesMe2 — Thu, 04 Apr 2019 19:13:05 GMT

I tried all of the steps listed to no avail. Finally I opened a case with VMware and they walked me through using the certool in order to export the certificates, then run a script that revokes all the expired certificates. This is not officially supported by VMware yet, so try at your own risk. Tune in Error: Revoke expired certificates from VMware VCSA with Embedded PSC

Re: Cleanup old trusted root certificates from PSC

BenediktFrenzel — Fri, 05 Apr 2019 11:00:57 GMT

To remove the old Certificates from the Trusted Root you may want to follow the next steps:

Backup the PSC and the vCenter Server
Get the list of the current TRUSTED_ROOTS in use
1. Check the Certificates in the vecs on the PSC and VCSA

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store;\

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie -ie "Alias" "Subject" -ie "Issuer"; \

done;

Export the Certificates not in use form the TRUSTED_ROOTS on the PSC

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias "alias from the vecs entry" --output /tmp/"filename"

Unpublish the Certificates from the vmdir on the PSC

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert <file> --login <admin_user_id> --password <admin_password>

Use the Alias from the unused Certificates to delete the CRL on the PSC

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOT_CRLS -y --alias "alias from the vecs entry"

Force a vecs sync on all nodes

/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

Re: Cleanup old trusted root certificates from PSC

mfirth — Fri, 19 Apr 2019 13:43:19 GMT

If the only interesting store is TRUSTED_ROOTS, wouldn't it be easier to just display that, rather than all the stores in your second step?

There's also a typo in the "grep" line, where you have two "-ie" arguments together, and then two parameters together, rather than alternating.

So to just show the TRUSTED_ROOTS store, and with the grep fixes, I used:

STORE="TRUSTED_ROOTS" ; echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

(the "echo" is obviously not that useful any more)

Also, is it possible to get the system to prompt for the password in the "unpublish" command, rather than having to include it in clear text on the command line?

Re: Cleanup old trusted root certificates from PSC

BrianCunnie — Thu, 03 Nov 2022 00:14:14 GMT

Thanks so much! I had to tweak your for-loop to get it to work on vCenter 8:

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | egrep -i "Alias|Subject:|Issuer:"; done