VMware Cloud Community
wreedMH
Hot Shot
Hot Shot

Cleanup old trusted root certificates from PSC

I have a customer that has had to reset their certificates a few times for unknown reasons using the certificate-manager utility. The problem is the PSC certificate manager web interface and the zip file to install them on users PC contain all the old unused ones still.

Is it possible to clean this up? When you click delete in the PSC web interface they just come right back.

10 Replies
AishR
VMware Employee
VMware Employee

Reply
0 Kudos
fm2ahmed
Contributor
Contributor

Hi,

That didn't help. I am looking for a much simple solution. I used webui and vecs-cli to delete old certs from trusted store but unable to. The certs come back as soon as you delete them. Please help.

Regards,

Farooq Ahmed

wreedMH
Hot Shot
Hot Shot

Farooq Ahmed

I have the same problem!

Reply
0 Kudos
fm2ahmed
Contributor
Contributor

Did u manage to resolve the issue??

Reply
0 Kudos
wreedMH
Hot Shot
Hot Shot

I rebuilt the vCenter, not because of this problem, but for other reasons.

I still would like to know how to clean the certs up in case I run into this in the future though!

Reply
0 Kudos
msripada
Virtuoso
Virtuoso

VMware Knowledge Base

Kb to cleanup trusted root store certificates . Please be careful and take certificates copied on different locations for safety precautions..

Thanks,

MS

Reply
0 Kudos
JesusRulesMe2
Contributor
Contributor

I tried all of the steps listed to no avail. Finally I opened a case with VMware and they walked me through using the certool in order to export the certificates, then run a script that revokes all the expired certificates. This is not officially supported by VMware yet, so try at your own risk. Tune in Error: Revoke expired certificates from VMware VCSA with Embedded PSC

Reply
0 Kudos
BenediktFrenzel
VMware Employee
VMware Employee

To remove the old Certificates from the Trusted Root you may want to follow the next steps:

  1. Backup the PSC and the vCenter Server
  2. Get the list of the current TRUSTED_ROOTS in use
    1. Check the Certificates in the vecs on the PSC and VCSA

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store;\

  /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie -ie "Alias" "Subject" -ie "Issuer"; \

done;

  1. Export the Certificates not in use form the TRUSTED_ROOTS on the PSC

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias "alias from the vecs entry" --output /tmp/"filename"

  1. Unpublish the Certificates from the vmdir on the PSC

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert <file> --login <admin_user_id> --password <admin_password>

  1. Use the Alias from the unused Certificates to delete the CRL on the PSC

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOT_CRLS -y --alias "alias from the vecs entry"

  1. Force a vecs sync on all nodes

/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

mfirth
Enthusiast
Enthusiast

If the only interesting store is TRUSTED_ROOTS, wouldn't it be easier to just display that, rather than all the stores in your second step?

There's also a typo in the "grep" line, where you have two "-ie" arguments together, and then two parameters together, rather than alternating.

So to just show the TRUSTED_ROOTS store, and with the grep fixes, I used:

STORE="TRUSTED_ROOTS" ;  echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

(the "echo" is obviously not that useful any more)

Also, is it possible to get the system to prompt for the password in the "unpublish" command, rather than having to include it in clear text on the command line?

BrianCunnie
Enthusiast
Enthusiast

Thanks so much! I had to tweak your for-loop to get it to work on vCenter 8:

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
  echo "[*] Store :" $store;
  /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | egrep -i "Alias|Subject:|Issuer:";
done