I have a customer that has had to reset their certificates a few times for unknown reasons using the certificate-manager utility. The problem is that the PSC certificate manager web interface and the zip file used to install them on users' PCs still contain all the old, unused ones.
Is it possible to clean this up? When you click delete in the PSC web interface they just come right back.
That didn't help. I am looking for a much simpler solution. I used the web UI and vecs-cli to delete old certs from the trusted store but was unable to. The certs come back as soon as you delete them. Please help.
I tried all of the steps listed to no avail. Finally I opened a case with VMware and they walked me through using the certool in order to export the certificates, then run a script that revokes all the expired certificates. This is not officially supported by VMware yet, so try at your own risk. Tune in Error: Revoke expired certificates from VMware VCSA with Embedded PSC
To remove the old Certificates from the Trusted Root you may want to follow the next steps:
# 1. List the alias, subject and issuer of every entry in every VECS store (CRL store excluded)
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; \
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"; \
done
# 2. Export the old root certificate from TRUSTED_ROOTS to a file
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias "alias from the vecs entry" --output /tmp/"filename"
# 3. Unpublish it from the VMware Directory (vmdir), which is where VECS re-syncs it from
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert <file> --login <admin_user_id> --password <admin_password>
# 4. Now delete the entry from the same store it was exported from
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS -y --alias "alias from the vecs entry"
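The reason deleted roots "come right back" is that the VECS TRUSTED_ROOTS store is not authoritative: vmafd periodically re-syncs it from the trusted certificates published in the VMware Directory (vmdir), so an entry removed only from VECS (web UI or vecs-cli) is restored on the next sync. The steps above work because dir-cli trustedcert unpublish removes the directory copy first. The script below is an added example, not code from this thread or from VMware: it parses a captured listing in the format of vecs-cli entry list --store TRUSTED_ROOTS --text (the sample embedded here is constructed, with made-up aliases, serials and names and only the fields the parser needs), picks out the roots whose Not After date has passed, and prints the export / unpublish / delete commands for each as a dry-run plan to review before running on the appliance. The /tmp export path and the administrator@vsphere.local login are assumptions; --password is left off the dir-cli line so the tool prompts for it rather than recording the SSO password in shell history.

```python
import re
import shlex
from datetime import datetime, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"
DIR_CLI = "/usr/lib/vmware-vmafd/bin/dir-cli"

# Constructed sample approximating `vecs-cli entry list --store TRUSTED_ROOTS --text`
# output. Aliases, serials and names are made up; the first root expired in 2023.
SAMPLE_LISTING = """\
Number of entries in store :	2
Alias :	7c8e4b1a0d2f6e9c3b5a7d1f9e2c4a6b8d0f1e3c
Entry type :	Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, O=vcsa.example.test
        Validity
            Not Before: Jan  1 00:00:00 2018 GMT
            Not After : Jan  1 00:00:00 2023 GMT
        Subject: CN=CA, DC=vsphere, DC=local, C=US, O=vcsa.example.test
Alias :	a1f3c5e7d9b2468f0e1d2c3b4a5968778695a4b3
Entry type :	Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, O=vcsa.example.test
        Validity
            Not Before: Jan  1 00:00:00 2023 GMT
            Not After : Jan  1 00:00:00 2033 GMT
        Subject: CN=CA, DC=vsphere, DC=local, C=US, O=vcsa.example.test
"""

# Fixed reference time so the demonstration is deterministic.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_listing(text):
    """Split a --text listing into dicts with alias, subject, issuer and not_after (UTC)."""
    entries = []
    for chunk in re.split(r"^Alias\s*:", text, flags=re.MULTILINE)[1:]:
        alias = chunk.splitlines()[0].strip()
        subject = re.search(r"^\s*Subject:\s*(.+)$", chunk, re.MULTILINE)
        issuer = re.search(r"^\s*Issuer:\s*(.+)$", chunk, re.MULTILINE)
        not_after = re.search(r"^\s*Not After\s*:\s*(.+)$", chunk, re.MULTILINE)
        if not (subject and issuer and not_after):
            continue  # not a certificate entry (or truncated); skip it
        stamp = " ".join(not_after.group(1).split())  # collapse the "Jan  1" day padding
        expiry = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
        entries.append({"alias": alias, "subject": subject.group(1).strip(),
                        "issuer": issuer.group(1).strip(), "not_after": expiry})
    return entries


def expired_entries(entries, now):
    """Roots whose validity period ended before `now`."""
    return [e for e in entries if e["not_after"] < now]


def cleanup_commands(entry, login="administrator@vsphere.local"):
    """The thread's three steps in the order that survives vmafd's re-sync:
    export from VECS, unpublish from vmdir (the authoritative copy), delete from VECS.
    --password is omitted so dir-cli prompts instead of exposing it on the command line."""
    alias = shlex.quote(entry["alias"])
    pem = f"/tmp/{entry['alias']}.crt"  # assumed export location
    return [
        f"{VECS_CLI} entry getcert --store TRUSTED_ROOTS --alias {alias} --output {pem}",
        f"{DIR_CLI} trustedcert unpublish --cert {pem} --login {shlex.quote(login)}",
        f"{VECS_CLI} entry delete --store TRUSTED_ROOTS --alias {alias} -y",
    ]


def cleanup_plan(listing_text, now, login="administrator@vsphere.local"):
    """Return (expired entries, flat list of commands) for a captured listing."""
    stale = expired_entries(parse_listing(listing_text), now)
    commands = [c for e in stale for c in cleanup_commands(e, login)]
    return stale, commands


if __name__ == "__main__":
    # On the appliance: vecs-cli entry list --store TRUSTED_ROOTS --text > roots.txt
    # then feed that file here instead of SAMPLE_LISTING.
    stale, commands = cleanup_plan(SAMPLE_LISTING, datetime.now(timezone.utc))
    for e in stale:
        print(f"# expired {e['not_after']:%Y-%m-%d}: {e['subject']} (alias {e['alias']})")
    print("\n".join(commands))
```

Two caveats before running the printed commands: expiry only catches roots that have actually lapsed, so a replaced-but-still-valid old VMCA root has to be chosen by alias (compare each Subject against the Issuer of the current MACHINE_SSL_CERT entry and remove only roots nothing still chains to); and the unpublish step changes the directory that every PSC and vCenter in the SSO domain syncs from, so run it once and let replication carry it rather than repeating it per node.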
If the only interesting store is TRUSTED_ROOTS, wouldn't it be easier to just display that, rather than all the stores in your second step?
There's also a typo in the "grep" line, where you have two "-ie" arguments together, and then two parameters together, rather than alternating.
So to just show the TRUSTED_ROOTS store, and with the grep fixes, I used:
STORE="TRUSTED_ROOTS" ; echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"
(the "echo" is obviously not that useful any more)
Also, is it possible to get the system to prompt for the password in the "unpublish" command, rather than having to include it in clear text on the command line?
Thanks so much! I had to tweak your for-loop to get it to work on vCenter 8:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | egrep -i "Alias|Subject:|Issuer:"; done