To remove the old Certificates from the Trusted Root you may want to follow the following steps:
- Backup the PSC and the vCenter Server
- Get the list of the current TRUSTED_ROOTS in use
- Check the Certificates in the vecs on the PSC and VCSA
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; \
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -i -e "Alias" -e "Subject" -e "Issuer"; \
done;
- Export the Certificates not in use from the TRUSTED_ROOTS on the PSC
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias "alias from the vecs entry" --output /tmp/"filename"
- Unpublish the Certificates from the vmdir on the PSC
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert <file> --login <admin_user_id> --password <admin_password>
- Use the Alias from the unused Certificates to delete the CRL on the PSC
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOT_CRLS -y --alias "alias from the vecs entry"
- Force a vecs sync on all nodes
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
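As an added example (not part of the original post), a read-only audit script that enumerates TRUSTED_ROOTS, exports every root and reports which ones are expired, so you have a reviewed candidate list before the unpublish and delete steps above. It assumes the vecs-cli path used above, that `entry getcert` without `--output` prints the PEM to stdout, that the active machine certificate is alias __MACHINE_CERT in the MACHINE_SSL_CERT store, and that openssl is on PATH.

```shell
#!/bin/sh
# Added example: dry-run audit of TRUSTED_ROOTS on a PSC/VCSA. Nothing here
# modifies any store; it only exports and inspects certificates.
VECS="${VECS:-/usr/lib/vmware-vmafd/bin/vecs-cli}"   # assumed path, as in the post
WORK="${WORK:-/tmp/trusted-roots-audit}"

# Read a `vecs-cli entry list --text` listing on stdin, print one alias per line.
# (Assumes each entry has an "Alias : <value>" line.)
list_aliases() {
    sed -n 's/^Alias[[:space:]]*:[[:space:]]*//p'
}

# Classify a PEM file: "unreadable", "expired" or "valid" (openssl -checkend 0
# exits non-zero when the certificate has already expired).
cert_status() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable
    elif openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

audit() {
    mkdir -p "$WORK"
    # Issuer of the current machine SSL cert: a root with that subject is in use
    # and must stay, whatever its expiry says. (Assumption: alias __MACHINE_CERT.)
    inuse=$("$VECS" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT 2>/dev/null \
            | openssl x509 -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    "$VECS" entry list --store TRUSTED_ROOTS --text | list_aliases | while read -r alias; do
        pem="$WORK/$alias.crt"
        "$VECS" entry getcert --store TRUSTED_ROOTS --alias "$alias" --output "$pem"
        subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null | sed 's/^subject=//')
        status=$(cert_status "$pem")
        if [ -n "$inuse" ] && [ "$subject" = "$inuse" ]; then
            status="in-use (issuer of the machine SSL certificate)"
        fi
        printf '%-45s %s\n' "$alias" "$status"
    done
}

# Run the audit only where vecs-cli exists; on any other host just say so.
if [ -x "$VECS" ]; then audit; else echo "vecs-cli not found at $VECS; nothing to audit"; fi
```

Only aliases reported as `expired` (and not `in-use`) are candidates for the export, unpublish and CRL-delete steps; the exported files in $WORK are the ones to pass to `dir-cli trustedcert unpublish --cert`.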