VMware Cloud Community
onkeltom666
Contributor

Removing unused CA Certificates from vCenter Server 7

Hello Community!

I hope you can help me with the following issue: 

In my vCenter Server 7 (7.0.1 U1c Build: 17327586) there are many trusted CA certificates which were created during another issue where I tried to replace all certificates by using the certificate-manager. After I updated the whole PKI, I enrolled quite new certificates and I wanted to remove these "old" ones which are unused now, and this seems to be more difficult than I thought.

Even though these CA certificates are not expired, I followed this guide and removed all CA certificates which are not used anymore: Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Sto... 

At the beginning it seemed to work as expected, but after I rebooted the VCSA and took a look at the certificate administration in vCenter I am no longer able to see any certificates. Instead I get the following error: Error occurred while fetching machine certificates: This method requires authentication.

What did I do wrong here? How can I fix that?

Thank you!

3 Replies
jburen
Expert

I am afraid it is not possible to tell you what you did wrong. Certificates can be a real pain in the *** so always create backups/snapshots before you make changes. I don't know if it is possible but maybe you can rebuild vCenter from scratch?

Consider giving Kudos if you think my response helped you in any way.
onkeltom666
Contributor

Thank you for your reply! 

Of course I have backups of the server and I already restored the vCenter from them successfully. So nothing is damaged here 🙂 But I am still interested in removing these old certificates. I already repeated the procedure to make sure I did not make any stupid mistakes with the guide. But after that I had the same problem...

jburen
Expert

So maybe one or more certificates you deleted are still being used. Otherwise, you wouldn't get the errors. Personally, I would investigate the possibility to do a reinstall of the VCSA. I always want to be sure that there are no strange issues that might bite you later on.

Consider giving Kudos if you think my response helped you in any way.
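Following up on the point that a deleted root may still be in use: an added example (not from this thread, the linked guide, or VMware) that cross-checks, offline, which TRUSTED_ROOTS entries are still the issuer of a certificate held in another VECS store, so that only genuinely unused roots are considered for removal. It assumes the `Alias :` / `Issuer:` / `Subject:` line layout printed by `vecs-cli entry list --store <store> --text`; both samples are constructed.

```shell
#!/bin/sh
# Added example: flag TRUSTED_ROOTS entries that still issue a certificate held in
# another VECS store, so they are not removed by mistake. Assumes the
# "Alias :" / "Issuer:" / "Subject:" lines of
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store <store> --text
# Both samples below are constructed, not real vCenter output.

# Constructed sample: two roots in TRUSTED_ROOTS (the second is a leftover CA).
TRUSTED_ROOTS_TEXT='Alias : 0a1b2c3d
Entry type : TrustedCert
        Issuer: CN=CA, DC=vsphere, DC=local
        Subject: CN=CA, DC=vsphere, DC=local
Alias : 4e5f6a7b
Entry type : TrustedCert
        Issuer: CN=OLD-CA, DC=vsphere, DC=local
        Subject: CN=OLD-CA, DC=vsphere, DC=local'

# Constructed sample: leaf certificates from MACHINE_SSL_CERT and a solution
# user store, concatenated (in practice: run the list command once per store).
LEAF_CERTS_TEXT='Alias : __MACHINE_CERT
Entry type : PrivateKey
        Issuer: CN=CA, DC=vsphere, DC=local
        Subject: CN=vcsa.lab.example
Alias : vsphere-webclient
Entry type : PrivateKey
        Issuer: CN=CA, DC=vsphere, DC=local
        Subject: CN=vsphere-webclient-1234'

# classify_roots ROOTS_TEXT LEAF_TEXT
# Prints one line per root: "<alias><TAB><subject><TAB>IN-USE|UNUSED".
# A root is IN-USE when its Subject equals the Issuer of any leaf certificate.
classify_roots() {
  issuers=$(printf '%s\n' "$2" | sed -n 's/^[[:space:]]*Issuer: //p' | sort -u)
  printf '%s\n' "$1" | awk -v issuers="$issuers" '
    BEGIN { n = split(issuers, a, "\n"); for (i = 1; i <= n; i++) used[a[i]] = 1 }
    /^Alias[ \t]*:/ { sub(/^Alias[ \t]*:[ \t]*/, ""); alias = $0 }
    /^[ \t]*Subject: / {
      sub(/^[ \t]*Subject: /, ""); subj = $0
      printf "%s\t%s\t%s\n", alias, subj, ((subj in used) ? "IN-USE" : "UNUSED")
    }'
}

# unused_root_aliases ROOTS_TEXT LEAF_TEXT: only the aliases that no leaf depends on.
unused_root_aliases() {
  classify_roots "$1" "$2" | awk -F '\t' '$3 == "UNUSED" { print $1 }'
}

classify_roots "$TRUSTED_ROOTS_TEXT" "$LEAF_CERTS_TEXT"
```

On a real VCSA, feed the output of the list command for TRUSTED_ROOTS as the first argument and the concatenated output for MACHINE_SSL_CERT and each solution user store as the second; a snapshot before any `vecs-cli entry delete` remains the real safety net.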