VMware Cloud Community
dgrove12
Contributor

LDAPS - Domain Controller Expired Cert

Our domain controllers are set up for auto-enrollment for certificates and they recently rolled over. That said, one of my VCSAs is configured with an LDAPS identity source that references a cert that is no longer valid... which prevents me from logging in with domain creds. You'd think I could just add the new certs, but I'm unable to save the config because the expired certs still exist. Using vecs-cli, I could not locate the certs in question. They don't seem to be added to any stores, which I found odd. I can see the certs when I run sso-config.sh, but I have no option to replace or delete them. I haven't tried the nuclear option of deleting the identity source, but I'd really rather not do that. Who knows what that will do to permissions, roles, etc.

Strangely, I have another VCSA that's set up for federation through ADFS, and even though it still relies on LDAPS for looking up users, it's working just fine. I'd imagine it still has the old cert in place as well... so I'm a little confused there.

Have any of you run into this?  Is there a way to remove the expired certs from the identity source so I can add new ones and save the config?
