PowerCLI


Check for expiring solution certificates for many vCenters

  • 1.  Check for expiring solution certificates for many vCenters

    Posted Oct 18, 2024 11:33 AM

    Hello,

    We recently had an issue with expiring solution certificates, which prevented us from logging in via the web interface and the VAMI, and broke the backups. I was able to resolve the issue using this KB: Verify and resolve expired vCenter Server certificates using command line interface. (broadcom.com)

    In order to prevent this from happening again I would like to check all of our vCenters for expiring certificates. The way I check each vCenter individually is to log into it via SSH, then run this command:

    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

    This will display the information for all certificates including the solution certificates with their expiry dates.

    Is there a way to do this by connecting to the vCenter using Connect-VIServer in PowerCLI rather than SSH?

    If SSH is the only option, can I import a list of vCenters from CSV and then output the command above to .csv rather than doing it manually dozens of times?

    Thanks.




  • 2.  RE: Check for expiring solution certificates for many vCenters
    Best Answer

    Posted Oct 18, 2024 11:46 AM
    Edited by dbutch1976 Oct 18, 2024 01:26 PM

    You can use SSH, and you can automate that with the Posh-SSH module.
    See my Use Posh-SSH instead of PuTTY for an example.

    You can automate it all with something like this

    $user = 'user'
    $pswd = 'VMware1!'
    $cred = New-Object -Type PSCredential -ArgumentList ($user,(ConvertTo-SecureString -String $pswd -AsPlainText -Force))
    
    $cmd = @'
    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
    '@
    
    Import-Csv -Path '.\vcenters.csv' -PipelineVariable row |
    Foreach-Object -Process {
       $session = New-SSHSession -ComputerName $row.vcName -Credential $cred -AcceptKey
       Invoke-SSHCommand -SSHSession $session -Command $cmd | Select -ExpandProperty Output
       Remove-SSHSession -SSHSession $session | Out-Null 
    }


    Another option is to use the script William provided in Retrieving vCenter Server certificate (Machine, VMCA Root, STS & Trusted Root) details using the vSphere API 



    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------



  • 3.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 18, 2024 02:44 PM

    Amazing as always LucD. Quick question though,

    Why is this required (or preferable):

    $user = 'user'
    $pswd = 'VMware1!'
    $cred = New-Object -Type PSCredential -ArgumentList ($user,(ConvertTo-SecureString -String $pswd -AsPlainText -Force))
    


    To just this?

    $cred = Get-Credential




  • 4.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 18, 2024 04:45 PM

    The Get-Credential requires input via the console, which might be an issue when automating.
    Hence my use of the New-Object cmdlet.



    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------
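An added end-to-end version of what replies 2 and 4 describe (example code written for this thread, not LucD's or the original poster's): it loads a stored credential instead of embedding a password, runs the same vecs-cli loop over Posh-SSH against every vCenter listed in vcenters.csv, parses the Alias / Not After pairs into objects with days-to-expiry, and writes the result to CSV. The credential file path, the output file name, the 60-day warning threshold and the vcName column are assumptions; the Not After timestamp format is the OpenSSL style that vecs-cli --text prints.

```powershell
# Added example, not code from the thread: the vecs-cli loop from reply 2, run over SSH
# against every vCenter in a CSV, with the output parsed into objects and exported.
# Assumptions: Posh-SSH is installed (Install-Module Posh-SSH); vcenters.csv has a
# 'vcName' column; the account has shell access on each VCSA. File names are made up.
Import-Module Posh-SSH

# Reply 4 explains why Get-Credential does not suit unattended runs. Rather than a
# plaintext password in the script, store the credential once, interactively:
#   Get-Credential | Export-Clixml -Path .\vcsa-ssh.cred.xml
# Export-Clixml protects the SecureString with DPAPI, so the file only decrypts for the
# same Windows account on the same machine. Fall back to a prompt when the file is absent.
$credFile = '.\vcsa-ssh.cred.xml'   # assumed path
$cred = if (Test-Path $credFile) { Import-Clixml -Path $credFile } else { Get-Credential -Message 'VCSA SSH account' }

# Same command as the original post. TRUSTED_ROOT_CRLS is skipped because that store holds CRLs, not certificates.
$cmd = @'
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
'@

$warnDays = 60          # assumed threshold: flag certificates expiring within this many days
$now      = Get-Date

function ConvertFrom-VecsOutput {
    # Turns the "[*] Store :", "Alias :" and "Not After :" lines into one object per certificate.
    param([string]$VCenter, [string[]]$Lines)
    $store = $null; $alias = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^\[\*\] Store :\s*(\S+)' { $store = $Matches[1] }
            '^\s*Alias\s*:\s*(.+)$'   { $alias = $Matches[1].Trim() }
            'Not After\s*:\s*(.+)$'   {
                # OpenSSL-style timestamp, e.g. "Oct 25 00:26:43 2026 GMT" (the day may be space-padded)
                $raw = ($Matches[1].Trim() -replace '\s+', ' ') -replace ' GMT$', ''
                $notAfter = [datetime]::MinValue
                $ok = [datetime]::TryParseExact($raw, 'MMM d HH:mm:ss yyyy', [cultureinfo]::InvariantCulture,
                        [System.Globalization.DateTimeStyles]::AssumeUniversal, [ref]$notAfter)
                $status = if (-not $ok) { 'UNPARSED' } elseif ($notAfter -lt $now) { 'EXPIRED' } elseif (($notAfter - $now).TotalDays -le $warnDays) { 'EXPIRING' } else { 'OK' }
                [pscustomobject]@{
                    VCenter  = $VCenter
                    Store    = $store
                    Alias    = $alias
                    NotAfter = if ($ok) { $notAfter } else { $raw }
                    DaysLeft = if ($ok) { [int]($notAfter - $now).TotalDays } else { $null }
                    Status   = $status
                }
            }
        }
    }
}

$results = Import-Csv -Path '.\vcenters.csv' | ForEach-Object {
    $vc = $_.vcName
    $session = $null
    try {
        # -AcceptKey accepts an unknown host key on first connect, as in reply 2; review the stored keys afterwards.
        $session = New-SSHSession -ComputerName $vc -Credential $cred -AcceptKey -ErrorAction Stop
        $out = Invoke-SSHCommand -SSHSession $session -Command $cmd -ErrorAction Stop
        ConvertFrom-VecsOutput -VCenter $vc -Lines $out.Output
    } catch {
        # Keep unreachable hosts in the report instead of silently dropping them.
        [pscustomobject]@{ VCenter = $vc; Store = $null; Alias = $null; NotAfter = $null; DaysLeft = $null; Status = "ERROR: $($_.Exception.Message)" }
    } finally {
        if ($session) { Remove-SSHSession -SSHSession $session | Out-Null }
    }
}

$results | Sort-Object DaysLeft | Export-Csv -Path '.\vcsa-cert-expiry.csv' -NoTypeInformation
$results | Where-Object { $_.Status -ne 'OK' } | Format-Table VCenter, Store, Alias, NotAfter, DaysLeft, Status -AutoSize
```

The CSV contains every certificate from every store, so the same report also shows the solution-user certificates (the entries under the machine and vpxd stores) that caused the original outage, and a scheduled run only has to look at the rows whose Status is not OK.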



  • 5.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 19, 2024 10:39 PM

    https://williamlam.com/2023/09/retrieving-vcenter-server-certificate-machine-vmca-root-sts-trusted-root-details-using-the-vsphere-api.html




  • 6.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 27, 2024 03:02 AM

    This looks extremely promising, however when I use it against my test VCs (both vCenter 8 and vCenter 7) I am getting this error, however it does produce two machine certs successfully. I have tried from two different workstations with the same result, so I don't think it's a PowerCLI configuration issue:


    Method invocation failed because [System.Security.Cryptography.X509Certificates.X509Certificate2] does not contain a method named 'CreateFromPem'.
    At \\tsclient\C\Users\dbutc\Dropbox\VMware\PowerCLI\connect-viserver_viserver service status\Get-VCSACertificate.ps1:55 char:9
    +         $cert = $xCert2Type::CreateFromPem($signingCert) -as $xCert2T ...
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : MethodNotFound
     
    CreateCertObject : Cannot bind argument to parameter 'Cert' because it is null.
    At \\tsclient\C\Users\dbutc\Dropbox\VMware\PowerCLI\connect-viserver_viserver service status\Get-VCSACertificate.ps1:60 char:41
    +             $c = CreateCertObject -Cert $cert -Type "VMCA_ROOT"
    +                                         ~~~~~
        + CategoryInfo          : InvalidData: (:) [CreateCertObject], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,CreateCertObject
     
    Method invocation failed because [System.Security.Cryptography.X509Certificates.X509Certificate2] does not contain a method named 'CreateFromPem'.
    At \\tsclient\C\Users\dbutc\Dropbox\VMware\PowerCLI\connect-viserver_viserver service status\Get-VCSACertificate.ps1:55 char:9
    +         $cert = $xCert2Type::CreateFromPem($signingCert) -as $xCert2T ...
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : MethodNotFound
     
    CreateCertObject : Cannot bind argument to parameter 'Cert' because it is null.
    At \\tsclient\C\Users\dbutc\Dropbox\VMware\PowerCLI\connect-viserver_viserver service status\Get-VCSACertificate.ps1:60 char:41
    +             $c = CreateCertObject -Cert $cert -Type "VMCA_ROOT"
    +                                         ~~~~~
        + CategoryInfo          : InvalidData: (:) [CreateCertObject], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,CreateCertObject
     
    Method invocation failed because [System.Security.Cryptography.X509Certificates.X509Certificate2] does not contain a method named 'CreateFromPem'.
    At \\tsclient\C\Users\dbutc\Dropbox\VMware\PowerCLI\connect-viserver_viserver service status\Get-VCSACertificate.ps1:96 char:9
    +         $rootCert = $xCert2Type::CreateFromPem($rootChain) -as $xCert ...
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : MethodNotFound
     
    Exception calling "Parse" with "2" argument(s): "The value could not be parsed."
    At \\tsclient\C\Users\dbutc\Dropbox\VMware\PowerCLI\connect-viserver_viserver service status\Get-VCSACertificate.ps1:98 char:9
    +         $tmp = [pscustomobject] [ordered]@{
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : FormatException
     


    Type                          : MACHINE
    CertificateCommonName         : 192.168.0.14
    CertificateIssuedBy           : US
    CertificateValidFrom          : 2024-10-24 12:26:43 PM
    CertificateValidUntil         : 2026-10-25 12:26:43 AM
    CertificateSignatureAlgorithm : SHA256WITHRSA
    CertificateThumbprint         : 415106E528814965A5278B1E05F518E6B1E3DA1E
    CertificateOrganization       : 
    CertificateOrganizationalUnit : 
    CertificateStateProvince      : 
    CertificateCountry            : US
    IssuerName                    : CA
    IssuerOrganization            : localhost
    IssuerOrganizationalUnit      : VMware Engineering
    IssuerStateProvince           : California
    IssuerCountry                 : US
    IssuerSerialNumber            : e4a075aa68410484
    IssuerVersion                 : 

    Type                          : MACHINE
    CertificateCommonName         : 192.168.0.14
    CertificateIssuedBy           : US
    CertificateValidFrom          : 2024-10-24 12:26:43 PM
    CertificateValidUntil         : 2026-10-25 12:26:43 AM
    CertificateSignatureAlgorithm : SHA256WITHRSA
    CertificateThumbprint         : 415106E528814965A5278B1E05F518E6B1E3DA1E
    CertificateOrganization       : 
    CertificateOrganizationalUnit : 
    CertificateStateProvince      : 
    CertificateCountry            : US
    IssuerName                    : CA
    IssuerOrganization            : localhost
    IssuerOrganizationalUnit      : VMware Engineering
    IssuerStateProvince           : California
    IssuerCountry                 : US
    IssuerSerialNumber            : e4a075aa68410484
    IssuerVersion                 : 




  • 7.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 27, 2024 03:17 AM

    That method is only available since .NET 5.
    You can check which .NET version you have installed with

    reg query 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP' /s | where{$_ -match 'Version.+REG_SZ'}


    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------



  • 8.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 27, 2024 02:27 PM

    When running reg query 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP' /s | where{$_ -match 'Version.+REG_SZ'}


    I get:

        Version    REG_SZ    2.0.50727.4927
        Version    REG_SZ    2.0.50727.4927
        Version    REG_SZ    3.0.30729.4926
        Version    REG_SZ    3.0.30729.4926
        Version    REG_SZ    3.0.30729.4926
        Version    REG_SZ    3.0.4506.4926
        ProductVersion    REG_SZ    3.0.6920.4902
        Version    REG_SZ    3.0.6920.4902
        FileVersion    REG_SZ    3.0.4203.4926
        ProductVersion    REG_SZ    3.0.0.0
        Version    REG_SZ    3.5.30729.4926
        Version    REG_SZ    3.5.30729.4926
        TargetVersion    REG_SZ    4.0.0
        Version    REG_SZ    4.8.09032
        TargetVersion    REG_SZ    4.0.0
        Version    REG_SZ    4.8.09032
        TargetVersion    REG_SZ    4.0.0
        Version    REG_SZ    4.8.09032
        TargetVersion    REG_SZ    4.0.0
        Version    REG_SZ    4.8.09032
        Version    REG_SZ    4.0.0.0


    So I went ahead and installed ASP.NET framework 9 from here:

    Download ASP.NET Core 9.0 Runtime (v9.0.0-rc.2) - Windows x64 Installer

    However this has had no effect. I also installed .NET8 from here:

    Download .NET Framework | Free official downloads

    Still didn't make a difference. I have a feeling this is just not installing the right version of .NET. Is there a difference between ASP.NET and .NET, and in turn do I need .NET 5 specifically and only .NET 5?

    I can't seem to find an installer specifically for .NET 5.




  • 9.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 27, 2024 03:41 PM

    That method was introduced in .Net 5, and it is in .Net 8.
    The method is there, but there seem to be 2 entries.
    Check with

    $xCert2Type.GetMethods() | where{$_.Name -eq 'CreateFromPem'}

    I'm not sure how to fix this.
    From the comments in William's post you don't seem to be the only one having the issue.

    The suggestion to use PSv7 and VSC seems to work for me.
    Can you try that as well?




    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------
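Reply 7 names the root cause: Windows PowerShell 5.1 always runs on .NET Framework 4.8, whatever .NET 8 or 9 runtimes are installed beside it (which is why the reg query above lists only 4.8), so [X509Certificate2]::CreateFromPem, new in .NET 5, is only reachable from PowerShell 7. The following is an added example (not part of the thread or of William's script) of a PEM loader that uses CreateFromPem when the runtime has it and otherwise falls back to the X509Certificate2(byte[]) constructor, which every .NET version has, so the same code runs under both 5.1 and 7. The sample certificate is generated inside the block with CertificateRequest (available since .NET Framework 4.7.2) so it runs offline; its subject name and validity period are constructed.

```powershell
# Added example, not from the thread or William's script: load a PEM certificate into an
# X509Certificate2 on any PowerShell edition. CreateFromPem exists only on .NET 5+
# (PowerShell 7); Windows PowerShell 5.1 always runs on .NET Framework 4.8, so there the
# PEM armour is stripped, the DER bytes are base64-decoded and the byte[] constructor is used.
function ConvertFrom-PemCertificate {
    param([Parameter(Mandatory)][string]$Pem)
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    # Same check LucD suggested above: is the method present on this runtime at all?
    # (On .NET 5+ its overloads take ReadOnlySpan<char>; PowerShell 7 converts a string for us.)
    if (@($x509.GetMethods() | Where-Object { $_.Name -eq 'CreateFromPem' }).Count -gt 0) {
        return $x509::CreateFromPem($Pem)
    }
    # Fallback for Windows PowerShell 5.1: take the first CERTIFICATE block only,
    # because the constructor expects exactly one DER-encoded certificate.
    $m = [regex]::Match($Pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    if (-not $m.Success) { throw 'No CERTIFICATE block found in PEM input' }
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}

# Constructed sample input: a throwaway self-signed certificate so the function can be
# exercised offline. CertificateRequest exists since .NET Framework 4.7.2 and .NET Core 2.0.
function New-SamplePem {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    try {
        $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
            'CN=vcsa-sample.example.invalid', $rsa,                       # constructed subject
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        $cert = $req.CreateSelfSigned((Get-Date).AddDays(-1), (Get-Date).AddDays(45))  # constructed validity
        $b64  = [Convert]::ToBase64String(
            $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert), 'InsertLineBreaks')
        "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
    } finally { $rsa.Dispose() }
}

$pem  = New-SamplePem
$cert = ConvertFrom-PemCertificate -Pem $pem
[pscustomobject]@{
    Runtime    = "$($PSVersionTable.PSEdition) $($PSVersionTable.PSVersion)"
    Subject    = $cert.Subject
    NotAfter   = $cert.NotAfter
    DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Thumbprint = $cert.Thumbprint
}
```

Under Windows PowerShell 5.1 the Runtime field reads "Desktop 5.1..." and the fallback path is taken; under PowerShell 7 it reads "Core 7..." and CreateFromPem is called, with identical Subject, NotAfter and Thumbprint either way. The same two-branch function can replace the CreateFromPem calls that fail at lines 55 and 96 in the error output above.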



  • 10.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 27, 2024 04:00 PM

    $xCert2Type.GetMethods() | where{$_.Name -eq 'CreateFromPem'}
    You cannot call a method on a null-valued expression.
    At line:1 char:1
    + $xCert2Type.GetMethods() | where{$_.Name -eq 'CreateFromPem'}
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

    However, I tried using PSv7 and it also worked for me, thanks! It looks like my next problem is the same as someone else's in the comments for William's post: I'd like to run this with a read-only account if possible. I'll work on that next.
    Thanks LucD!




  • 11.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 27, 2024 04:02 PM

    You did initialise the $xCert2Type object first?

    $xCert2Type = [System.Security.Cryptography.X509Certificates.X509Certificate2]

     



    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------



  • 12.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 27, 2024 05:41 PM

    No, I didn't. After running this first:

    $xCert2Type = [System.Security.Cryptography.X509Certificates.X509Certificate2]


    then this:

    $xCert2Type.GetMethods() | where{$_.Name -eq 'CreateFromPem'}


    No error, but it doesn't return any results.




  • 13.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 27, 2024 05:43 PM

    Under PSv7, not PSv5.*?



    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------



  • 14.  RE: Check for expiring solution certificates for many vCenters

    Posted Oct 28, 2024 04:34 AM

    Sorry, under PSv7:

    Name                       : CreateFromPem
    DeclaringType              : System.Security.Cryptography.X509Certificates.X509Certificate2
    ReflectedType              : System.Security.Cryptography.X509Certificates.X509Certificate2
    MemberType                 : Method
    MetadataToken              : 100664097
    Module                     : System.Security.Cryptography.X509Certificates.dll
    IsSecurityCritical         : True
    IsSecuritySafeCritical     : False
    IsSecurityTransparent      : False
    MethodHandle               : System.RuntimeMethodHandle
    Attributes                 : PrivateScope, Public, Static, HideBySig
    CallingConvention          : Standard
    ReturnType                 : System.Security.Cryptography.X509Certificates.X509Certificate2
    ReturnTypeCustomAttributes : System.Security.Cryptography.X509Certificates.X509Certificate2
    ReturnParameter            : System.Security.Cryptography.X509Certificates.X509Certificate2
    IsCollectible              : False
    IsGenericMethod            : False
    IsGenericMethodDefinition  : False
    ContainsGenericParameters  : False
    MethodImplementationFlags  : Managed
    IsAbstract                 : False
    IsConstructor              : False
    IsFinal                    : False
    IsHideBySig                : True
    IsSpecialName              : False
    IsStatic                   : True
    IsVirtual                  : False
    IsAssembly                 : False
    IsFamily                   : False
    IsFamilyAndAssembly        : False
    IsFamilyOrAssembly         : False
    IsPrivate                  : False
    IsPublic                   : True
    IsConstructedGenericMethod : False
    CustomAttributes           : {[System.Runtime.CompilerServices.NullableContextAttribute((Byte)0)]}

    Name                       : CreateFromPem
    DeclaringType              : System.Security.Cryptography.X509Certificates.X509Certificate2
    ReflectedType              : System.Security.Cryptography.X509Certificates.X509Certificate2
    MemberType                 : Method
    MetadataToken              : 100664101
    Module                     : System.Security.Cryptography.X509Certificates.dll
    IsSecurityCritical         : True
    IsSecuritySafeCritical     : False
    IsSecurityTransparent      : False
    MethodHandle               : System.RuntimeMethodHandle
    Attributes                 : PrivateScope, Public, Static, HideBySig
    CallingConvention          : Standard
    ReturnType                 : System.Security.Cryptography.X509Certificates.X509Certificate2
    ReturnTypeCustomAttributes : System.Security.Cryptography.X509Certificates.X509Certificate2
    ReturnParameter            : System.Security.Cryptography.X509Certificates.X509Certificate2
    IsCollectible              : False
    IsGenericMethod            : False
    IsGenericMethodDefinition  : False
    ContainsGenericParameters  : False
    MethodImplementationFlags  : Managed
    IsAbstract                 : False
    IsConstructor              : False
    IsFinal                    : False
    IsHideBySig                : True
    IsSpecialName              : False
    IsStatic                   : True
    IsVirtual                  : False
    IsAssembly                 : False
    IsFamily                   : False
    IsFamilyAndAssembly        : False
    IsFamilyOrAssembly         : False
    IsPrivate                  : False
    IsPublic                   : True
    IsConstructedGenericMethod : False
    CustomAttributes           : {[System.Runtime.CompilerServices.NullableContextAttribute((Byte)0)]}