  • 1.  Cleanup old trusted root certificates from PSC

    Posted Dec 06, 2017 10:20 PM

    I have a customer that has had to reset their certificates a few times for unknown reasons using the certificate-manager utility. The problem is the PSC certificate manager web interface and the zip file to install them on users PC contain all the old unused ones still.

    Is it possible to clean this up? When you click delete in the PSC web interface they just come right back.



  • 2.  RE: Cleanup old trusted root certificates from PSC

    Posted Jan 02, 2018 07:38 AM


  • 3.  RE: Cleanup old trusted root certificates from PSC

    Posted Mar 09, 2018 04:33 PM

    Hi,

    That didn't help. I am looking for a much simpler solution. I used the web UI and vecs-cli to delete old certs from the trusted store but was unable to. The certs come back as soon as you delete them. Please help.

    Regards,

    Farooq Ahmed



  • 4.  RE: Cleanup old trusted root certificates from PSC

    Posted Mar 09, 2018 04:34 PM

    Farooq Ahmed

    I have the same problem!



  • 5.  RE: Cleanup old trusted root certificates from PSC

    Posted Mar 09, 2018 10:23 PM

    Did you manage to resolve the issue?



  • 6.  RE: Cleanup old trusted root certificates from PSC

    Posted Mar 12, 2018 02:14 AM

    I rebuilt the vCenter, not because of this problem, but for other reasons.

    I still would like to know how to clean the certs up in case I run into this in the future though!



  • 7.  RE: Cleanup old trusted root certificates from PSC

    Posted Mar 14, 2018 12:09 AM

    VMware Knowledge Base

    KB to clean up trusted root store certificates. Please be careful and keep copies of the certificates in different locations as a safety precaution.

    Thanks,

    MS



  • 8.  RE: Cleanup old trusted root certificates from PSC

    Posted Apr 04, 2019 07:13 PM

    I tried all of the steps listed to no avail. Finally I opened a case with VMware and they walked me through using the certool in order to export the certificates, then run a script that revokes all the expired certificates. This is not officially supported by VMware yet, so try at your own risk. Tune in Error: Revoke expired certificates from VMware VCSA with Embedded PSC



  • 9.  RE: Cleanup old trusted root certificates from PSC

    Posted Apr 05, 2019 11:01 AM

    To remove the old Certificates from the Trusted Root you may want to follow the next steps:

    1. Backup the PSC and the vCenter Server
    2. Get the list of the current TRUSTED_ROOTS in use
       a. Check the Certificates in the vecs on the PSC and VCSA

    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store;\
      /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie -ie "Alias" "Subject" -ie "Issuer"; \
    done;

    3. Export the Certificates not in use from the TRUSTED_ROOTS on the PSC

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias "alias from the vecs entry" --output /tmp/"filename"

    4. Unpublish the Certificates from the vmdir on the PSC

    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert <file> --login <admin_user_id> --password <admin_password>

    5. Use the Alias from the unused Certificates to delete the CRL on the PSC

    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOT_CRLS -y --alias "alias from the vecs entry"

    6. Force a vecs sync on all nodes

    /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh



  • 10.  RE: Cleanup old trusted root certificates from PSC

    Posted Apr 19, 2019 01:43 PM

    If the only interesting store is TRUSTED_ROOTS, wouldn't it be easier to just display that, rather than all the stores in your second step?

    There's also a typo in the "grep" line, where you have two "-ie" arguments together, and then two parameters together, rather than alternating.

    So to just show the TRUSTED_ROOTS store, and with the grep fixes, I used:

    STORE="TRUSTED_ROOTS" ;  echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

    (the "echo" is obviously not that useful any more)

    Also, is it possible to get the system to prompt for the password in the "unpublish" command, rather than having to include it in clear text on the command line?



  • 11.  RE: Cleanup old trusted root certificates from PSC

    Posted Nov 03, 2022 12:14 AM

    Thanks so much! I had to tweak your for-loop to get it to work on vCenter 8:

    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
      echo "[*] Store :" $store;
      /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | egrep -i "Alias|Subject:|Issuer:";
    done
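Added example (not code from any post above): the listing step in posts 9 to 11 greps Alias, Subject and Issuer out of `vecs-cli entry list --text`; this script parses that output for every store, walks each certificate's issuer chain upward through TRUSTED_ROOTS, and returns the root aliases nothing in another store chains to, which are the candidates for the getcert / unpublish / CRL-delete steps in post 9. The sample listing is constructed and reduced to those three lines per entry (the real output is a full x509 text dump); the store names and the assumption that every store except TRUSTED_ROOTS represents certificates in use are mine, not the thread's.

```python
import re

FIELD = re.compile(r"^\s*(Alias|Subject|Issuer)\s*:\s*(.*?)\s*$")

# Constructed sample of `vecs-cli entry list --store <store> --text`, cut down to the
# Alias/Subject/Issuer lines the thread greps for (the real output is a full x509 dump).
SAMPLE = {
    "TRUSTED_ROOTS": """\
Alias :\taaaa1111
        Issuer: CN=CA, DC=vsphere, DC=local
        Subject: CN=CA, DC=vsphere, DC=local
Alias :\tbbbb2222
        Issuer: CN=CA, DC=vsphere, DC=local
        Subject: CN=Intermediate, DC=vsphere, DC=local
Alias :\tcccc3333
        Issuer: CN=CA-old, DC=vsphere, DC=local
        Subject: CN=CA-old, DC=vsphere, DC=local
""",
    "MACHINE_SSL_CERT": """\
Alias :\t__MACHINE_CERT
        Issuer: CN=Intermediate, DC=vsphere, DC=local
        Subject: CN=vcsa.example.test
""",
}

def parse_entries(text):
    """One dict (Alias, Subject, Issuer) per entry in a store's --text listing."""
    entries, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Alias":
            cur = {"Alias": m.group(2)}
            entries.append(cur)
        elif m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return entries

def unused_roots(stores):
    """TRUSTED_ROOTS aliases that no certificate in another store chains up to."""
    roots = parse_entries(stores["TRUSTED_ROOTS"])
    # Assumption: every store other than TRUSTED_ROOTS holds certificates that are in use.
    in_use = {e["Issuer"] for s, t in stores.items() if s != "TRUSTED_ROOTS" for e in parse_entries(t)}
    while True:  # walk chains upward: the issuer of an in-use root is itself in use
        new = {e["Issuer"] for e in roots if e["Subject"] in in_use} - in_use
        if not new:
            return [e["Alias"] for e in roots if e["Subject"] not in in_use]
        in_use |= new
```

On a real node, feed it the `--text` output of each store instead of SAMPLE and review the returned aliases by hand before exporting and unpublishing anything.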