VMware vSphere


 Find vCSA Certificates NOT USED

Roger Haines posted Oct 29, 2024 04:34 PM

I'm following the KB referenced below. In order to do some housekeeping on TRUSTED ROOT certificates I need to be able to determine which certificates are NOT in use. Does anyone know how to do this?

Note: There could be several certificates to remove. Any expired and not in use certificates should be removed to avoid certificate related alarms.

Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store(VECS)

Resolution: To un-publish expired/expiring certificates from the TRUSTED_ROOTS VECS store, list the certificates using vecs-cli. On a vCenter Server Appliance the path is /usr/lib/vmware-vmafd/bin; on a Windows vCenter Server the path is C:\Program Files\VMware\vCenter Server\vmafdd. Run the following command: Find the certificate you wish to remove and make a note of the Alias and the X509v3 Subject Key Identifier.
Andrea Consalvi

Hi Roger,

To check which certificates are actually in use, you can list them using vecs-cli on your vCenter Server Appliance (VCSA). Try this:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text 

This will show all the certificates currently stored. Look for ones that are expired or don’t seem to be associated with any active services.

If you want to cross-check if a certificate is still in use, you can also check the machine SSL certificate in vCenter:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT

Compare the fingerprint with the ones in TRUSTED_ROOTS. If a cert is not in use and expired, it’s safe to remove it using:

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias <alias_name> 

Make sure to note down the alias of the certificate before deleting it.
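The following script is an added example, not part of Andrea's reply or of the Broadcom KB. It automates the comparison described in the thread: it walks the TRUSTED_ROOTS store, reads each CA's X509v3 Subject Key Identifier (the field the KB tells you to note), and checks whether any certificate in the other VECS stores (Machine SSL, solution users, STS and so on) names that CA as its issuer through the Authority Key Identifier. A CA whose SKI is referenced by a leaf, or by another CA that is itself in use, is reported IN-USE; everything else is UNUSED, and expiry is flagged separately. Assumptions: vecs-cli at its default appliance path (override with the VECS_CLI environment variable), openssl present on the appliance, and that BACKUP_STORE (which holds the previous Machine SSL certificate) should not count as "in use"; the store names skipped are the ones I know of, so review the list on your version.

```shell
#!/bin/sh
# Added example (not from the original post or Broadcom). Classifies every
# TRUSTED_ROOTS entry as IN-USE or UNUSED and valid or EXPIRED.
# "In use" here means: the CA's X509v3 Subject Key Identifier (SKI) matches the
# Authority Key Identifier (AKI) of a certificate in any other VECS store, or of
# a CA that is itself in use (so an intermediate keeps its root).
set -u

# Assumed default vecs-cli path on a vCenter Server Appliance; override with VECS_CLI=...
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"

# Aliases in one store, one per line (the "Alias : name" lines of 'entry list').
list_aliases() {
    "$VECS_CLI" entry list --store "$1" | sed -n 's/^Alias[[:space:]]*:[[:space:]]*//p'
}

# Print "<ski> <aki> <expired>" for store/alias; "-" when an extension is absent,
# expired is 1 when notAfter is in the past. Non-certificate entries fail and are skipped.
cert_facts() {
    pem=$("$VECS_CLI" entry getcert --store "$1" --alias "$2") || return 1
    txt=$(printf '%s\n' "$pem" | openssl x509 -noout -text) || return 1
    # The identifier sits on the line after the extension header; OpenSSL 1.1 prefixes the AKI with "keyid:".
    ski=$(printf '%s\n' "$txt" | awk '/X509v3 Subject Key Identifier/ {getline; gsub(/[[:space:]]/, ""); print; exit}')
    aki=$(printf '%s\n' "$txt" | awk '/X509v3 Authority Key Identifier/ {getline; gsub(/[[:space:]]|keyid:/, ""); print; exit}')
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then expired=0; else expired=1; fi
    printf '%s %s %s\n' "${ski:--}" "${aki:--}" "$expired"
}

# Pure step, runs anywhere: stdin carries one "alias ski aki expired" line per root,
# $1 is a space-separated list of leaf AKIs. Prints "alias IN-USE|UNUSED valid|EXPIRED".
classify_roots() {
    awk -v leaf="$1" '
    BEGIN {
        n = split(leaf, parts, " ")
        for (k = 1; k <= n; k++) if (parts[k] != "" && parts[k] != "-") used[parts[k]] = 1
    }
    { alias[NR] = $1; ski[NR] = $2; aki[NR] = $3; expired[NR] = $4 }
    END {
        # Walk chains upward: the issuer of an in-use CA is in use too (self-signed roots stop here).
        do {
            changed = 0
            for (i = 1; i <= NR; i++)
                if ((ski[i] in used) && aki[i] != "-" && aki[i] != ski[i] && !(aki[i] in used)) {
                    used[aki[i]] = 1; changed = 1
                }
        } while (changed)
        for (i = 1; i <= NR; i++)
            printf "%s %s %s\n", alias[i], (ski[i] in used) ? "IN-USE" : "UNUSED", expired[i] ? "EXPIRED" : "valid"
    }'
}

# AKIs of every certificate outside TRUSTED_ROOTS. BACKUP_STORE (previous Machine
# SSL certificate) and the CRL store are skipped so retired CAs are not counted.
collect_leaf_akis() {
    "$VECS_CLI" store list | while read -r store; do
        case "$store" in ""|TRUSTED_ROOTS|TRUSTED_ROOT_CRLS|BACKUP_STORE) continue ;; esac
        list_aliases "$store" | while read -r a; do
            cert_facts "$store" "$a" 2>/dev/null | awk '{print $2}'
        done
    done | sort -u
}

collect_root_facts() {
    list_aliases TRUSTED_ROOTS | while read -r a; do
        facts=$(cert_facts TRUSTED_ROOTS "$a" 2>/dev/null) && printf '%s %s\n' "$a" "$facts"
    done
}

main() {
    leaf=$(collect_leaf_akis | tr '\n' ' ')
    collect_root_facts | classify_roots "$leaf"
}

# Only query VECS when vecs-cli is present, i.e. when run on the appliance.
if [ -x "$VECS_CLI" ]; then
    main
fi
```

Run it as root on the VCSA and treat the output as a review list, not a delete list: only entries reported UNUSED are candidates for `vecs-cli entry delete --store TRUSTED_ROOTS --alias <alias>`, and an EXPIRED root that is still IN-USE points at a leaf certificate that needs replacing first.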