Let’s find expired SSL certificates in vCenter and ESXi 6.x and 7.x

If you have trouble signing in to your environment or some services fail to start, a likely root cause is an expired SSL certificate. vCenter has a number of certificates, and in this article I will show you how to determine which certificate has expired.

The first certificate to check is the Sign-on Token Signing (STS) certificate. I wrote a step-by-step article on how to deal with the STS certificate: -> How to check if the STS certificate is about to expire or has expired already.

Next, let’s check the vCenter Server Appliance certificates by running this command on the appliance (it walks every VECS store and prints the alias and the Not After date of each entry):

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

For vCenter on Windows, run the following command in PowerShell from the vCenter VM console, an RDP session, or the physical server:

$VCInstallHome = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CIS_HOME%");foreach ($STORE in & "$VCInstallHome\vmafdd\vecs-cli" store list){Write-Host STORE: $STORE;& "$VCInstallHome\vmafdd\vecs-cli" entry list --store $STORE --text | findstr /C:"Alias" /C:"Not After"}
Source: https://kb.vmware.com/s/article/2015600

From the list of certificates you can see which one has expired: compare the Not After date of each entry with the current date.


For the ESXi host certificate expiration date, you need to:

  • SSH to the ESXi host
  • Run this command:
openssl x509 -noout -in /etc/vmware/ssl/rui.crt -enddate
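Reading the Not After dates by eye works for a handful of entries, but it is easy to miss one. The script below is an added example, not code from the original article: it parses the "Alias" / "Not After" lines printed by the vecs-cli loop above and the "notAfter=" line printed by the ESXi openssl command, then classifies every certificate as EXPIRED, EXPIRING (within a configurable number of days) or OK. It assumes GNU date (present on the vCenter appliance and on any Linux admin host); the sample output embedded in it is constructed and is not real vCenter data.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): classify certificate
# expiry dates from the vecs-cli loop output and the ESXi openssl output.
# Assumes GNU date for "date -d"; run it on the vCenter appliance or a
# Linux admin host, pasting in the output collected from ESXi.

# Constructed sample resembling the vecs-cli loop output (not real data).
SAMPLE_OUTPUT='[*] Store : MACHINE_SSL_CERT
Alias :	__MACHINE_CERT
            Not After : Jun 12 10:00:00 2023 GMT
[*] Store : TRUSTED_ROOTS
Alias :	0123456789abcdef0123456789abcdef01234567
            Not After : Jan  1 00:00:00 2031 GMT
[*] Store : machine
Alias :	machine
            Not After : Aug 20 12:30:00 2024 GMT
'

# Usage: check_cert_expiry <now_epoch_seconds> [warn_days]   (reads stdin)
# Prints one line per certificate:  STATUS STORE ALIAS NOT_AFTER
# Returns 1 if at least one certificate is already expired, otherwise 0.
check_cert_expiry() {
    local now_epoch="$1" warn_days="${2:-30}"
    local warn_secs=$((warn_days * 86400))
    local store="" cert_alias="" line when exp_epoch rc=0
    while IFS= read -r line; do
        case "$line" in
            "[*] Store :"*)
                store="${line#*: }"                # text after "[*] Store : "
                continue ;;
            *"Alias :"*)
                cert_alias="${line#*Alias :}"
                # trim the leading tab/spaces that vecs-cli prints after "Alias :"
                cert_alias="${cert_alias#"${cert_alias%%[![:space:]]*}"}"
                continue ;;
            *"Not After :"*)
                when="${line#*Not After : }" ;;    # vecs-cli --text style
            notAfter=*)
                when="${line#notAfter=}" ;;        # openssl -enddate style (ESXi rui.crt)
            *)  continue ;;
        esac
        # Convert the openssl-style date to epoch seconds with GNU date.
        if ! exp_epoch=$(date -u -d "$when" +%s 2>/dev/null); then
            echo "UNPARSED ${store:--} ${cert_alias:--} $when"
            continue
        fi
        if [ "$exp_epoch" -le "$now_epoch" ]; then
            echo "EXPIRED ${store:--} ${cert_alias:--} $when"
            rc=1
        elif [ $((exp_epoch - now_epoch)) -le "$warn_secs" ]; then
            echo "EXPIRING ${store:--} ${cert_alias:--} $when"
        else
            echo "OK ${store:--} ${cert_alias:--} $when"
        fi
    done
    return "$rc"
}

# Demo against the constructed sample, using the current time and a 30-day warning.
printf '%s' "$SAMPLE_OUTPUT" | check_cert_expiry "$(date -u +%s)" 30 \
    || echo "At least one certificate has already expired."
```

On a real appliance you would pipe the vecs-cli loop from above straight into the function (`... done | check_cert_expiry "$(date -u +%s)" 30`), and the ESXi `notAfter=` line can be pasted in the same way. Because the function takes the reference time as a parameter, the same check can be scheduled with a larger warning window so an expiry is caught before sign-in or services break.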

Please like and share to spread the knowledge in the community.

If you want to chat with me please use Twitter: @AngrySysOps

Join my VMware Knowledge Base Group: https://bit.ly/3w54tbc

Visit my FB page: https://www.facebook.com/AngrySysOps

Subscribe to my channel: https://bit.ly/3vY16CT

Please leave a comment.