If you cannot sign in to your environment or some services cannot start, the most likely root cause is an expired SSL certificate. vCenter has a number of certificates, and in this article I will show you how to determine which certificate has expired.
The first certificate to check is Sign-on Token Signing (STS). I wrote a step-by-step article on how to deal with the STS certificate: How to check if STS certificate is about to expire or expired already.
Next, let’s check the vCenter appliance certificate by running this command:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
For vCenter on Windows, run the following command in PowerShell from the vCenter VM console, an RDP session, or the physical device:
$VCInstallHome = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CIS_HOME%");foreach ($STORE in & "$VCInstallHome\vmafdd\vecs-cli" store list){Write-host STORE: $STORE;& "$VCInstallHome\vmafdd\vecs-cli" entry list --store $STORE --text | findstr /C:"Alias" /C:"Not After"}
In the list of certificates, the "Not After" date of each entry shows which one has expired.
To check the ESXi certificate expiration, you need to:
- SSH to the ESXi host
- Run this command:
openssl x509 -noout -in /etc/vmware/ssl/rui.crt -enddate
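To avoid reading the dates by eye, the output of the commands above can be piped into a small parser that flags expired and soon-to-expire entries. This is an added example, not part of the original article or any VMware tooling; the line shapes it matches, the `warn_days` threshold and the sample data are assumptions.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Assumed line shapes: "[*] Store : NAME" or "STORE: NAME", "Alias : NAME",
# "Not After : <date> GMT" (vecs-cli --text), "notAfter=<date> GMT" (openssl -enddate).
STORE = re.compile(r"^(?:\[\*\] )?Store\s*:\s*(\S+)", re.I)
ALIAS = re.compile(r"^\s*Alias\s*:\s*(.+?)\s*$")
NOT_AFTER = re.compile(r"not\s*after\s*[:=]\s*(.+?)\s*$", re.I)


def parse_expiry(text):
    # OpenSSL pads single-digit days with a second space; split() removes it.
    fields = text.replace("GMT", "").split()
    parsed = datetime.strptime(" ".join(fields), "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def classify(lines, now=None, warn_days=30):
    """Return (store, alias, expiry, status) for each certificate found."""
    now = now or datetime.now(timezone.utc)
    store, alias, results = "-", "-", []
    for line in lines:
        s, a, n = STORE.match(line), ALIAS.match(line), NOT_AFTER.search(line)
        if s:
            store, alias = s.group(1), "-"  # new store: forget the last alias
        elif a:
            alias = a.group(1)
        elif n:
            expiry = parse_expiry(n.group(1))
            soon = expiry - now <= timedelta(days=warn_days)
            status = "EXPIRED" if expiry <= now else "EXPIRING" if soon else "OK"
            results.append((store, alias, expiry, status))
    return results


# Constructed sample, not output captured from a real vCenter.
SAMPLE = """[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Sep 21 14:04:19 2022 GMT
[*] Store : TRUSTED_ROOTS
Alias : example-root-a
            Not After : Jan  9 08:00:00 2023 GMT
"""

if __name__ == "__main__":
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for store, alias, expiry, status in classify(lines):
        print("%-8s %-18s %-18s %s" % (status, store, alias, expiry.date()))
```

Entries reported as EXPIRING are still valid but fall inside the warning window, which is the point at which to schedule a renewal before logins or services start failing.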
If you want to chat with me please use Twitter: @AngrySysOps