**The “Invisible” Expired Certificate in vCenter — And Why You Can’t See It in Certificate Management**

February 18, 2026 · 4 min read

Tags: VMware, vCenter, Certificates, Security
You’re getting this alert in vCenter:

> Certificate “OU=mID-…, CN=data-encipherment” from “data-encipherment” expires on 2023-09-22
> But it’s not visible in Certificate Management — and everything there shows as valid

That’s actually a big clue. This is almost certainly **not** one of the standard Machine SSL or Solution User certificates you manage in the UI. It’s a **VMware internal data-encipherment certificate** stored inside VECS (VMware Endpoint Certificate Store).

That’s why you don’t see it in:

- Administration → Certificate Management
- Machine SSL
- Solution Users

It lives somewhere else.

---

# What “data-encipherment” Usually Means

That CN is typically associated with:

- vSphere VM encryption
- vSAN encryption
- KMS integration
- Internal encryption services
- vCenter internal trust components

These certs are often:

- Automatically generated
- Not user-facing
- Stored in VECS stores like `DATA_ENCIPHERMENT`

And sometimes:

- They expire
- Get replaced
- But the old one lingers and triggers alarms

Classic vCenter behavior.

---

# Step 1: SSH Into the VCSA

```
ssh root@your-vcenter
```

Enable Bash (the `shell` command switches you from the appliance shell to bash):

```
shell
```

---

# Step 2: List All VECS Stores

```
/usr/lib/vmware-vmafd/bin/vecs-cli store list
```

You’re looking for something like:

- MACHINE_SSL_CERT
- TRUSTED_ROOTS
- data-encipherment
- DATA_ENCIPHERMENT

If you see a store named `data-encipherment` or similar, that’s your target.
---

# Step 3: List Certificates in That Store

Example:

```
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text
```

That should show, for each entry:

- Alias
- Not After date
- Subject

Find the expired one matching:

```
CN=data-encipherment
```

---

# Step 4: Remove the Expired Certificate

If it’s clearly expired and not the active one:

```
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store DATA_ENCIPHERMENT --alias <alias_name>
```

Be careful:

- Do NOT delete the currently valid cert
- Only delete the expired duplicate

---

# Step 5: Restart Certificate Services

After cleanup:

```
service-control --restart vmcad
service-control --restart vpxd
```

Or if you prefer:

```
service-control --stop --all
service-control --start --all
```

---

# Why It Doesn’t Show in the UI

The Certificate Management UI only shows:

- Machine SSL
- Solution Users
- Trusted Roots

It does NOT show:

- Internal encryption stores
- Some legacy stores
- Certain VECS entries

That’s why it feels invisible.

---

# Important: Before Deleting

If you are using:

- vSphere VM Encryption
- vSAN Encryption
- External KMS

Double-check with:

```
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text
```

Make sure:

- There is a newer valid cert present
- You are not deleting the only cert in that store

If you only see one expired cert and no replacement, you may need to regenerate instead of delete.

---

# If You Want to Be Extra Safe

Take a VECS backup first:

```
mkdir /root/vecs_backup
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text > /root/vecs_backup/data_enc.txt
```

Keep in mind that this text dump is a record of what was in the store (aliases, subjects, dates, certificate text), not something you can re-import to restore a deleted entry. Or, better, snapshot the VCSA before making changes so you have a real rollback.

---

# 90% Likely Scenario

What usually happened:

1. vCenter auto-renewed the encryption cert
2. The old one expired
3. The expired entry didn’t auto-clean
4. Alarm stuck around

Removing the expired entry clears the alert.

---
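As an added example (not part of the original post), here is a small POSIX shell helper that applies the pre-deletion check from Steps 3 and 4 mechanically: it classifies each entry of a `vecs-cli entry list --text` listing as expired or valid by its Not After date, and only recommends `delete` for an expired alias when a valid entry remains in the store, otherwise `regenerate`. The listing embedded below is constructed to mimic the openssl-style text output (placeholder aliases and OU); the exact layout of real `vecs-cli --text` output is an assumption.

```shell
# Added example (not from the original post): classify VECS store entries by
# Not After date and decide whether an expired entry may be deleted safely.
# Input mimics `vecs-cli entry list --store <STORE> --text`; SAMPLE_LISTING is
# CONSTRUCTED (placeholder aliases/OU) and the exact real layout is assumed.
# Real use from the VCSA bash shell (assumption):
#   vecs-cli entry list --store DATA_ENCIPHERMENT --text | decide_store "$(date -u +%Y%m%d)"

SAMPLE_LISTING='Number of entries in store : 2
Alias : data-encipherment
Certificate:
        Subject: OU=mID-EXAMPLE, CN=data-encipherment
        Not Before: Sep 22 10:00:00 2021 GMT
        Not After : Sep 22 10:00:00 2023 GMT
Alias : data-encipherment-1
Certificate:
        Subject: OU=mID-EXAMPLE, CN=data-encipherment
        Not Before: Sep 20 10:00:00 2025 GMT
        Not After : Sep 20 10:00:00 2027 GMT'

# classify_entries YYYYMMDD  (reads a listing on stdin)
# Prints one line per entry: "<alias> <expired|valid> <not-after as YYYYMMDD>".
# Day granularity is enough for an expiry check, so no `date -d` dependency.
classify_entries() {
  awk -v today="$1" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i }
    /^Alias[ \t]*:/ { sub(/^Alias[ \t]*:[ \t]*/, ""); alias = $0 }
    /Not After[ \t]*:/ {
      # openssl-style date "Not After : Sep 22 10:00:00 2023 GMT" -> 20230922
      ymd = sprintf("%04d%02d%02d", $(NF-1), mon[$(NF-4)], $(NF-3))
      state = (ymd + 0 < today + 0) ? "expired" : "valid"
      print alias, state, ymd
    }'
}

# decide_store YYYYMMDD  (reads a listing on stdin)
# Prints "delete <alias>" per expired entry only if a valid entry remains,
# "regenerate" when every entry is expired, "nothing-to-do" otherwise.
decide_store() {
  classify_entries "$1" | awk '
    $2 == "expired" { expired[++ne] = $1 }
    $2 == "valid"   { nv++ }
    END {
      if (ne == 0)      print "nothing-to-do"
      else if (nv == 0) print "regenerate"
      else for (i = 1; i <= ne; i++) print "delete", expired[i]
    }'
}

printf '%s\n' "$SAMPLE_LISTING" | decide_store 20260218   # prints: delete data-encipherment
```

The alias it prints is the one you would pass to `vecs-cli entry delete --alias`; a `regenerate` verdict means the store holds no valid replacement and deleting would leave it empty.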