I have a customer that has had to reset their certificates a few times for unknown reasons using the certificate-manager utility. The problem is that the PSC certificate manager web interface and the zip file used to install them on users' PCs still contain all the old, unused ones.
Is it possible to clean this up? When you click delete in the PSC web interface, they just come right back.
Managing Certificates with the Platform Services Controller Web Interface and Reset All Certificates might be of help to you.
Hi,
That didn't help. I am looking for a much simpler solution. I used the web UI and vecs-cli to delete old certs from the trusted store but was unable to. The certs come back as soon as you delete them. Please help.
Regards,
Farooq Ahmed
Farooq Ahmed
I have the same problem!
Did you manage to resolve the issue?
I rebuilt the vCenter, not because of this problem, but for other reasons.
I still would like to know how to clean the certs up in case I run into this in the future though!
KB to clean up trusted root store certificates. Please be careful and keep copies of the certificates in different locations as a safety precaution.
Thanks,
MS
I tried all of the steps listed to no avail. Finally I opened a case with VMware and they walked me through using certool to export the certificates, then running a script that revokes all the expired certificates. This is not officially supported by VMware yet, so try at your own risk. See: Error: Revoke expired certificates from VMware VCSA with Embedded PSC
To remove the old Certificates from the Trusted Root you may want to follow the next steps:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store;\
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie -ie "Alias" "Subject" -ie "Issuer"; \
done;
# Export the certificate to remove, using the alias shown in the TRUSTED_ROOTS listing
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias "alias from the vecs entry" --output /tmp/"filename"
# Unpublish it from the directory first, so it is not synced back into VECS after the delete
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert <file> --login <admin_user_id> --password <admin_password>
# Delete the entry from the same store it was exported from, then refresh VECS
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS -y --alias "alias from the vecs entry"
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
If the only interesting store is TRUSTED_ROOTS, wouldn't it be easier to just display that, rather than all the stores in your second step?
There's also a typo in the "grep" line, where you have two "-ie" arguments together, and then two parameters together, rather than alternating.
So to just show the TRUSTED_ROOTS store, and with the grep fixes, I used:
STORE="TRUSTED_ROOTS" ; echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"
(the "echo" is obviously not that useful any more)
Also, is it possible to get the system to prompt for the password in the "unpublish" command, rather than having to include it in clear text on the command line?
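As an added helper (not from this thread or from VMware), the following script turns the manual procedure above into a reviewable dry run: it parses the `vecs-cli entry list --store TRUSTED_ROOTS --text` output, picks out entries whose "Not After" date has passed, and prints the export/unpublish/delete commands for them. It assumes the listing format shown in the constructed sample, that `/tmp` is an acceptable export location, and that dir-cli prompts for the password when `--password` is omitted, which answers the clear-text password question.

```python
# Hypothetical helper: find expired TRUSTED_ROOTS entries in the output of
# `vecs-cli entry list --store TRUSTED_ROOTS --text` and print the cleanup
# commands for review rather than deleting anything directly.
import re
from datetime import datetime, timezone

VECS = "/usr/lib/vmware-vmafd/bin/vecs-cli"
DIRCLI = "/usr/lib/vmware-vmafd/bin/dir-cli"

# Constructed sample listing, trimmed to the fields this helper reads:
# two roots, one expired in 2020 and one still valid.
SAMPLE_LISTING = """\
Alias : 1a2b3c4d5e6f
            Not After : Jan  1 00:00:00 2020 GMT
        Subject: CN=CA, DC=vsphere, DC=local
Alias : 6f5e4d3c2b1a
            Not After : Jan  1 00:00:00 2032 GMT
        Subject: CN=CA, DC=vsphere, DC=local
"""

def parse_listing(text):
    """Return [(alias, subject, not_after)] for every entry in the listing."""
    entries = []
    for block in re.split(r"(?m)^Alias : ", text)[1:]:
        alias = block.splitlines()[0].strip()
        subject = re.search(r"Subject: (.+)", block).group(1).strip()
        expiry = re.search(r"Not After : (.+)", block).group(1).strip()
        not_after = datetime.strptime(expiry, "%b %d %H:%M:%S %Y %Z")
        entries.append((alias, subject, not_after.replace(tzinfo=timezone.utc)))
    return entries

def expired_aliases(entries, now=None):
    """Aliases whose certificate 'Not After' is already in the past."""
    now = now or datetime.now(timezone.utc)
    return [alias for alias, _, not_after in entries if not_after < now]

def cleanup_commands(entries, now=None, login="administrator@vsphere.local"):
    """Export, unpublish and delete each expired root, then refresh VECS.
    --password is omitted on purpose so dir-cli prompts for it interactively."""
    cmds = []
    for alias in expired_aliases(entries, now):
        crt = f"/tmp/{alias}.crt"
        cmds.append(f"{VECS} entry getcert --store TRUSTED_ROOTS --alias {alias} --output {crt}")
        cmds.append(f"{DIRCLI} trustedcert unpublish --cert {crt} --login {login}")
        cmds.append(f"{VECS} entry delete --store TRUSTED_ROOTS -y --alias {alias}")
    if cmds:
        cmds.append(f"{VECS} force-refresh")
    return cmds

if __name__ == "__main__":
    for cmd in cleanup_commands(parse_listing(SAMPLE_LISTING)):
        print(cmd)
```

Feed it the real listing (e.g. via `parse_listing(open("roots.txt").read())`) and check the printed plan against the subjects before running anything.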
Thanks so much! I had to tweak your for-loop to get it to work on vCenter 8:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
echo "[*] Store :" $store;
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | egrep -i "Alias|Subject:|Issuer:";
done