Note: There might be certain situations where there are still older entries in TRUSTED_ROOTS that do not contain the certificate option "X509v3 Subject Key Identifier". The best way to deal with this scenario is to compare the CN(id) information of the other entries provided by dir-cli with the Subject Key Identifiers of those entries in TRUSTED_ROOTS which actually have them. Once these have been identified, you can compare the subject information of the remaining CN(id)s with the "Subject" field of the certificate in the VECS TRUSTED_ROOTS store to identify which one matches the certificate you want to remove from the store.
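As an added, constructed illustration of the matching procedure in the note above (this script is not part of the KB and is not a VMware tool), the Python below parses the text output of `dir-cli trustedcert list` and `vecs-cli entry list --store TRUSTED_ROOTS --text`, matches each CN(id) to a VECS alias by Subject Key Identifier first, and falls back to a Subject comparison only for the entries that lack the extension. The sample outputs are constructed and their exact layout is an assumption; check them against your own appliance before trusting the parser. Where a Subject matches more than one remaining store entry (for example an old root and a renewed root that share a subject), the script reports the match as ambiguous rather than guessing, which is the case where a wrong removal would do the most damage.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `dir-cli trustedcert list` output. The layout
# (a CN(id) line followed by a Subject line) is an assumption for this example.
DIR_CLI_OUTPUT = """\
Number of certificates:    3
#1: CN(id): 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D
    Subject: CN=CA, DC=vsphere, DC=local
#2: CN(id): 1122334455667788990011223344556677889900
    Subject: CN=Legacy Root CA, O=Example Corp
#3: CN(id): ABCDEF0123456789ABCDEF0123456789ABCDEF01
    Subject: CN=Old Root, O=Example Corp
"""

# Constructed sample of `vecs-cli entry list --store TRUSTED_ROOTS --text`,
# trimmed to the lines this example needs. Only the first entry carries the
# "X509v3 Subject Key Identifier" extension; the others are older entries.
VECS_OUTPUT = """\
Number of entries in store :    4
Alias :    0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d
Entry type :    Trusted Cert
Certificate:
    Data:
        Subject: CN = CA, DC = vsphere, DC = local
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D
Alias :    legacy-root-7f3a
Entry type :    Trusted Cert
Certificate:
    Data:
        Subject: CN = Legacy Root CA, O = Example Corp
Alias :    old-root-2015
Entry type :    Trusted Cert
Certificate:
    Data:
        Subject: CN = Old Root, O = Example Corp
Alias :    old-root-2020
Entry type :    Trusted Cert
Certificate:
    Data:
        Subject: CN = Old Root, O = Example Corp
"""


def _norm_hex(value: str) -> str:
    """Lower-case and drop colons so a CN(id) and an SKI compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def _norm_subject(value: str) -> str:
    """Normalise 'CN = x, O = y' and 'CN=x, O=y' to one spelling."""
    rdns = [rdn.split("=", 1) for rdn in value.split(",")]
    return ",".join("=".join(p.strip() for p in rdn) for rdn in rdns)


def parse_dir_cli(text: str) -> List[Dict[str, str]]:
    """Return [{'cn_id': ..., 'subject': ...}] from dir-cli text (assumed layout)."""
    pattern = r"CN\(id\):\s*([0-9A-Fa-f]+)\s*\n\s*Subject:\s*(.+)"
    return [{"cn_id": _norm_hex(m.group(1)), "subject": _norm_subject(m.group(2))}
            for m in re.finditer(pattern, text)]


def parse_vecs(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per 'Alias :' block: alias, subject and SKI (None if absent)."""
    entries = []
    for block in re.split(r"^Alias :\s*", text, flags=re.M)[1:]:
        alias = block.splitlines()[0].strip()
        subj = re.search(r"^\s*Subject:\s*(.+)$", block, re.M)
        ski = re.search(r"Subject Key Identifier:\s*\n\s*([0-9A-Fa-f:]+)", block)
        entries.append({"alias": alias,
                        "subject": _norm_subject(subj.group(1)) if subj else None,
                        "ski": _norm_hex(ski.group(1)) if ski else None})
    return entries


def match_entries(dir_entries, vecs_entries) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each CN(id) to a VECS alias: by SKI first, then by Subject for the rest.

    A Subject that fits more than one unclaimed store entry is reported as
    'ambiguous' with alias None; the operator must resolve it by hand.
    """
    result, claimed, remaining = {}, set(), []
    by_ski = {e["ski"]: e for e in vecs_entries if e["ski"]}
    for d in dir_entries:
        hit = by_ski.get(d["cn_id"])
        if hit:
            result[d["cn_id"]] = {"alias": hit["alias"], "matched_by": "ski"}
            claimed.add(hit["alias"])
        else:
            remaining.append(d)
    for d in remaining:
        cands = [v for v in vecs_entries
                 if v["alias"] not in claimed and v["subject"] == d["subject"]]
        if len(cands) == 1:
            result[d["cn_id"]] = {"alias": cands[0]["alias"], "matched_by": "subject"}
            claimed.add(cands[0]["alias"])
        else:
            result[d["cn_id"]] = {"alias": None,
                                  "matched_by": "ambiguous" if cands else "none"}
    return result


if __name__ == "__main__":
    for cn_id, info in match_entries(parse_dir_cli(DIR_CLI_OUTPUT),
                                     parse_vecs(VECS_OUTPUT)).items():
        print(f"CN(id) {cn_id} -> alias {info['alias']} ({info['matched_by']})")
```

Run it against the real command outputs by replacing the two constants with the captured text; any entry reported as `ambiguous` or `none` must be resolved manually before anything is un-published or removed.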
Refer to KB CertificateStatusAlarm - There are certificates that expired or about to expire / Certificate Status Change Alarm Triggered on VMware vCenter Server for more information on removing expired certificates from other certificate stores.
Impact/Risks:
WARNING:
- Proceed with EXTREME CAUTION. If the wrong Certificate is un-published and removed from VECS, this can damage the environment which can be irreparable.
- Be absolutely certain that the Certificate you are removing is the correct Certificate to remove.
- Validate that the root certificate which is about to expire has been renewed, and that all certificates issued from this root certificate have also been renewed/replaced, before un-publishing.
Mandatory precaution:
- Ensure that all Platform Services Controllers in the federated environment are shut down and take a snapshot of all of them while they are powered off. They should be powered down so that no replication takes place partially during the snapshot operation. Power on all the PSCs when the snapshot operation is complete. Also, take snapshots of the vCenter Server systems while they are powered off.
- Snapshot revert (If required to recover from a damage) should happen on all the nodes to the same powered off snapshot state to ensure replication data consistency.