How to manually update data-encipherment certificate

Article ID: 318220


Products

VMware vCenter Server

Issue/Introduction

This article describes how to create a new data-encipherment cert and upload it to VECS from the command line.


Symptoms:

The vCenter UI shows the alarm "Certificate Status".
The alarm description shows that the data-encipherment cert has expired.


Environment

VMware vCenter Server 8.0.0

Cause

The data-encipherment cert is valid for 10 years. It can be renewed automatically during a vCenter Server upgrade; customers can also extend the validity period by following this KB.

The validity of the data-encipherment cert can be checked with the following command:
   /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store data-encipherment --alias data-encipherment --text

Resolution

This solution only applies to vSphere 8.0 and later.

1. SSH to the vCenter server and create a folder named certs in root.
   mkdir /certs

2. Retrieve the data-encipherment key from VECS
   /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store data-encipherment --alias data-encipherment --output /certs/data-encipherment.key

3. Create a new data-encipherment cert
   /usr/lib/vmware-vmca/bin/certool --server=[vCenterServerFQDN] --genCIScert --dataencipherment --privkey=/certs/data-encipherment.key --cert=/certs/data-encipherment.crt --Name=data-encipherment --FQDN=[vCenterServerFQDN]

4. Delete the old data-encipherment entry in VECS
   /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store data-encipherment --alias data-encipherment

5. Add the new data-encipherment cert into VECS
   /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store data-encipherment --alias data-encipherment --cert /certs/data-encipherment.crt --key /certs/data-encipherment.key

6. Check the data-encipherment cert in VECS; the validity period should now be extended.
   /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store data-encipherment --alias data-encipherment --text

7. Restart the vpxd service to load the new cert.

   If there are any Windows Customization Specifications in VCDB, run "/usr/sbin/vpxd -g" to refresh them.
   Otherwise, when one of them is used to customize a Windows VM, the new cert can cause the error
   "The public key in the specification does not match the vCenter public key. You have to reenter the
   password in order to proceed." In that case restart vpxd as follows:

   service-control --stop vpxd
   /usr/sbin/vpxd -g
   service-control --start vpxd

   If there is no existing Windows Customization Specification, just restart the vpxd service:
   service-control --restart vpxd
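The checks an administrator wants at step 6, written as an added example (this is not VMware code and not part of the KB): it parses the openssl-style text that "vecs-cli entry getcert --text" prints, reports how many days of validity remain, and confirms that the re-issued cert still carries the public key of the private key retained in step 2 by comparing the RSA modulus of the old and new cert text. The certificate texts and the reference time NOW below are constructed samples, not real vCenter output; on a live system, feed the function the output of the getcert command from the Cause section.

```python
"""Offline checker for the data-encipherment certificate text printed by
`vecs-cli entry getcert --store data-encipherment --alias data-encipherment --text`.
Added example; sample certificate texts are constructed, not real vCenter output.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the expired cert as found before the rotation.
OLD_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12345 (0x3039)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, O=vcenter.example.com, OU=VMware Engineering
        Validity
            Not Before: Apr  1 10:00:00 2014 GMT
            Not After : Mar 27 10:00:00 2024 GMT
        Subject: CN=data-encipherment, C=US, O=vcenter.example.com, OU=VMware Engineering
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c4:1f:2a:9b:77:3e:51:08:d2:aa:6f:13:c0:5e:
                    84:19:fb:26:71:b8:4d:0c:e7:33:95:2f:60:ad:1b:
                    c9:42:8e:05
                Exponent: 65537 (0x10001)
"""

# Constructed sample: the cert re-issued with certool on the same private key.
NEW_CERT_TEXT = OLD_CERT_TEXT.replace(
    "Not Before: Apr  1 10:00:00 2014 GMT", "Not Before: Apr  2 10:00:00 2024 GMT"
).replace(
    "Not After : Mar 27 10:00:00 2024 GMT", "Not After : Apr  2 10:00:00 2034 GMT"
)

# Constructed reference time for the worked example (the day of the rotation).
NOW = datetime(2024, 4, 2, 10, 0, 0, tzinfo=timezone.utc)


def _parse_utc(stamp):
    # openssl prints e.g. "Mar 27 10:00:00 2024 GMT"; drop the zone word, treat as UTC.
    fields = stamp.split()
    naive = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_validity(cert_text):
    """Return (not_before, not_after) as timezone-aware datetimes."""
    not_before = re.search(r"Not Before:\s*(.+)", cert_text).group(1).strip()
    not_after = re.search(r"Not After\s*:\s*(.+)", cert_text).group(1).strip()
    return _parse_utc(not_before), _parse_utc(not_after)


def days_remaining(cert_text, now=None):
    """Whole days until Not After; negative once the cert has expired."""
    now = now or datetime.now(timezone.utc)
    _, not_after = parse_validity(cert_text)
    return (not_after - now).days


def certificate_status(cert_text, now=None, warn_days=90):
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    days = days_remaining(cert_text, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def public_key_modulus(cert_text):
    """Collect the colon-separated hex lines between 'Modulus:' and 'Exponent:'."""
    hex_parts, capture = [], False
    for line in cert_text.splitlines():
        s = line.strip()
        if s.startswith("Modulus:"):
            capture = True
            continue
        if capture:
            if s.startswith("Exponent:"):
                break
            hex_parts.append(s.replace(":", ""))
    return "".join(hex_parts).lower()


def same_public_key(old_cert_text, new_cert_text):
    """True when both certs embed the same RSA modulus, i.e. the same key pair."""
    return public_key_modulus(old_cert_text) == public_key_modulus(new_cert_text)


def check_rotation(old_cert_text, new_cert_text, now=None):
    """Summarise what step 6 should confirm after the new entry is created."""
    subject = re.search(r"Subject:\s*(.+)", new_cert_text).group(1)
    return {
        "old_status": certificate_status(old_cert_text, now),
        "new_status": certificate_status(new_cert_text, now),
        "new_days_remaining": days_remaining(new_cert_text, now),
        "key_retained": same_public_key(old_cert_text, new_cert_text),
        "subject_ok": "CN=data-encipherment" in subject,
    }


if __name__ == "__main__":
    for key, value in check_rotation(OLD_CERT_TEXT, NEW_CERT_TEXT, NOW).items():
        print(f"{key}: {value}")
```

If key_retained comes back False, the new VECS entry was not built from the key exported in step 2, and step 3 should be repeated with the correct --privkey before anything encrypted under the old cert is relied on.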


Additional Information

Impact/Risks:

This operation restarts the vpxd service, so take the following backups before proceeding.

  • Please always take a snapshot of the VCSA prior to proceeding with this method.
  • If using Enhanced Linked Mode, ensure that all Platform Services Controllers in the federated environment are shut down, and take a snapshot of all of them while they are powered off.
  • They should be powered down to ensure that no replication takes place partially during the snapshot operation. Power on all the PSCs when the snapshot operation is complete.
  • Also take snapshots of the vCenter systems while they are powered off.
  • Snapshot revert (If required to recover from damage) should happen on all the nodes to the same powered off snapshot state to ensure replication data consistency.