Newsletter

    Subscribe our newsletter

    Get new infrastructure guides, comparison reports, and migration notes in your inbox.

    Infrastructure notes, guides, and new tools. Unsubscribe anytime.

    Back to Blog
    VMware
    vCenter
    Certificates
    Security

    The Invisible Expired Certificate in vCenter - And Why You Can't See It in Certificate Management

    February 18, 2026
    4 min read read

    The “Invisible” Expired Certificate in vCenter — And Why You Can’t See It in Certificate Management

    You’re getting this alert in vCenter:

    Certificate “OU=mID-…, CN=data-encipherment” from “data-encipherment” expires on 2023-09-22 But it’s not visible in Certificate Management — and everything there shows as valid

    That’s actually a big clue.

    This is almost certainly not one of the standard Machine SSL or Solution User certificates you manage in the UI.

    It’s a VMware internal data-encipherment certificate stored inside VECS (VMware Endpoint Certificate Store).

    That’s why you don’t see it in:

    • Administration → Certificate Management
    • Machine SSL
    • Solution Users

    It lives somewhere else.


    What “data-encipherment” Usually Means

    That CN is typically associated with:

    • vSphere VM encryption
    • vSAN encryption
    • KMS integration
    • Internal encryption services
    • vCenter internal trust components

    These certs are often:

    • Automatically generated
    • Not user-facing
    • Stored in VECS stores like DATA_ENCIPHERMENT

    And sometimes:

    • They expire
    • Get replaced
    • But the old one lingers and triggers alarms

    Classic vCenter behavior.


    Step 1: SSH Into the VCSA

    ssh root@your-vcenter
    

    Enable Bash:

    shell
    

    Step 2: List All VECS Stores

    /usr/lib/vmware-vmafd/bin/vecs-cli store list
    

    You’re looking for something like:

    • MACHINE_SSL_CERT
    • TRUSTED_ROOTS
    • data-encipherment
    • DATA_ENCIPHERMENT

    If you see a store named data-encipherment or similar, that’s your target.


    Step 3: List Certificates in That Store

    Example:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text
    

    That should show:

    • Alias
    • Not After date
    • Subject

    Find the expired one matching:

    CN=data-encipherment
    

    Step 4: Remove the Expired Certificate

    If it’s clearly expired and not the active one:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store DATA_ENCIPHERMENT --alias <alias_name>
    

    Be careful:

    • Do NOT delete the currently valid cert
    • Only delete the expired duplicate

    Step 5: Restart Certificate Services

    After cleanup:

    service-control --restart vmcad
    service-control --restart vpxd
    

    Or if you prefer:

    service-control --stop --all
    service-control --start --all
    

    Why It Doesn’t Show in the UI

    The Certificate Management UI only shows:

    • Machine SSL
    • Solution Users
    • Trusted Roots

    It does NOT show:

    • Internal encryption stores
    • Some legacy stores
    • Certain VECS entries

    That’s why it feels invisible.


    Important: Before Deleting

    If you are using:

    • vSphere VM Encryption
    • vSAN Encryption
    • External KMS

    Double-check with:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text
    

    Make sure:

    • There is a newer valid cert present
    • You are not deleting the only cert in that store

    If you only see one expired cert and no replacement, you may need to regenerate instead of delete.


    If You Want to Be Extra Safe

    Take a VECS backup first:

    mkdir /root/vecs_backup
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text > /root/vecs_backup/data_enc.txt
    

    Or even snapshot the VCSA before making changes.


    90% Likely Scenario

    What usually happened:

    1. vCenter auto-renewed the encryption cert
    2. The old one expired
    3. The expired entry didn’t auto-clean
    4. Alarm stuck around

    Removing the expired entry clears the alert.