The Invisible Expired Certificate in vCenter - And Why You Can't See It in Certificate Management
The “Invisible” Expired Certificate in vCenter — And Why You Can’t See It in Certificate Management
You’re getting this alert in vCenter:
Certificate “OU=mID-…, CN=data-encipherment” from “data-encipherment” expires on 2023-09-22 But it’s not visible in Certificate Management — and everything there shows as valid
That’s actually a big clue.
This is almost certainly not one of the standard Machine SSL or Solution User certificates you manage in the UI.
It’s a VMware internal data-encipherment certificate stored inside VECS (VMware Endpoint Certificate Store).
That’s why you don’t see it in:
- Administration → Certificate Management
- Machine SSL
- Solution Users
It lives somewhere else.
What “data-encipherment” Usually Means
That CN is typically associated with:
- vSphere VM encryption
- vSAN encryption
- KMS integration
- Internal encryption services
- vCenter internal trust components
These certs are often:
- Automatically generated
- Not user-facing
- Stored in VECS stores like
DATA_ENCIPHERMENT
And sometimes:
- They expire
- Get replaced
- But the old one lingers and triggers alarms
Classic vCenter behavior.
Step 1: SSH Into the VCSA
ssh root@your-vcenter
Enable Bash:
shell
Step 2: List All VECS Stores
/usr/lib/vmware-vmafd/bin/vecs-cli store list
You’re looking for something like:
- MACHINE_SSL_CERT
- TRUSTED_ROOTS
- data-encipherment
- DATA_ENCIPHERMENT
If you see a store named data-encipherment or similar, that’s your target.
Step 3: List Certificates in That Store
Example:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text
That should show:
- Alias
- Not After date
- Subject
Find the expired one matching:
CN=data-encipherment
Step 4: Remove the Expired Certificate
If it’s clearly expired and not the active one:
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store DATA_ENCIPHERMENT --alias <alias_name>
Be careful:
- Do NOT delete the currently valid cert
- Only delete the expired duplicate
Step 5: Restart Certificate Services
After cleanup:
service-control --restart vmcad
service-control --restart vpxd
Or if you prefer:
service-control --stop --all
service-control --start --all
Why It Doesn’t Show in the UI
The Certificate Management UI only shows:
- Machine SSL
- Solution Users
- Trusted Roots
It does NOT show:
- Internal encryption stores
- Some legacy stores
- Certain VECS entries
That’s why it feels invisible.
Important: Before Deleting
If you are using:
- vSphere VM Encryption
- vSAN Encryption
- External KMS
Double-check with:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text
Make sure:
- There is a newer valid cert present
- You are not deleting the only cert in that store
If you only see one expired cert and no replacement, you may need to regenerate instead of delete.
If You Want to Be Extra Safe
Take a VECS backup first:
mkdir /root/vecs_backup
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text > /root/vecs_backup/data_enc.txt
Or even snapshot the VCSA before making changes.
90% Likely Scenario
What usually happened:
- vCenter auto-renewed the encryption cert
- The old one expired
- The expired entry didn’t auto-clean
- Alarm stuck around
Removing the expired entry clears the alert.