Unpublish a Trusted Root Certificate

I just went through my notes and thought that this might be useful:

  1. Back up the PSC and the vCenter Server.
  2. Get the list of the TRUSTED_ROOTS currently in use: check the certificates in the VECS on the PSC and on the VCSA.

```sh
# List alias, subject and issuer of every entry in every VECS store (the CRL store is skipped).
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
  echo "[*] Store :" $store
  /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"
done
```

  3. Export the certificates not in use from the TRUSTED_ROOTS store on the PSC.

```sh
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias "alias from the vecs entry" --output /tmp/"filename"
```

  4. Unpublish the certificates from the vmdir on the PSC.

```sh
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert <file> --login <admin_user_id> --password <admin_password>
```

  5. Use the alias of each unused certificate to delete its CRL on the PSC.

```sh
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOT_CRLS -y --alias "alias from the vecs entry"
```

  6. Force a VECS sync on all nodes.

```sh
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
```
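Deciding which TRUSTED_ROOTS entries are actually unused is the part step 2 leaves to reading the grep output by eye. The script below is an added example, not part of the original notes: it parses the `--text` listing into alias/subject/issuer rows and reports the roots that are neither the issuer of any certificate in the in-use stores nor the issuer of another root in such a chain. The vecs-cli output layout it parses and the sample entries are constructed approximations.

```sh
#!/bin/sh
# Added example, not from the original notes. Parses `vecs-cli entry list --text`
# output and reports TRUSTED_ROOTS entries that issued neither an in-use cert nor
# another root in the chain above one: the candidates for export and unpublish.
# The vecs-cli text layout assumed below is an approximation of the real tool.
VECS=/usr/lib/vmware-vmafd/bin/vecs-cli
# One "alias<TAB>subject<TAB>issuer" line per entry from --text output on stdin.
summarize_entries() {
    awk '/^Alias[ \t]*:/   { a=$0; sub(/^Alias[ \t]*:[ \t]*/, "", a); i="" }
         /^[ \t]*Issuer:/  { i=$0; sub(/^[ \t]*Issuer:[ \t]*/, "", i) }
         /^[ \t]*Subject:/ { s=$0; sub(/^[ \t]*Subject:[ \t]*/, "", s); print a "\t" s "\t" i }'
}
# On a real PSC/VCSA: summarize_store TRUSTED_ROOTS
summarize_store() { "$VECS" entry list --store "$1" --text | summarize_entries; }

# unused_roots ROOT_SUMMARY LEAF_SUMMARY: roots whose subject is not, directly or via
# an intermediate, the issuer of any leaf. Prints "alias<TAB>subject" per unused root.
unused_roots() {
    tmp=$(mktemp); printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$1" | awk -F'\t' -v leaves="$tmp" '
        BEGIN { while ((getline l < leaves) > 0) if (split(l, f, "\t") >= 3) used[f[3]] = 1 }
        NF >= 3 { n++; al[n] = $1; su[n] = $2; is[n] = $3 }
        END {
            do { ch = 0            # a root that issued an in-use cert makes its own issuer in-use
                 for (k = 1; k <= n; k++) if ((su[k] in used) && !(is[k] in used)) { used[is[k]] = 1; ch = 1 }
            } while (ch)
            for (k = 1; k <= n; k++) if (!(su[k] in used)) print al[k] "\t" su[k]
        }'
    rm -f "$tmp"
}

# Constructed sample: three roots (CA, SubCA issued by CA, OldCA left over from a
# retired PSC) and one machine certificate issued by SubCA.
ROOTS='Alias : 11aa
        Issuer: CN=CA, DC=vsphere, DC=local
        Subject: CN=CA, DC=vsphere, DC=local
Alias : 22bb
        Issuer: CN=CA, DC=vsphere, DC=local
        Subject: CN=SubCA, DC=vsphere, DC=local
Alias : 33cc
        Issuer: CN=OldCA, DC=vsphere, DC=local
        Subject: CN=OldCA, DC=vsphere, DC=local'
LEAVES='Alias : __MACHINE_CERT
        Issuer: CN=SubCA, DC=vsphere, DC=local
        Subject: CN=vc01.example.com, O=VMware'
candidates() { unused_roots "$(printf '%s\n' "$ROOTS" | summarize_entries)" \
                            "$(printf '%s\n' "$LEAVES" | summarize_entries)"; }
candidates   # prints: 33cc<TAB>CN=OldCA, DC=vsphere, DC=local
```

On the appliance, replace the sample strings with `summarize_store TRUSTED_ROOTS` and the summaries of the other stores; CA stays off the list because SubCA, which it issued, signs the machine certificate.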

Please double-check the command reference for dir-cli and verify the parameters of the unpublish command before running it.