# The Invisible Expired Certificate in vCenter - And Why You Can't See It in Certificate Management

February 18, 2026
4 min read

Tags: VMware, vCenter, Certificates, Security
You’re getting this alert in vCenter:

> Certificate “OU=mID-…, CN=data-encipherment” from “data-encipherment” expires on 2023-09-22
>
> But it’s not visible in Certificate Management, and everything there shows as valid.

That’s actually a big clue.

This is almost certainly **not** one of the standard Machine SSL or Solution User certificates you manage in the UI. It’s a **VMware internal data-encipherment certificate** stored inside VECS (VMware Endpoint Certificate Store).

That’s why you don’t see it in:

- Administration → Certificate Management
- Machine SSL
- Solution Users

It lives somewhere else.

---

# What “data-encipherment” Usually Means

That CN is typically associated with:

- vSphere VM encryption
- vSAN encryption
- KMS integration
- Internal encryption services
- vCenter internal trust components

These certs are often:

- Automatically generated
- Not user-facing
- Stored in VECS stores like `DATA_ENCIPHERMENT`

And sometimes:

- They expire
- Get replaced
- But the old one lingers and triggers alarms

Classic vCenter behavior.

---

# Step 1: SSH Into the VCSA

```
ssh root@your-vcenter
```

Switch from the appliance shell to Bash:

```
shell
```

---

# Step 2: List All VECS Stores

```
/usr/lib/vmware-vmafd/bin/vecs-cli store list
```

You’re looking for something like:

- MACHINE_SSL_CERT
- TRUSTED_ROOTS
- data-encipherment
- DATA_ENCIPHERMENT

If you see a store named `data-encipherment` or similar, that’s your target.

---

# Step 3: List Certificates in That Store

Example:

```
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text
```

That should show, for each entry:

- Alias
- Not After date
- Subject

Find the expired one matching:

```
CN=data-encipherment
```

---

# Step 4: Remove the Expired Certificate

If it’s clearly expired and not the active one:

```
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store DATA_ENCIPHERMENT --alias <alias_name>
```

Be careful:

- Do NOT delete the currently valid cert
- Only delete the expired duplicate

---

# Step 5: Restart Certificate Services

After cleanup:

```
service-control --restart vmcad
service-control --restart vpxd
```

Or if you prefer:

```
service-control --stop --all
service-control --start --all
```

---

# Why It Doesn’t Show in the UI

The Certificate Management UI only shows:

- Machine SSL
- Solution Users
- Trusted Roots

It does NOT show:

- Internal encryption stores
- Some legacy stores
- Certain VECS entries

That’s why it feels invisible.

---

# Important: Before Deleting

If you are using:

- vSphere VM Encryption
- vSAN Encryption
- External KMS

Double-check with:

```
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text
```

Make sure:

- There is a newer valid cert present
- You are not deleting the only cert in that store

If you only see one expired cert and no replacement, you may need to regenerate instead of delete.

---

# If You Want to Be Extra Safe

Save a text dump of the store first, so you have a record of every alias and its dates:

```
mkdir /root/vecs_backup
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store DATA_ENCIPHERMENT --text > /root/vecs_backup/data_enc.txt
```

Or, safer still, snapshot the VCSA before making changes; the text dump is a record of what was in the store, not something you can restore from.

---

# 90% Likely Scenario

What usually happened:

1. vCenter auto-renewed the encryption cert
2. The old one expired
3. The expired entry didn’t auto-clean
4. Alarm stuck around

Removing the expired entry clears the alert.

---
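The "is there a valid replacement?" check from the Before Deleting section, applied to the Step 3 dump, can be scripted so you do not have to eyeball dates. This is an added example, not code from the post or from VMware: it assumes the `--text` dump uses the openssl-style `Alias : / Not After : / Subject:` layout shown in the constructed SAMPLE, and the `OU=mID-EXAMPLE` value and alias names are made up for the sample.

```python
"""Audit a vecs-cli --text dump before running `vecs-cli entry delete`.
Assumed layout (openssl-style Alias / Not After / Subject lines) is shown in
the constructed SAMPLE so the script runs offline; pipe a real dump into audit()."""
from datetime import datetime, timezone

SAMPLE = """\
Alias : data-encipherment-old
Certificate:
        Validity
            Not After : Sep 22 10:00:00 2023 GMT
        Subject: OU=mID-EXAMPLE, CN=data-encipherment
Alias : data-encipherment
Certificate:
        Validity
            Not After : Sep 20 10:00:00 2025 GMT
        Subject: OU=mID-EXAMPLE, CN=data-encipherment
"""

def parse_entries(dump):
    """Return one dict per entry: alias, subject, not_after (UTC datetime)."""
    entries = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("Alias :"):
            entries.append({"alias": line.split(":", 1)[1].strip()})
        elif line.startswith("Not After :") and entries:
            raw = " ".join(line.split(":", 1)[1].split())  # collapse "Sep  2"
            when = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z")
            entries[-1]["not_after"] = when.replace(tzinfo=timezone.utc)
        elif line.startswith("Subject:") and entries:
            entries[-1]["subject"] = line.split(":", 1)[1].strip()
    return entries

def audit(dump, today=None, cn="CN=data-encipherment"):
    """Split entries carrying `cn` into expired vs. valid aliases. Deleting is
    flagged safe only if a valid entry remains; else regenerate, don't delete.
    today: 'YYYY-MM-DD' override for reproducible checks (default: now, UTC)."""
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    expired, valid = [], []
    for e in parse_entries(dump):
        if cn not in e.get("subject", "") or "not_after" not in e:
            continue
        (expired if e["not_after"] < now else valid).append(e["alias"])
    return {"expired": expired, "valid": valid,
            "safe_to_delete": bool(expired) and bool(valid)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against `vecs-cli entry list --store DATA_ENCIPHERMENT --text` output and only proceed to Step 4 when `safe_to_delete` is true; an empty `valid` list is the "one expired cert and no replacement" case where you regenerate instead.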