Remove expired root certificates from a vCenter Server the easy way

I see a lot of vCenter Servers that have expired root certificates. In the vCenter Server Appliance Administration section under Certificate Management, you can see the expired certificates.

Expired root certificates can be cleaned up with the “vecs-cli” command on the vCenter Server Appliance (this is not possible in the vSphere Client), but that involves multiple steps (VMware KB). An easier way to clean up expired root certificates is to use PowerCLI and follow the steps below:

  • Make sure that PowerCLI is installed. If not, use the following command in PowerShell to install PowerCLI:
Install-Module VMware.PowerCLI -Scope CurrentUser -Force -SkipPublisherCheck -AllowClobber
  • Connect to the vCenter Server
Connect-VIServer "VCENTER-FQDN"
  • List the expired root certificates
Get-VITrustedCertificate -vCenterOnly | Where-Object { $_.NotValidAfter -lt (Get-Date) }
  • Remove the expired root certificates
Get-VITrustedCertificate -vCenterOnly | Where-Object { $_.NotValidAfter -lt (Get-Date) } | Remove-VITrustedCertificate

With the last PowerCLI one-liner, all the expired root certificates are removed from the VCSA. This is less complex than using the “vecs-cli” command.

Firefox does not trust vCenter signed CA certificates

For a vCenter Server environment I replaced the default SSL certificates with CA signed SSL certificates. The Platform Service Controller (PSC) is configured as VMCA subordinate CA. When opening the vSphere Web/HTML5 Client, Firefox displays the following warning: Your connection is not secure.

This is because Firefox does not trust root certificates in the Windows certificate store. Since Firefox 49, a new option is included that allows Firefox to trust those root certificates. This option is not enabled by default.

The following steps illustrate how to configure Firefox to use the Windows certificate store:

  • Open Firefox
  • In the address bar type: about:config
  • Accept the warning
  • Navigate to the preference name: security.enterprise_roots.enabled
  • Set the value to: true

Firefox now trusts the root certificates in the Windows certificate store.


Create a VMware Horizon View self signed certificate with makecert

With the Windows command-line utility “makecert.exe” it is possible to quickly create a self-signed (private) certificate that can be used with VMware Horizon View. Makecert is part of the Windows Software Deployment Kit (SDK) for Windows 7 and 8. The steps to create a self-signed certificate using makecert are outlined below.

  • The SDK can be downloaded here, link. Install the SDK and choose as feature to install “Windows Software Deployment”.
  • After the installation copy the makecert.* utility to the VMware View Connection server
  • Open an elevated command prompt
  • Create the self-signed root certificate, command: makecert -pe -n "CN=ViewRootCA" -ss root -sr LocalMachine -sky signature -r "ViewRootCA.cer"


  • Open certlm.msc, go to “Trusted Root Certification Authorities” and verify that the root certificate generated with makecert.exe exists. The root certificate can be copied to all the servers and View Clients. If the clients are domain joined, a Group Policy can be used to distribute the root certificate. More information can be found here, link.


  • Create a new self-signed certificate, command: makecert -pe -n "CN=viewcon02.beerens.local,cn=viewcon02" -ss my -sr LocalMachine -sky exchange -in "ViewRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 viewcon02.cer


  • The certificate is added to the personal store of the local computer


  • Change the Friendly name of the newly created self-signed certificate to: vdm
  • Remove the already existing self-signed certificate


  • Restart the VMware View Connection Server service
  • In the System Health dashboard the Connection Server system health turns green
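
The end state of the steps above can be checked from an elevated PowerShell prompt on the Connection Server before restarting the service. This is an added example, not part of the original post; it assumes the names used in the article (CN=ViewRootCA, friendly name vdm), and the function name Test-ViewCertificate is hypothetical.

```powershell
# Added example: read-only check of the certificate state the makecert steps produce.
# Assumptions: root subject and friendly name as used in the article.
function Test-ViewCertificate {
    param(
        [string]$RootSubject  = 'CN=ViewRootCA',
        [string]$FriendlyName = 'vdm'
    )
    $findings = @()

    # The root must be in the machine's Trusted Root store or the chain cannot validate.
    $root = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootSubject })
    if ($root.Count -eq 0) { $findings += "Root '$RootSubject' not found in LocalMachine\Root" }

    # Exactly one certificate in the personal store may carry the friendly name,
    # which is why the old self-signed certificate has to be removed.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($candidates.Count -ne 1) {
        $findings += "Expected 1 certificate with friendly name '$FriendlyName', found $($candidates.Count)"
        return $findings
    }
    $cert = $candidates[0]
    $now  = Get-Date

    if (-not $cert.HasPrivateKey)   { $findings += 'Certificate has no private key' }
    if ($cert.NotBefore -gt $now)   { $findings += "Certificate is not valid until $($cert.NotBefore)" }
    if ($cert.NotAfter  -lt $now)   { $findings += "Certificate expired on $($cert.NotAfter)" }
    if ($cert.Issuer -ne $RootSubject) { $findings += "Issuer is '$($cert.Issuer)', expected '$RootSubject'" }

    # Flag weak parameters; makecert output depends on the -len and -a options used.
    $keySize = $cert.PublicKey.Key.KeySize
    if ($keySize -lt 2048) { $findings += "RSA key is only $keySize bits" }
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    if ($sigAlg -match 'md5|sha1') { $findings += "Weak signature algorithm: $sigAlg" }

    # Build the chain; revocation is skipped because a makecert root publishes no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) { $findings += "Chain: $($s.Status) $($s.StatusInformation.Trim())" }
    }
    return $findings
}

$result = Test-ViewCertificate
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'Certificate checks passed' }
```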