Remove expired root certificates from a vCenter Server the easy way

I see a lot of vCenter Servers that have expired root certificates. In the vCenter Server Appliance Administration section under Certificate Management, you can see the expired certificates.

Expired root certificates can be cleaned up with the “vecs-cli” command on the vCenter Server Appliance (this is not possible in the vSphere Client). This involves multiple steps (VMware KB). An easier way to clean up expired root certificates is to use PowerCLI and follow the steps below:

  • Make sure that PowerCLI is installed. If not, use the following command in PowerShell to install PowerCLI:
Install-Module VMware.PowerCLI -Scope CurrentUser -Force -SkipPublisherCheck -AllowClobber
  • Connect to the vCenter Server
Connect-VIServer "VCENTER-FQDN"
  • List the expired root certificates
Get-VITrustedCertificate -vCenterOnly | Where-Object { $_.NotValidAfter -lt (Get-Date) }
  • Remove the expired root certificates
Get-VITrustedCertificate -vCenterOnly | Where-Object { $_.NotValidAfter -lt (Get-Date) } | Remove-VITrustedCertificate

With the last PowerCLI one-liner, all expired root certificates are removed from the VCSA. This is less complex than using the “vecs-cli” command.
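The same cleanup with a review step, a record of what was removed, and a dry run, as an added example that is not part of the original post. It assumes an existing Connect-VIServer session; `$reportPath` is a hypothetical file name, and `-WhatIf`/`-Confirm` are assumed to be supported by Remove-VITrustedCertificate in your PowerCLI version.

```powershell
# Added example: review, record, then remove expired vCenter trusted roots.
# Assumes Connect-VIServer has already been run; $reportPath is hypothetical.
$now        = Get-Date
$reportPath = Join-Path $env:TEMP ("vcenter-expired-roots-{0:yyyyMMdd-HHmmss}.xml" -f $now)

$all     = @(Get-VITrustedCertificate -vCenterOnly)
$expired = @($all | Where-Object { $_.NotValidAfter -lt $now })
# Roots that expire within 30 days are counted for follow-up, not removed
$soon    = @($all | Where-Object {
    $_.NotValidAfter -ge $now -and $_.NotValidAfter -lt $now.AddDays(30)
})

Write-Output ("Trusted roots: {0}, expired: {1}, expiring within 30 days: {2}" -f `
    $all.Count, $expired.Count, $soon.Count)

if ($expired.Count -eq 0) {
    Write-Output 'Nothing to remove.'
} else {
    # Keep a record of exactly what is about to be removed
    $expired | Export-Clixml -Path $reportPath
    $expired | Format-List *

    # Dry run: reports what would be removed without changing the trust store
    # (assumes the cmdlet supports the standard -WhatIf parameter)
    $expired | Remove-VITrustedCertificate -WhatIf

    # Real removal, with a confirmation prompt per certificate
    $expired | Remove-VITrustedCertificate -Confirm:$true

    # Verify that no expired root is left
    $left = @(Get-VITrustedCertificate -vCenterOnly |
        Where-Object { $_.NotValidAfter -lt (Get-Date) })
    Write-Output "Expired roots remaining: $($left.Count). Record: $reportPath"
}
```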

PowerCLI cannot be installed or updated because the authenticode signature of the file error

On a new Windows Server 2022 VM I tried to install a fresh copy of VMware.PowerCLI (13.0.0) with the following PowerShell command:

Install-Module VMware.PowerCLI -Scope CurrentUser

The following error occurred:

PackageManagement\Install-Package : The module ‘VMware.VimAutomation.License’ cannot be installed or updated because the authenticode signature of the file ‘’ is not valid.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\\PSModule.psm1:1809 char:21
+ … $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power….InstallPackage:InstallPackage) [Install-Package], Exception
+ FullyQualifiedErrorId : InvalidAuthenticodeSignature,ValidateAndGet-AuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage



Using the -Force and -SkipPublisherCheck options fixed the error. The command to execute is:

Install-Module VMware.PowerCLI -Scope CurrentUser -Force -SkipPublisherCheck -AllowClobber

For existing installations, you can first remove PowerCLI and then install PowerCLI again:

Get-InstalledModule VMware.PowerCLI | Uninstall-Module -Force
Install-Module VMware.PowerCLI -Scope CurrentUser -Force -SkipPublisherCheck -AllowClobber

After the installation of the PowerCLI modules finishes, you can run the following command to check which version is installed:

Get-InstalledModule VMware.PowerCLI | Select Name, Version
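Because -SkipPublisherCheck skips the publisher validation at install time, the signatures of the installed files can be checked afterwards. The following is an added example, not part of the original post; it uses only built-in PowerShell cmdlets and assumes the modules were installed with Install-Module under names starting with `VMware.`.

```powershell
# Added example: check the Authenticode signatures of the installed PowerCLI
# files after an install that used -SkipPublisherCheck.
$modules = Get-InstalledModule -Name 'VMware.*'

$results = foreach ($module in $modules) {
    # InstalledLocation is the version folder of the module on disk
    Get-ChildItem -Path $module.InstalledLocation -Recurse -File `
            -Include *.psd1, *.psm1, *.ps1, *.ps1xml, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Module     = $module.Name
                File       = $_.FullName
                Status     = $sig.Status
                # SignerCertificate is empty for unsigned files
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
            }
        }
}

# Summary: how many files per signature status and signer
$results | Group-Object Status, Signer |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap

# Anything that is not 'Valid' deserves a closer look
$suspect = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($suspect.Count -gt 0) {
    $suspect | Format-Table Module, Status, File -AutoSize -Wrap
    Write-Warning "$($suspect.Count) file(s) without a valid signature."
} else {
    Write-Output 'All checked PowerCLI files carry a valid Authenticode signature.'
}
```

The status is evaluated against the certificate stores of the machine the check runs on, so the same files can report differently on another host.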

Certificate error

When trying to connect to the vCenter Server, you get the following error:

Invalid server certificate. Use Set-PowerCLIConfiguration to set the value for the InvalidCertificateAction option to Prompt if you’d like to connect once or to add a permanent exception for this server.

I had no trusted certificate installed. The following command ignores invalid certificates and suppresses the VMware Customer Experience Improvement Program:

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false -ParticipateInCeip $false

Now I was able to connect to vCenter Server with PowerCLI.
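A narrower alternative to ignoring certificates for every server and every session, as an added example that is not part of the original post: read the certificate the vCenter Server presents, compare its thumbprint with a value obtained out of band, and relax the check for the current session only. `Get-ServerCertificate` is a hypothetical helper, and `$server` and `$expected` are placeholders.

```powershell
# Added example: compare the vCenter certificate with a known thumbprint
# before relaxing certificate checks, and relax them for this session only.
$server   = 'VCENTER-FQDN'                 # placeholder, as in the article
$expected = '<EXPECTED-SHA1-THUMBPRINT>'   # placeholder: obtained out of band

# Hypothetical helper: returns the certificate a TLS server presents
function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate here: the goal is to read it, not to trust it
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $c, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Dispose()
    }
}

$cert = Get-ServerCertificate -HostName $server
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint

# Thumbprints are often written with colons or spaces; strip them first
if ($cert.Thumbprint -eq ($expected -replace '[:\s]', '')) {
    # -Scope Session keeps the relaxed setting out of the user and machine profile
    Set-PowerCLIConfiguration -Scope Session -InvalidCertificateAction Ignore -Confirm:$false
    Connect-VIServer $server
} else {
    Write-Warning "Thumbprint mismatch for ${server}: got $($cert.Thumbprint). Not connecting."
}
```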


Get the highest concurrent license usage from a VMware Horizon environment

In some managed VMware Horizon environments, I wanted to know the highest concurrent users per month. This information can be found in the Horizon Administrator Console under Settings -> Product Licensing and Usage -> Usage.

Using the VMware Horizon Administrator console is a manual task. I wanted to automate this. To automate this, use VMware PowerCLI, which supports access to the View API.

To automatically retrieve the highest concurrent users per month, perform the following steps:

  • Set up the Horizon PowerCLI module
  • The following PowerCLI code displays the highest concurrent license usage
Import-Module -Name VMware.VimAutomation.HorizonView
Connect-HVServer -Server <server> -Domain <domain name>

# Clear screen
Clear-Host

# View API
$horapi = $Global:DefaultHVServers.ExtensionData

# Get the highest concurrent licensing usage
$getusage = $horapi.UsageStatistics.UsageStatistics_GetLicensingCounters()
$totalccu = $getusage.HighestUsage.TotalConcurrentConnections
Write-Output " "
Write-Output "The highest concurrent usage count is: $totalccu"

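  • To reset the highest concurrent license usage, use the following code
# Reset the highest license usage
$horapi.UsageStatistics.UsageStatistics_ResetHighestUsageCount()
# Read the counters again to confirm the reset
$getusage = $horapi.UsageStatistics.UsageStatistics_GetLicensingCounters()
$totalccu = $getusage.HighestUsage.TotalConcurrentConnections
Write-Output "The highest usage count is: $totalccu"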

With this code you can, for example, create a scheduled task that retrieves the highest concurrent license usage at the end of each month and resets it afterwards. That way you know the highest concurrent license usage of the VMware Horizon environment.