Recently while troubleshooting some SSL certificate issues on VCSA, I ran across the vecs-cli tool. It has the option to manipulate the certificate store used by vCenter.
To export all certificates and keys from all stores into individual files under a new certs/ directory:
mkdir certs
/usr/lib/vmware-vmafd/bin/vecs-cli store list | while read STORE ; do
    mkdir -p certs/${STORE}
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE | awk '/^Alias/{print $3}' | while read ALIAS ; do
        /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store $STORE --alias $ALIAS --output certs/${STORE}/${ALIAS}.crt
        /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store $STORE --alias $ALIAS --output certs/${STORE}/${ALIAS}.key
    done
done
You may see usage errors from the getkey step for some entries – typically in the TRUSTED_ROOTS and TRUSTED_ROOT_CRLS stores – as those entries have no private key to export.
Then, to identify which certificate is which, you can do things like:
ls -1 certs/*/*crt | while read F ; do
    echo "======== $F:"
    openssl x509 -noout -subject -fingerprint -issuer -in $F
done
You may see errors about files in certs/TRUSTED_ROOT_CRLS/ – these are actually Certificate Revocation Lists, not certificates, so this is expected.
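As an added example (not from the original post), here is a small POSIX sh script that walks the certs/ tree produced by the export loop above, tells certificates apart from CRLs by their PEM header so each file is read with the matching openssl subcommand, and flags certificates that expire within 30 days. It assumes the certs/STORE/ALIAS.crt layout created above and that openssl is on the PATH.

```shell
#!/bin/sh
# Added example: inspect the certs/<STORE>/<ALIAS>.crt tree exported by vecs-cli.
# Files under TRUSTED_ROOT_CRLS are CRLs, so they are read with `openssl crl`
# rather than `openssl x509`, which avoids the errors mentioned above.

# Report the PEM object type of a file: CERTIFICATE, CRL, KEY or UNKNOWN.
pem_kind() {
    case "$(sed -n '/^-----BEGIN/{p;q;}' "$1" 2>/dev/null)" in
        *"BEGIN CERTIFICATE-"*) echo CERTIFICATE ;;
        *"BEGIN X509 CRL-"*)    echo CRL ;;
        *"PRIVATE KEY-"*)       echo KEY ;;
        *)                      echo UNKNOWN ;;
    esac
}

# Print the identifying fields using the openssl subcommand for the object type.
describe_pem() {
    case "$(pem_kind "$1")" in
        CERTIFICATE) openssl x509 -noout -subject -issuer -enddate -fingerprint -in "$1" ;;
        CRL)         openssl crl -noout -issuer -lastupdate -nextupdate -in "$1" ;;
        KEY)         echo "private key, not inspected" ;;
        *)           echo "not a PEM certificate or CRL" ;;
    esac
}

# Succeed (exit 0) when the certificate in $1 expires within $2 days,
# or when openssl cannot parse it at all (-checkend exits non-zero then too).
cert_expiring_within_days() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Walk every exported .crt file, describe it and warn on imminent expiry.
scan_exported_certs() {
    dir=${1:-certs}
    for f in "$dir"/*/*.crt; do
        [ -e "$f" ] || continue          # no match: the glob stayed literal
        kind=$(pem_kind "$f")
        echo "======== $f: [$kind]"
        describe_pem "$f"
        if [ "$kind" = CERTIFICATE ] && cert_expiring_within_days "$f" 30; then
            echo "WARNING: $f expires within 30 days (or could not be parsed)"
        fi
    done
}

scan_exported_certs "${1:-certs}"
```

Run it from the directory that contains certs/, or pass another export directory as the first argument.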