An imported certificate will have to be re-issued by following the KB on how to import a CA Signed certificate to VASA.
If the Subject O and OU is not "Pure Storage" and the Issuer is not "VMware Engineering", then this is an imported certificate.Īdditionally, you will not be able to refresh/renew the Certificate from vCenter if the certificate is not issued by VMware Engineering.
Click on the ribbon icon to Refresh the Certificate.
The default VMCA imported certificate is in use if the Subject O and OU is Pure Storage and the Issuer OU is VMware Engineering.
You should check the Subject and Issuer lines in the Certificate information.
The VASA Certificate information can be found on the Certificate Info Tab for the storage Provider.
A Yellow Icon will show in the Certificate Expiry column if the cert expires within 180 days.
Select the Storage Provider that you need to refresh or need to check the certificate source.
In the Configure Tabs sidebar, click on Storage Providers.
From the vCenter Server object click on the Configure Tab.
After logging into the vCenter Server that has the registered Storage Providers with the FlashArray, navigate to the Hosts, VMs, or Storage page and click on the vCenter Server Object.
Here is how you'll be able to renew the Certificate before it expires. The main question that needs to be answered is if the certificate is the default one that VMCA imports when the storage providers are first registered or if the VASA certificate was manually imported by an array admin (this is only possible starting with Purity 5.3.0). If the Storage Provider Certificate is still valid, but is coming close to expiring, then renewing it is easy. VMware has said that a fix will be coming in a forthcoming 7.0 U3 release. Meaning to reset the certificate on the FlashArray and then re-registering the storage providers. The easiest way to approach this will likely be to treat the certificate as if it was expired. There is currently an issue with the vSphere 7.0 U2 ui in that the renew button is always grayed out. The workflows for these events is outlined in this KB. If the storage provider certificate has expired, then the storage providers will have to be removed, the VASA certificate will need to be deleted, a default VASA certificate will need to be created/imported and then the storage providers will need to be re-registered. In the event that the storage provider certificate is about to expire, then the certificate just needs to be renewed and/or refreshed.
Generating and Importing Custom VASA Certificates.
Managing the VASA Certificates with purecert via the CLI.
Additionally, the workflow can differ if the FlashArray is on Purity 5.3.0+ and a custom certificate has been imported to VASA via purecert on the CLI.įor more information about importing custom CA signed certificates and managing the FlashArray VASA certificates with purecert cli see the following KBs: The workflows for managing certificates expiration will differ on two points, whether the FlashArray is running Purity 5.3.0+ or whether the Certificate is about to expire or has expired. Here are the steps to renew the storage provider certificate in both cases. Customers will want to renew the Certificates before they expire, but if they have expired they can still be renewed, but it will take some extra steps. When registering the Flash Array storage providers the certificate is set to expire a year after the initial registration. Pure Storage's Virtual Volumes (vVols) implementation released in December of 2017.