Skip to main content
Pure1 Support Portal



purecert, purecert-construct, purecert-list, purecert-setattr — manages FlashArray SSL certificate


purecert construct [--common-name COMMON_NAME] [--country COUNTRY] {--certificate-signing-request} [--email EMAIL] [--locality LOCALITY] [--organization ORG] [--organizational-unit ORG_UNIT] [--state STATE]

purecert list [ --certificate | --intermediate-certificate ] [ --cli | --csv | --nvp ] [--notitle] [--page] [--raw]

purecert setattr [--common-name COMMON_NAME] [--country COUNTRY] [ --certificate | --self-signed ] [--certificate] [--certificate-signing-request] [--days DAYS] [--email EMAIL] [--intermediate-certificate] [--key] [--key-size KEY_SIZE] [--locality LOCALITY] [--new-key] [--organization ORG] [--organizational-unit ORG_UNIT] [--passphrase] [--state STATE]


-h | --help

Can be used with any command or subcommand to display a brief syntax description.


Displays, exports, or imports the certificate.


Constructs a certificate signing request.


Fully qualified domain name (FQDN) of the current array. For example, the common name for is, or * for a wildcard certificate. The common name can also be the management IP address of the array or the short name of the current array. Common names cannot have more than 64 characters.


Country name. Two-letter ISO code for the country where the organization is located.

--days(purecert setattr --self-signed only)

Number of valid days for the self-signed certificate being generated. If not specified, the self-signed certificate expires after 3650 days.


Email address used to contact the organization.


Displays, exports, or imports the intermediate certificate.


Imports the private key.

--key-size(purecert setattr --self-signed only)

Key size in bits. Valid values are 512, 1024, 2048 (default) or 4096. A key size smaller than 2048 is considered insecure.


The city where the organization is located.

--new-key(purecert setattr --self-signed only)

Generates a new private key when creating the self-signed certificate. If a new private key is not generated, the certificate uses the existing private key.


Full and exact name in which the organization is legally registered. Organization name should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.


Name of the department within the organization that is managing the certificate.


Passphrase used to decrypt the private key.


Generates a self-signed certificate.


Full name of the state or province where the organization is located.

Options that control display format:


Displays output in the form of CLI commands that can be issued to reproduce the current configuration. The --cli output is not meaningful when combined with immutable attributes.


Lists information in comma-separated value (CSV) format. The --csv output can be used for scripting purposes and imported into spreadsheet programs.


Lists information without column titles.


Lists information in name-value pair (NVP) format, in the form ITEMNAME=VALUE. Argument names and information items are displayed flush left. The --nvp output is designed both for convenient viewing of what might otherwise be wide listings, and for parsing individual items for scripting purposes.


Turns on interactive paging.


Displays the unformatted version of column titles and data. For example, in the purearray monitor output, the unformatted version of column title us/op (read) is usec_per_read_op. The --raw output is used to sort and filter list results.


The purecert command allows you to perform tasks to manage your Pure Storage SSL certificates. Purity creates a self-signed certificate and private key when you start the system for the first time. You can use the default certificate, change the certificate attributes, create a new self-signed certificate, or import a SSL certificate signed by a certificate authority.

Self-signed Certificate

You can create a new self-signed certificate on the current array. When you create a self-signed certificate to replace the current certificate, include any attribute changes, specify the validity period of the certificate, and optionally generate a new private key. Run the purecert setattr --self-signed option to create a new self-signed certificate.

You can also include the --new-key option to generate a private key with the self-signed certificate. The default key size is 2048 bits. To change the length (in bits) of the private key, include the --key-size option with --new-key. If you do not generate a private key, the new certificate uses the existing key.

By default, self-signed certificates are valid for 3650 days. Include the --days option to change the valid number of days.

Certificate Signing Request

Signing in with a certificate from a certificate authority (CA) involves importing a SSL certificate issued by the CA.

To obtain a CA certificate, you must first construct a certificate signing request (CSR) on the array. The CSR represents a block of encrypted data specific to your organization. Run the purecert construct --certificate-signing-request command to construct a CSR.

You can change the certificate attributes when you construct the CSR; otherwise, Purity will reuse the attributes of the current certificate (self-signed or imported) to generate the new one. Note that the certificate attribute changes will only be visible after you import the signed certificate from the CA.

Send the CSR to a certificate authority for signing. The certificate authority returns the SSL certificate for you to import. Verify that the signed certificate is PEM formatted (Base64 encoded), includes the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, and does not exceed 3000 characters in length. If the intermediate certificate is bundled with the SSL certificate, run the purecert setattr --certificate to import the certificates. If the certificates are sent separately, run the purecert setattr --certificate --intermediate-certificate to import the SSL certificate and its accompanying intermediate certificate. The certificates are entered interactively.

If the certificate is signed with the CSR that was constructed on the current array and you did not change the private key, you do not need to import the key. However, if the CSR was not constructed by the current array, include the --key option to import the private key. If the private key is encrypted, include the --passphrase option with -- key.

Import Certificate

To change the certificate attributes, run the purecert setattr command. When you change the attributes of a self-signed certificate, Purity replaces the existing certificate with a new certificate, along with its specified attributes. Certificate attributes include organization-specific information, such as country, state, locality, organization, organizational unit, common name, and email address.

To export the current certificate and intermediate certificate for backup purposes, run purecert list --certificate and purecert list --intermediate-certificate, respectively.

Certificate Administration

Run purecert list to list the attributes of current certificate.

To export a certificate or an intermediate certificate, such as for backup purposes, run purecert list --certificate or purecert list --intermediate-certificate, respectively.


Example 1

purecert setattr --self-signed  --common-name --country US --state CA
--locality 'Mountain View' --organization 'Example, Inc.'

Create a self-signed certificate with the common name (the FQDN of the current array) and various updated attributes. Since the private key isn't specified, the new self-signed certificate will use the existing private key.

Example 2

purecert construct --certificate-signing-request --common-name

Construct a certificate signing request with the common name (the FQDN of the current array) and all of the existing attributes.

Example 3

purecert setattr --certificate --intermediate-certificate

Import the certificate signed by a certificate authority (CA) along with its intermediate certificate.


Pure Storage Inc.