Skip to main content
Pure Technical Services

How To: Renewing the Storage Provider Certificate that is Expired or Going to Expire

Currently viewing public documentation. Please login to access the full scope of documentation.

Pure Storage's Virtual Volumes (VVols) implementation released in December of 2017.  When registering the Flash Array storage providers the certificate is set to expire a year after the initial registration.  Customers will want to renew the Certificates before they expire, but if they have expired they can still be renewed, but it will take some extra steps.  Here are the steps to renew the storage provider certificate in both cases.

Storage Provider Certificate has not Expired Yet

If the Storage Provider Certificate is still valid, but is coming close to expiring, then renewing it is easy.  Here is how you'll be able to renew the Certificate before it expires.

  1. Log into the vCenter that has the registered Storage Providers with the Flash Array.
  2. Navigate to the Hosts, VMs, or Storage page and click on the vCenter Object
    Renew Almost Expired Certificate - 00 - 4.08.23 PM.png
  3. Navigate to Configure and then Storage Providers
    Screen Shot 2018-09-20 at 4.20.08 PM.png
  4. If the Storage Provider Certificate is about to expire, you will see a yellow warning icon
  5. Select the Storage provider for CT0 or CT1
  6. Click on the ribbon icon to Renew the Certificate
    Renew Almost Expired Certificate - 00 - 4.19.56 PM.png
  7. Verify the Certificate is Renewed
    Renew Almost Expired Certificate - 01 - 4.20.42 PM.png
  8. Select the Storage Provider that was not renewed
  9. Click on the ribbon icon to Renew the Certificate
    Renew Almost Expired Certificate - 02 - 4.20.51 PM.png
  10. Verify the Certificate is Renewed
    Renew Almost Expired Certificate - 03 -  4.21.07 PM.png
  11. If your vCenter is in Enhanced Linked Mode and you have another vCenter registered with the same Arrays Storage Providers, you will want to renew the certificates on the other vCenter as well.  Repeat the above steps in that case.
  12. All done now.  

Storage Provider Certificate has Expired

Should the FlashArray be on Purity 5.3.0 or higher these steps do not apply.  Rather an Array Admin user can manually reset the VASA certificate or import a new certificate to the FlashArray.  Please refer to the KB about managing VASA certificates with purecert found here.

This process isn't as easy or simple as renewing a cert that is about to expire.  In this case you can't renew the cert; instead you have to remove the storage providers and then re-register the storage providers.  However, as part of this process Pure Storage Support will need to manually clear the expired cert and restart the vasa provider.  Otherwise the re-registration of the storage providers will fail.  This process is something that Pure is working to improve moving forward.  

The impact of having the storage providers cert expire will be impactful to any further VVol related operations that have to communicate with the VASA provider on the array.  Such is powering on VMs, vMotioning VMs, deploying new VMs, etc.  However, any currently running VMs will continue to run without impact.  The process of removing the expired storage provider, clearing the expired cert and then restarting the VASA service will not be impactful to the currently running VVol VMs.

Do not manually reset certificates if the FlashArray is running Purity 5.3.0 or higher in the same method as outlined in this KB for Purity 5.0, 5.1 or 5.2. All management of the VASA certificates must be done with purecert via the CLI on Purity 5.3.0 and higher.

Here are the steps to follow in order to Renew a Storage Provider that has had it's certificate expire.

  1. Log into the vCenter that the Storage Providers are registered.
  2. Navigate to the hosts, vms or datastores tab and select the vCenter object.
  3. Select the configure tab and then the storage providers option.  Locate the Storage providers that have the expired certificate.
  4. Here you can see if you try to renew the Certificate it will fail:
    Certificate is expired, unable to renew
    Certificate is Expired - Remove and Re-Add - 4.01.34 PM.png
  5. You will need to remove both Storage Providers
    Remove Both Expired Storage Providers
    Remove Expired Storage Provider - 4.06.06 PM.png
  6. If you have the storage providers registered with another vCenter that is in Enhanced Linked mode, be sure to remove them from all the vCenters that are registered with them.
  7. Once both storage providers are removed from all vCenters you will want to work with Pure Support.  You will need to enable remote assist and reference this KB in your support case.  There will be steps for Pure Support to follow.
  1. After support has ran through their process, you can use the plugin to re-register your storage providers or manually re-register them.
  2. Here is an example to use the plugin to re-register each controllers storage provider
    After navigating to the plugin page - Right Click on the Array you need to re-register and select to register the storage Provider
    Using Plugin - 00 - Register Storage Provider - Right Click - 4.14.51 PM.png
    Enter the array username and password, then select the vCenter/s you want to re-register the Storage Providers with
    Using Plugin - 01 - Register Storage Provider - Username - 4.15.09 PM.png
  3. Here is an example to manually re-register each controllers Storage Provider
    Click on the + to Add CT0
    Register first Storage Provider 4.33.45 PM.png
    Register the Storage Provider for CT0
    Register first Storage Provider 4.34.23 PM.png
    Click on the + to Add CT1
    register second storage provider 4.35.32 PM.png
    Register the Storage Provider for CT1
    Register second storage provider 4.35.13 PM.png
  4. Once you have your storage providers registered with the vCenters they were before, you can check to see that your VVol Datastore is accessible.