Pure Technical Services

How To: Renewing the Storage Provider Certificate that is Expired or Going to Expire


Pure Storage's Virtual Volumes (vVols) implementation was released in December 2017.  When the FlashArray storage providers are registered, their certificate is set to expire one year after the initial registration.  Customers will want to renew the certificates before they expire; if they have already expired they can still be renewed, but it takes some extra steps.  Here are the steps to renew the storage provider certificate in both cases.

The workflow for managing certificate expiration differs on two points: whether the FlashArray is running Purity 5.3.0+, and whether the certificate is about to expire or has already expired.  Additionally, the workflow can differ if the FlashArray is on Purity 5.3.0+ and a custom certificate has been imported to VASA via purecert on the CLI.

For more information about importing custom CA-signed certificates and managing the FlashArray VASA certificates with the purecert CLI, see the following KBs:

If the storage provider certificate is about to expire, then the certificate just needs to be renewed and/or refreshed.  If the storage provider certificate has already expired, then the storage providers will have to be removed, the VASA certificate deleted, a default VASA certificate created or imported, and then the storage providers re-registered.

The workflows for both cases are outlined in this KB.


Storage Provider Certificate Has Not Expired Yet

There is currently an issue with the vSphere 7.0 U2 UI in that the Renew button is always grayed out: https://kb.vmware.com/s/article/85328

There is a way to manually refresh the VASA certificates through the Managed Object Browser.  You can see how to do that in this blog post.

Another option is to treat the certificate as if it had already expired: reset the certificate on the FlashArray and then re-register the storage providers.

VMware has said that a fix will be coming in a forthcoming 7.0 U3 release.

If the storage provider certificate is still valid but is coming close to expiring, then renewing it is easy.  The main question to answer is whether the certificate is the default one that VMCA issues when the storage providers are first registered, or whether the VASA certificate was manually imported by an array admin (this is only possible starting with Purity 5.3.0).  This can be checked from the vCenter UI.

Here is how to renew the certificate before it expires.

  1. After logging into the vCenter Server that has the storage providers registered with the FlashArray, navigate to the Hosts, VMs, or Storage page and click on the vCenter Server object.
  2. From the vCenter Server object, click on the Configure tab.
  3. In the Configure tab's sidebar, click on Storage Providers.
  4. Select the storage provider that you need to refresh or whose certificate source you need to check.
  5. A yellow icon will show in the Certificate Expiry column if the certificate expires within 180 days.
    1. The VASA certificate information can be found on the Certificate Info tab for the storage provider.
      1. Check the Subject and Issuer lines in the certificate information.
        1. The default VMCA-issued certificate is in use if the Subject O and OU are "Pure Storage" and the Issuer OU is "VMware Engineering".
  6. Click on the ribbon icon to refresh the certificate.
  7. Verify that the certificate is refreshed.
  8. If the Subject O and OU are not "Pure Storage" and the Issuer is not "VMware Engineering", then this is an imported certificate.
    Additionally, you will not be able to refresh or renew the certificate from vCenter if the certificate is not issued by VMware Engineering.
  9. An imported certificate will have to be re-issued by following the KB on how to import a CA-signed certificate to VASA.
    1. The storage providers will need to be re-registered after a new certificate has been imported to VASA.
  10. Repeat the same steps for the other storage provider.
  11. After following the previous steps on one vCenter, if you have vCenters in Enhanced Linked Mode (ELM) and the storage providers are also registered on the additional vCenter(s), you have a few options.  You can re-register the storage providers on all ELM vCenters, restart services on the additional vCenter Server(s), or refresh the certificates on the other ELM vCenter(s) as well.
  12. No other steps are needed once the certificates are updated and/or refreshed.

Storage Provider Certificate Has Expired

If the FlashArray is on Purity 5.3.0 or higher, the Pure Support steps to reset the certificate do not apply.  Instead, an Array Admin user can manually reset the VASA certificate or import a new certificate to the FlashArray.  The process of removing and re-registering the storage providers is still required.  The workflow is as follows.

  1. Remove the storage providers with expired certificates in vCenter.
  2. Refer to the KB about managing VASA certificates with purecert found here.
    1. If the certificate was signed by a CA, then the end user will need to generate a new CSR, get a newly signed certificate, and import the newly signed certificate.
    2. If the certificate was the default vSphere certificate, then the end user will need to delete the existing vasa-ct0 and vasa-ct1 certificates, then create new default self-signed certificates.
  3. Re-register the storage providers in vCenter.

This process isn't as easy or simple as renewing a cert that is about to expire.  In this case you can't renew the cert; instead you have to remove the storage providers and then re-register them.  However, as part of this process Pure Storage Support will need to manually clear the expired cert and restart the VASA provider; otherwise the re-registration of the storage providers will fail.  Pure is working to improve this process moving forward.

An expired storage provider certificate will impact any further vVol-related operations that have to communicate with the VASA provider on the array, such as powering on VMs, vMotioning VMs, deploying new VMs, etc.  However, any currently running VMs will continue to run without impact.  Removing the expired storage provider, clearing the expired cert and then restarting the VASA service will not impact the currently running vVol VMs.

Here are the steps to follow in order to renew a storage provider whose certificate has expired.

  1. Log into the vCenter where the storage providers are registered.
  2. Navigate to the Hosts, VMs or Datastores tab and select the vCenter object.
  3. Select the Configure tab and then the Storage Providers option.  Locate the storage providers that have the expired certificate.
  4. If you try to renew the certificate here it will fail with "Certificate is expired, unable to renew".
  5. You will need to remove both expired storage providers.
  6. If the storage providers are also registered with another vCenter that is in Enhanced Linked Mode, be sure to remove them from all the vCenters they are registered with.
  7. If the FlashArray is running Purity 5.3.0 or higher, then an array admin will need to delete and create a default certificate for VASA via the purecert CLI.
  8. If the FlashArray is not running Purity 5.3.0 or higher, then once both storage providers are removed from all vCenter Servers you will want to work with Pure Support.  You will need to enable Remote Assist and reference this KB in your support case.  There will be steps for Pure Support to follow.
  9. After the VASA certificates have been reset, the storage providers will need to be re-registered.
    1. Follow the Registering the VASA Provider KB for the method that works best for you.
  10. Sometimes, even after re-registering the storage providers, some ESXi hosts may not show connectivity to the vVol datastore.  This is because vCenter's certificate updates in VMCA may fail to dynamically push the updated CA and CRLs to the ESXi hosts.  In this event, you will need to refresh the CA/CRLs for the ESXi hosts that have the vVol datastore mounted.  This can be done manually in the UI or with PowerShell.
    1. The process for doing this with PowerShell can be found here.

Once you have your storage providers registered with the vCenters they were before, you can check to see that your vVol Datastore is accessible.
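The CA/CRL refresh for the ESXi hosts and the final datastore accessibility check described above, as an added PowerCLI example (not the KB's own script nor the one in the linked PowerShell post): it assumes VMware PowerCLI is installed, that the vSphere CertificateManager API method CertMgrRefreshCACertificatesAndCRLs_Task is what the UI's CA refresh action calls, and uses a placeholder vCenter name.

```powershell
# Added example, not from the Pure Storage KB or the PowerShell post it links to.
# Pushes the current VMCA CA certificates and CRLs to every ESXi host that mounts a
# vVol datastore, then reports whether each host can still access that datastore.
# Assumptions: VMware PowerCLI is installed; ServiceInstance.Content.CertificateManager
# (vSphere 6.0+) exposes CertMgrRefreshCACertificatesAndCRLs_Task; the vCenter name
# below is a placeholder.
Import-Module VMware.PowerCLI -ErrorAction Stop

$vc = Connect-VIServer -Server 'vcenter.example.local' -Credential (Get-Credential)

# Every vVol datastore on this vCenter and the hosts that have it mounted.
$vvolDatastores = @(Get-Datastore -Server $vc | Where-Object { $_.Type -eq 'VVOL' })
if ($vvolDatastores.Count -eq 0) { throw 'No vVol datastores found on this vCenter.' }

$hostMoRefs = @($vvolDatastores | ForEach-Object { $_.ExtensionData.Host.Key }) |
    Sort-Object -Property Value -Unique

# The vCenter-side CertificateManager pushes the CA chain and CRLs to the hosts.
$si      = Get-View -Server $vc ServiceInstance
$certMgr = Get-View -Server $vc -Id $si.Content.CertificateManager
$task    = Get-View -Server $vc -Id $certMgr.CertMgrRefreshCACertificatesAndCRLs_Task($hostMoRefs)

# Wait for the refresh task and stop if vCenter reports an error.
while ($task.Info.State -in 'queued', 'running') {
    Start-Sleep -Seconds 2
    $task.UpdateViewData()
}
if ($task.Info.State -ne 'success') {
    throw "CA/CRL refresh failed: $($task.Info.Error.LocalizedMessage)"
}

# Re-read the mount state and report one row per (datastore, host) pair.
$report = foreach ($ds in $vvolDatastores) {
    $ds.ExtensionData.UpdateViewData()
    foreach ($mount in $ds.ExtensionData.Host) {
        $esx = Get-View -Server $vc -Id $mount.Key -Property Name
        [pscustomobject]@{
            Datastore  = $ds.Name
            Host       = $esx.Name
            Accessible = $mount.MountInfo.Accessible
            Reason     = $mount.MountInfo.InaccessibleReason
        }
    }
}
$report | Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

Any row with Accessible set to False after the refresh points at a host that still needs attention (for example, a host that was not connected to vCenter when the refresh task ran).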