How to Refresh VASA Certificates with vSphere 7.0

When VMware released vSphere 7.0 they disabled the ability to refresh certificates for VASA Providers in the vCenter UI. When logging into vCenter and trying to manage the certificate for the storage providers you will see that the refresh button is greyed out. Whether this option being disabled was done inadvertently or on purpose I’m not sure. The last time I talked with VMware’s engineering team they confirmed that this was a known issue, but that it won’t be fixed until vSphere 8.0. So I want to cover how to refresh VASA Certificates with vSphere 7.0 in this post.

Update 19 April 2022: VMware got back to me recently about when specifically we would see a fix for this issue. The fix for this is released in vSphere 7.0 U3d.

Before getting started, from vSphere, the the only certificates that can be refreshed by vCenter are ones that are issued by VMCA (VMware Certificate Authority). Should a custom certificate be used with the VASA Provider, then new one will need to be generated by the CA and then updated to the given storage provider. Each storage provider can be different, so refer to their documentation on how to do that. Now that that is out of the way, what does the problem look like?

Notice with the screenshot that the “Refresh certificate” button is completely greyed out. Looking at the Certificate Info I can see that the Issuer is this vCenters VMCA. So the refresh certificates button should NOT be greyed out. Now that the issue is clear the next part is to figure out how to still refresh the certificate without having to reset the certificates with the VASA Provider.

How to Refresh the VASA Certificate with the vCenter MOB

An easy way to refresh a VMCA certificate for the VASA provider is to use the vCenters MOB (managed object browser), specifically the SMS (Storage Monitoring Server) MOB. There is an action called VasaProviderRefreshCertificate_Task that can be issued against the VASA provider and that’s the one we want to do. First, from the web browser navigate to the vCenter URL then add /sms/mob to the end of the url. Here I log in with a vCenter administrator.

Once logged into the MOB a lot of new windows are going to pop up when I click on active links, so be prepared for that. To get to the VASA provider management I’ll need to first click on the query storage manager.

This will pop up a new window and Invoke Method needs to be pressed in order actually run the QueryStorageManager task.

After clicking on Invoke Method, some details will show below that and you’ll need to click on the storageManager link.

Once the storage manager is accessed there are a couple places that can be navigated to in order to refresh the certificate. One way is to issue a queryProvider, which will list all vasa providers. However, this view can be a little confusing as you only see the reference id’s and not the names until you query each one. An easier way to find the VASA provider you want is to click on the queryFaultDomain option.

Once in the queryFaultDomain action, clear out the filter so that as it’s optional.

Keep in mind that this will only return the active VASA providers and not the standby providers. In my example, I want to refresh the certificate for the FlashArray-m50-2 vasa provider. So I am going to click on the vasaProvider-31 provider managed object reference.

Now we have the managed object type of the VASA Provider pulled up. The task that we want to work with here is the VasaProviderRefreshCertificate_Task. Go ahead and click on that.

One thing that I want to make note of here is the URL of the page for this task. One option that can be done moving forward is that if you know the VASA provider ID, then you could just change that value in the URL and navigate to that right away. Let’s table that for now though and continue forward here. Once on the task page the invoke action just needs to be clicked and you’ll be good to go.

Once invoked, the action will be issued and likely completely within seconds. The SmsTask can be clicked on and the task can be queried for its result.

However, the task will finish fairly quickly so I just go to the vCenter GUI after invoking the method. Go to the storage provider screen again and refresh that view. You should see that that VASA provider’s certificate expiration date has been updated/refreshed.

Note that only one of the providers certificate expiry was updated. This is because we only issued the refresh task to the single provider. We can go back to the mob and navigate to the other provider, but there is an easier way to do this. Personally I like getting the list of my VASA Providers and their IDs from PowerShell (via PowerCLI).

> Get-VasaProvider | Where-Object {$_.Namespace -eq 'com.purestorage'} | Select-Object Name,Id

Name                 Id
----                 --
sn1-x50r2-b12-36-ct0 VasaProvider-vasaProvider-36
flasharray-m50-2-ct0 VasaProvider-vasaProvider-30
flasharray-m50-2-ct1 VasaProvider-vasaProvider-31
sn1-m20-c08-17-ct0   VasaProvider-vasaProvider-34

Here I can see that for the FlashArray-m50-2 providers, there is vasaProvider-30 and vasaProvider-31. I just refreshed the certificate for vasaProvider-31, so now I need to go ahead and refresh vasaProvider-30. So, what I want to do is use that URL that I noted before, but change the provider ID from 31 to 30.

https://dr-vcsa.alex.purestorage.com/sms/mob/?moid=vasaProvider-30&method=VasaProviderRefreshCertificate_Task

The key part here is that I’m using this end of the URL and updating it as I need:
/sms/mob/?moid=vasaProvider-30&method=VasaProviderRefreshCertificate_Task
That can be updated to whatever VASA Provider ID that I want to update. Now I’m going to navigate to that URL.

Now I just need to invoke the method again for the other provider. After invoking it I’ll head back over to the vCenter UI and refresh the storage provider screen.

There we go, both VASA Provider certificates were refreshed and updated! We just solved how to refresh VASA certificates with vSphere 7.0! Even though the GUI has the refresh certificate greyed out, I was able to refresh my VASA certificates by using the vCenter MOB. I hope this helps out anyone that might be struggling with this issue.

VMware did publish a KB, that at the time of writing this KB (April 6, 2022) was incorrect. Perhaps it will be updated shortly in the future, but it something to make note of.

Posted in Virtual Volumes, VMware.

6 Comments

  1. Using ver 6.5 and our IOFILTER certs are completely expired. No refresh certificate option available. I tried your method, but I get different results. When I click to invoke the refresh certificate task, it gives me a “Method Invocation Result: void”. Any chance that you know of a work around?

    • So IOFILTER certs are a bit different in my experience. The only way I’ve been able to get vCenter to actually update/correct the ones there is to remove the host from vCenter, then reset that hosts certificate and then add the host back to vCenter. Essentially forcing a refresh/update of the IOfilter Certificates.

  2. I had to do a Refresh CA Certificates on each host after this process and rescan storage. Until then my vVOLs were in a degraded state.

    Heads up if you encounter the same thing

Leave a Reply

Your email address will not be published. Required fields are marked *