Replacing the Pure Storage FlashArray VASA Certificate

Share on:

Maintaining Certificates in your environments is an important thing to do to make connections between your client and server are encrypted. With this blog we will go over how to replace your Pure Storage FlashArray Certificate for the vStorage APIs for Storage Awareness (VASA) using a Microsoft Certificate Authority.

Previously, we covered how to replace the FlashArray Management Certificate now we will show how to replace the VASA one. With the VASA certificate there are a few reasons we may want to replace it with a signed certificate one being encryption, but the other is it will allow you to register a storage provider with multiple vCenter Servers for vVols.

Checking Certificate Status

The VASA Certificate can only be replaced via the CLI. If we run *purecert list we can see the current status of our array certificates.

1[email protected]> purecert list
2Name        Status    Key Size  Issued To                 Issued By         Valid From               Valid To                 Country  State/Province  Locality  Organization        Organizational Unit  Email                    Common Name
3management  imported  2048      david-fa1.newstack.local  newstack-DC01-CA  2020-03-30 13:38:49 PDT  2022-03-30 13:38:49 PDT  US       CA              MTV       Pure Storage, Inc.  Pure Storage, Inc.   [email protected]  david-fa1.newstack.local
4vasa-ct0    imported  2048      10.21.230.44              CA                2020-03-08 08:11:26 PDT  2021-03-09 07:11:26 PST  US       -               -         Pure Storage        Pure Storage         -                        10.21.230.44

We can see that our management certificate has already been replaced by our CA, we will proceed to replace our vasa-ct0 certificate.

In this blog this is a non-production FlashArray with a single controller. In a production environment this will be repeated for vasa-ct0 and vasa-ct1

Construct Certificate Signing Request

Unlike the management certificate, the vasa certificate is only an IP based name, there is no need to add in any FQDN for the array.

Let’s create a CSR for vasa-ct0 using the following command.

1purecert construct --certificate-signing-request --common-name 10.21.230.44 --country US --state CA --locality 'MTV' --organization 'Pure Storage, Inc.' --organizational-unit 'Pure Storage, Inc.' --email '[email protected]' vasa-ct0

Request a Certificate Using the CSR from Microsoft Certificate Authority

With our CSR in hand we can navigate to our Certificate Authority to request a certificate. You can access the certificate request UI usually by navigating to https://FQDN/certsrv

We will click on Request a certificate and then advanced certificate request. As mentioned earlier, the SAN will not contain Common Name but with the Certificate Request we can easily add in the Additional Attributes to include it:

1san:ipaddress=10.21.230.44&dns=10.21.230.44

Click on Submit and download the certificate as Base 64 encoded

Replacing the Management Certificate

Once you have your certificate you can navigate back to the CLI and run purecert setattr –certificate vasa-ct0 to replace the certificate.

“^D” is equivalent to “Ctrl+D”

Now if we rerun purecert list we can see our vasa-ct0 certificate is now updated.

1[email protected]> purecert list
2Name        Status    Key Size  Issued To                 Issued By         Valid From               Valid To                 Country  State/Province  Locality  Organization        Organizational Unit  Email                    Common Name
3management  imported  2048      david-fa1.newstack.local  newstack-DC01-CA  2020-03-30 13:38:49 PDT  2022-03-30 13:38:49 PDT  US       CA              MTV       Pure Storage, Inc.  Pure Storage, Inc.   [email protected]  david-fa1.newstack.local
4vasa-ct0    imported  2048      10.21.230.44              newstack-DC01-CA  2020-03-31 06:16:12 PDT  2022-03-31 06:16:12 PDT  US       CA              MTV       Pure Storage, Inc.  Pure Storage, Inc.   [email protected]  10.21.230.44

Conclusion

Replacing certificates is always a great idea! If you have not replaced your management certificate now is a great time.

comments powered by Disqus

See Also