Commands and Examples

How-Tos for VMware Solutions

Audience
Public
Source Type
Documentation

Here is a quick look at the common purecert commands used to manage the VASA certificate. We will then look at some use cases for managing the VASA certificate with purecert. For more info on using CLI, see Purity//FA Admin and CLI Reference Guides.

purecert list

Using purecert list will help show what certificates are currently in use for both the management certificates and VASA certificates. Let's look at some examples of different certificates listed with purecert list.

  • Here is an example of imported CA signed certificates for VASA-CT0 and VASA-CT1 in use on the FlashArray:
    
    purecert list
    Name        Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization  Organizational Unit    Email                                   Common Name
    management  imported  2048      10.21.88.112  Sub-CA     2019-09-26 12:45:28 PDT  2021-09-25 12:45:28 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  administrator@sso.alex.purestorage.com  10.21.88.112
    vasa-ct0    imported  2048      10.21.88.113  CA         2019-08-09 14:08:52 PDT  2021-08-08 14:08:52 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  -                                       10.21.88.113
    vasa-ct1    imported  2048      10.21.88.114  CA         2019-08-09 14:09:17 PDT  2021-08-08 14:09:17 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  -                                       10.21.88.114
    
  • Here is an example of local self signed certificates for VASA-CT0 and VASA-CT1 on the FlashArray:
    
    purecert list
    Name        Status       Key Size  Issued To     Issued By     Valid From               Valid To                 Country  State/Province  Locality       Organization  Organizational Unit    Email                                   Common Name
    management  imported     2048      10.21.88.112  Sub-CA        2019-09-26 12:45:28 PDT  2021-09-25 12:45:28 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  administrator@sso.alex.purestorage.com  10.21.88.112
    vasa-ct0    self-signed  4096      10.21.88.113  10.21.88.113  2019-10-28 07:37:42 PDT  2029-10-25 07:37:42 PDT  US       California      Mountain View  Pure Storage  Pure Storage           -                                       10.21.88.113
    vasa-ct1    self-signed  4096      10.21.88.114  10.21.88.114  2019-10-28 07:37:59 PDT  2029-10-25 07:37:59 PDT  US       California      Mountain View  Pure Storage  Pure Storage           -                                       10.21.88.114
    
  • Then here is an example of VMCA signed certificates in use for VASA-CT0 and VASA-CT1 on the FlashArray:
    
    purecert list
    Name        Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization  Organizational Unit    Email                                   Common Name
    management  imported  2048      10.21.88.112  Sub-CA     2019-09-26 12:45:28 PDT  2021-09-25 12:45:28 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  administrator@sso.alex.purestorage.com  10.21.88.112
    vasa-ct0    imported  2048      10.21.88.113  CA         2019-10-27 07:39:49 PDT  2020-10-27 07:39:49 PDT  US       -               -              Pure Storage  Pure Storage           -                                       10.21.88.113
    vasa-ct1    imported  2048      10.21.88.114  CA         2019-10-27 07:50:06 PDT  2020-10-27 07:50:06 PDT  US       -               -              Pure Storage  Pure Storage           -                                       10.21.88.114

Using purecert list allows you to quickly look at the certificates currently in used on the FlashArray. You can also use --certificate with purecert list to show the certificate itself should you want to inspect it:


purecert list --certificate vasa-ct0
-----BEGIN CERTIFICATE-----
MIIEBzCCAu+gAwIBAgIJAO8DQ2CZ/J4OMA0GCSqGSIb3DQEBCwUAMIGoMQswCQYDVQQDDAJDQTEX
MBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDELMAkGA1UEBhMC
VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExKjAoBgNVBAoMIXN0YWdpbmctdmNzYS5hbGV4LnB1cmVz
dG9yYWdlLmNvbTEbMBkGA1UECwwSVk13YXJlIEVuZ2luZWVyaW5nMB4XDTE5MTAyNzE0Mzk0OVoX
DTIwMTAyNzE0Mzk0OVowUjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDFB1cmUgU3RvcmFnZTEVMBMG
A1UECxMMUHVyZSBTdG9yYWdlMRUwEwYDVQQDEwwxMC4yMS44OC4xMTMwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCo26bbs43ZgAEqOD17j5F1P1Q+5lNZUmTaADxaXQkgyVx8LAI+Ldwm
12dIO+4auHzRCqa54Hzv9cNtUH/46wMQA2t1y4LvDAB1/82J3jdSoze2TjfLKXkrsKP/i63B8L6s
H4iYn7ZgvdtlCzw6eKLLX+jQM/JVYxU0wPc31PxR7DNt+dzHCelShbXwckJTrggh8jXJGLitAqXA
JurDz/4kS9lGzKsV5Qy9eSsQGftcmzaQkIpfAfXLGDy3ja0A/psttzPB5t4pfqo2eI0/iVZ4Oetr
1Qs5qzBPh60/5kAycX9Of7GY7B4nfqQJsKRSDH1QjtCt+FPaN3hT5H+xTz5tAgMBAAGjgYgwgYUw
DwYDVR0RBAgwBocEChVYcTAfBgNVHSMEGDAWgBQl8TMF+lV/HZgGvz9oV0wkZSHaLzBRBggrBgEF
BQcBAQRFMEMwQQYIKwYBBQUHMAKGNWh0dHBzOi8vc3RhZ2luZy12Y3NhLmFsZXgucHVyZXN0b3Jh
Z2UuY29tL2FmZC92ZWNzL2NhMA0GCSqGSIb3DQEBCwUAA4IBAQBVl5fY7ogjxAUeH4cTGRMOEcHZ
4kxXc08+MBznq63I9Gw2IWfGj08UP4KJsQUwZ7WwFcFJmOAFdlk/uVK9QzRLfQPq2Iz+AGpYiXs3
k4NkoSWnk18YbYFaw9ItVgsor5XwoIVwhQvOypOivBXZGfDgORFWXXJYIzhbTWWO3bIxaqu+AexW
ddNWYdHFvCP9Kn4yWWOdpuW+7Pi1nUKk1cqBBcbn7lftHWd6la7VRYg4/Y9w69jlgvo4TDIzI/r4
oe+rbh92/Z5MKuDD3rCf8Qw7jtyte7PR6hoPrfda2FMwXi0X8XX2UNjp64jwOM9HnWs/JGne1ARW
OIJ6MteEwmwu
-----END CERTIFICATE-----

purecert delete

Note:

If you are deleting VASA certs for the purpose of not receiving further certificate expiration alerts without an active vVols deployment in your environment, deleting the certificates alone might not be sufficient. Please follow 1-3 of the Resetting the VASA Certificates with purecert section below.

In the event that you need to re-create the certificate for vasa-ct0 or vasa-ct1, you will first need to delete the certificate in use.

Delete the certificate in use:


# purecert list
Name        Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization  Organizational Unit    Email                                   Common Name
management  imported  2048      10.21.88.112  Sub-CA     2019-09-26 12:45:28 PDT  2021-09-25 12:45:28 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  administrator@sso.alex.purestorage.com  10.21.88.112
vasa-ct0    imported  2048      10.21.88.113  CA         2019-08-09 14:08:52 PDT  2021-08-08 14:08:52 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  -                                       10.21.88.113
vasa-ct1    imported  2048      10.21.88.114  CA         2019-08-09 14:09:17 PDT  2021-08-08 14:09:17 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  -                                       10.21.88.114

# purecert delete vasa-ct0
Name
vasa-ct0

# purecert delete vasa-ct1
Name
vasa-ct1

# purecert list
Name        Status    Key Size  Issued To     Issued By  Valid From               Valid To                 Country  State/Province  Locality       Organization  Organizational Unit    Email                                   Common Name
management  imported  2048      10.21.88.112  Sub-CA     2019-09-26 12:45:28 PDT  2021-09-25 12:45:28 PDT  US       California      Mountain View  Pure Storage  Solutions Engineering  administrator@sso.alex.purestorage.com  10.21.88.112

The only time that purecert delete should need to be used is in the event that you need to generate a new self-signed certificate for vasa-ct0 and vasa-ct1. Otherwise, you can import a signed certificate or self signed certificate with purecert as well.

purecert create

With purecert create, you will have the ability to create both self signed certificates as well as Certificate Signing Requests (CSRs). One thing to note about the CSR is that currently Everpure does not support creating CSRs with custom Subject Alternative Name (SAN) entries. This means that the CA that is signing the request will need to have the ability to have SAN entries provided as part of issuing the certificate.

Note:

Please note that the common name should be the IP address for CT0.ETH0 for VASA-CT0 and the IP Address for CT1.ETH0 for VASA-CT1. There are instances where you may want to use the IP address for CT0.ETH1 for VASA-CT0 or the IP address for CT1.ETH1 for VASA-CT1. This can be done as well. The IP addresses can be found by running a "purenetwork list".

Here is an example of creating new self signed certificates for vasa-ct0 and vasa-ct1:


# purecert create --common-name 10.21.88.113 --country US --self-signed --key-size 4096 --locality 'Mountain View' --organization 'Pure Storage' --organizational-unit 'Pure Storage' --state California vasa-ct0
Name      Status       Key Size  Issued To     Issued By     Valid From               Valid To                 Country  State/Province  Locality       Organization  Organizational Unit  Email  Common Name
vasa-ct0  self-signed  4096      10.21.88.113  10.21.88.113  2019-10-28 07:37:42 PDT  2029-10-25 07:37:42 PDT  US       California      Mountain View  Pure Storage  Pure Storage         -      10.21.88.113

# purecert create --common-name 10.21.88.114 --country US --self-signed --key-size 4096 --locality 'Mountain View' --organization 'Pure Storage' --organizational-unit 'Pure Storage' --state California vasa-ct1
Name      Status       Key Size  Issued To     Issued By     Valid From               Valid To                 Country  State/Province  Locality       Organization  Organizational Unit  Email  Common Name
vasa-ct1  self-signed  4096      10.21.88.114  10.21.88.114  2019-10-28 07:37:59 PDT  2029-10-25 07:37:59 PDT  US       California      Mountain View  Pure Storage  Pure Storage         -      10.21.88.114

The reason to do this for vasa-ct0 and vasa-ct1 would be in the case that previous certificate is in question or a bad format that is causing vCenter to fail registering the storage providers. To rule out the current certificate you would delete the existing certificate, generate a self signed cert with the Organization and Organizational unit set to 'Everpure', and then re-register the storage providers in the desired vCenter Server.