Dell VxRail: Non-vCenter CA certificate in VxRail manager trust store expires soon or is expired.

Open vCenter web page, navigate to VxRail Cluster > Configure > VxRail > Certificate > All Trust Store Certificates 
The page shows that some non-vCenter CA certificates are already expired or will expire in less than 60 days.

Some non-vCenter CA certificates in the VxRail Manager trust store have expired or will expire soon.

• Delete the expired or expiring certificates

1. Navigate to VxRail Cluster > Configure > VxRail > Certificate > All Trust Store Certificates, copy the File path and Fingerprint value of the expired or expiring certificates.

2. SSH to VxRail manager, switch to root user, run command "openssl x509 -in <Certificate file path> -noout -issuer" to check the certificate issuer, it helps to determine who issued this certificate and where you can renew it.
3. From your web browser, open VxRail embedded API tool

https://<VxRail_Manager_IP_address>/rest/vxm/api-doc.html

4. Go to certificates section > Delete the certificate file
5. Enter vSphere Username, vSphere Password, and enter the fingerprint of the certificate that you want to delete, then click Send Request.
For example:




6. Log in to the VxRail plug-in Certificate page again to confirm the expired/expiring certificates are deleted.

Note: If the VxRail plug-in Certificate page gives an error stating "The provided vCenter credentials are not valid" or "The VxRail Manager failed to connect to the vCenter over HTTPS. See KB000214474 for troubleshooting details", it should be due to the browser cookie for the vCenter session has expired or the cookie is cleared since you deleted the certificate. This is an expected behavior, there is no need to troubleshoot this error, please move onto the next step to import Certificates into the VxRail Manager trust store.

 

• Import the renewed certificate into VxRail manager trust store

1. According to the certificate issuer, renew the certificate from certain CA and copy the updated certificate to a Linux machine.
2. Run command "sed -z -e 's/\n/\\n/g' <certificate_file>" to get the certificate text format content, it should start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
3. From your web browser, open VxRail embedded API tool https://<VxRail_Manager_IP_address>/rest/vxm/api-doc.html
4. Go to certificates section > Import certificates into the VxRail Manager trust store.
5. Enter vSphere Username, vSphere Password, and the certificate contents in the request body and then click Send Request.
You can input multiple certificate contents in the request body with the below format:

{
  "certs" :[
    "<certificate content #1>",
    "<certificate content #2>",
    "<certificate content #n>"
  ]
}

For example:


6. Log in to the VxRail plug-in Certificate page again to confirm the certificates are updated.

VxRail 7.0.480 introduces this new feature to display all trust store certificates expiring status on the VxRail plug-in UI page.