VxRail: VxRail Manager SSL Certificate May Be Replaced After Enabling vSphere Lifecycle Manager
Summary: In VxRail version 8.0.300 to 8.0.331, during Day1 vLCM enablement, the VxRail manager certificate will be replaced by a VMCA-issued one. Later, if the vCenter root CA certificate changes, the vCenter and VxRail manager may no longer trust each other's certificates, causing cluster upgrade failure. ...
Symptoms
In VxRail version 8.0.300 to 8.0.331, during Day1 vLCM enablement, the VxRail Manager certificate is replaced by a VMCA-issued one. This replacement cannot be reverted to a self-signed certificate via the VxRail plugin UI.
Later, if the vCenter root CA certificate changes, vCenter and VxRail Manager may no longer trust each other's certificates, causing cluster upgrade failure. Follow the instructions in this KB to replace the VxRail Manager certificate with a self-signed certificate and import it into the vCenter trust store.
Note: This KB applies only to standard VxRail clusters. DO NOT use it in a VCF on VxRail environment.
Cause
If the VxRail Manager certificate is self-signed, the cluster upgrade process automatically refreshes the VxRail Manager and vCenter trust stores with their current certificates, so that the two continue to trust each other.
If the VxRail Manager certificate is VMCA-signed, however, the cluster upgrade process does not force it back to self-signed and does not refresh the trust stores. If the vCenter root CA certificate is then changed, vCenter and VxRail Manager no longer trust each other's certificates, and the cluster upgrade fails.
Resolution
Revert the VxRail Manager certificate to a self-signed one and import the updated vCenter root CA certificate into the VxRail Manager trust store.
1. Log in to VxRail Manager.
2. Run the following commands:
#cd /mystic/ssl
#mcp_python cert_util.py --regencert
#mcp_python cert_util.py
Note:
- You will be prompted to enter the vCenter administrator credentials and, if vLCM is enabled, the root account credentials.
- The "--regencert" option first generates a self-signed VxRail Manager certificate, then uploads the new VxRail Manager certificate into the vCenter trust store.
- The "cert_util.py" command without any parameter imports the vCenter root CA certificate into the VxRail Manager trust store.
- After these two commands, vCenter and VxRail Manager trust each other again with their updated certificates.
Additional Information
How to check whether the VxRail Manager certificate is self-signed
SSH to VxRail Manager and run:
#openssl s_client -showcerts -connect localhost:443 < /dev/null 2>/dev/null |grep 'issuer=' | awk -F'issuer=' '{print $2}'
#openssl s_client -showcerts -connect localhost:443 < /dev/null 2>/dev/null |grep 'subject=' | awk -F'subject=' '{print $2}'
Compare the two outputs. If the issuer and the subject are identical, the certificate is self-signed.
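The issuer/subject comparison above can be scripted and made a little stricter: a certificate whose issuer equals its subject is only truly self-signed if its signature also verifies against its own public key. The script below is an added example, not part of the Dell KB or of VxRail's cert_util.py. It assumes only the openssl command-line tool. The certificates it uses are constructed locally (a self-signed one standing for the state the KB restores, and a leaf signed by a test CA standing for the VMCA-issued state), so it runs offline; the function is_endpoint_self_signed reproduces the KB's s_client check against a live host and is the one you would point at localhost:443 on VxRail Manager.

```shell
#!/bin/sh
# Added example (not from the Dell KB): decide whether a PEM certificate is
# self-signed, and whether a given trust store still trusts it.
set -eu

# Issuer DN of a PEM certificate, RFC 2253 form, "issuer=" prefix stripped.
cert_issuer() {
  openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//'
}

# Subject DN of a PEM certificate, RFC 2253 form, "subject=" prefix stripped.
cert_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

# Return 0 if the certificate in $1 is self-signed.
# First the KB's check (issuer DN equals subject DN), then a signature check:
# the certificate must verify with itself as the only trust anchor.
is_self_signed() {
  [ "$(cert_issuer "$1")" = "$(cert_subject "$1")" ] || return 1
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$1" >/dev/null 2>&1
}

# Return 0 if the certificate in $2 chains to a root in the PEM bundle $1.
# This is the relation that breaks when one side's root CA is rotated while
# the other side still holds the old root in its trust store.
is_trusted_by() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Fetch the leaf certificate an HTTPS endpoint presents and test it,
# e.g. is_endpoint_self_signed localhost 443 (mirrors the KB's s_client check).
is_endpoint_self_signed() {
  tmp=$(mktemp)
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$tmp"
  if is_self_signed "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# Constructed test data written into directory $1:
#   self.pem  self-signed certificate (the state the KB restores)
#   ca.pem    a test root CA standing in for VMCA
#   leaf.pem  certificate issued by ca.pem (the VMCA-issued state)
make_test_certs() {
  dir="$1"
  # Minimal req config so the script does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' \
    >"$dir/req.cnf"
  openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/self.key" -out "$dir/self.pem" \
    -subj "/CN=vxrail-manager.example.test" >/dev/null 2>&1
  openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Test Root CA" >/dev/null 2>&1
  openssl req -config "$dir/req.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=vxrail-manager.example.test" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Stand-alone demo: ./check_selfsigned.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_test_certs "$d"
  for f in self.pem leaf.pem; do
    if is_self_signed "$d/$f"; then echo "$f: self-signed"; else echo "$f: CA-issued"; fi
  done
  rm -rf "$d"
fi
```

Run it with the demo argument to see both outcomes on the constructed certificates. Note that is_trusted_by is the check that matters in the Cause section: after a vCenter root CA rotation, a VMCA-issued VxRail Manager certificate verifies against the new vCenter roots only if the trust stores were refreshed.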
Impacted Versions:
- In VxRail version 8.0.300 to 8.0.331, during Day1 vLCM enablement the VxRail Manager certificate may be replaced by a VMCA-issued one.
- Versions prior to 8.0.300 are not affected, because enabling vLCM during Day1 is not available there.
- Starting from version 8.0.360, enabling vLCM on Day 1 no longer triggers automatic replacement of the certificate with a VMCA-issued one, so cluster upgrades do not hit this issue.