VxRail: Requirements for VxRail Manager SSL Certificate in an mTLS Enabled Cluster

Summary: After mTLS is enabled, the VxRail Manager SSL certificate must meet new requirements.


Instructions

Users can replace the VxRail Manager SSL certificate through the VxRail plugin UI. The certificate must meet the requirements below to satisfy the VxRail security standard.

  1. The certificate must be X.509 version 3.
  2. SubjectAltName must contain DNS Name=machine_FQDN or IP=machine_IP (IP only for the Dimension case).
  3. Subject Key Identifier is required.
  4. The signature algorithm in the whole certificate chain should be SHA256 or better.
  5. It is suggested (not mandatory) to use a public Certificate Authority (CA) or Corporate CA to sign the VxRail manager certificate. If the vLCM feature is enabled, follow 000190239 to check if the VxRail manager certificate is replaced with a vCenter signed certificate.
  6. Starting from the VxRail 7.0.350 release, the SSL/TLS security of VxRail is enhanced, and a new "Enhanced Key Usage" requirement is added for the VxRail Manager SSL certificate. Follow the steps below to check the certificate's "Enhanced Key Usage":

On Windows: Change the certificate file extension to crt, then double-click the crt file and navigate to the "Details" page.

  1. Both of the following cases are considered compliant:
    1. There is no "Enhanced Key Usage" segment. For example:
       [Screenshot of certificate with no enhanced key usage]
    2. If there is an "Enhanced Key Usage" segment, then "Server Authentication" and "Client Authentication" must both be in the "Enhanced Key Usage" segment. For example:
       [Screenshot showing enhanced key usage enabled]

On Linux: Run the command: openssl x509 -in <target_cert> -noout -purpose

  1. Make sure both the "SSL client" and "SSL server" values are "Yes".
$ openssl x509 -in <target_cert> -noout -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
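
The other requirements in the list can be checked in one pass from the certificate's text dump. The script below is an added example, not Dell tooling or part of the original article; the function names, the sample dump and the name vxm.example.test are constructed for illustration.

```shell
# Added example, not Dell tooling. Checks items 1-4 and 6 of the list above
# against the dump printed by: openssl x509 -in <target_cert> -noout -text
# $1 is the SAN entry as openssl prints it: 'DNS:<fqdn>' or 'IP Address:<ip>'.
check_cert_text() {
    want_san=$1; text=$(cat); rc=0
    has() { printf '%s\n' "$text" | grep -Fq "$1"; }
    fail() { echo "FAIL: $1"; rc=1; }

    has 'Version: 3 (0x2)' || fail 'certificate is not X.509 version 3'
    has 'X509v3 Subject Key Identifier' || fail 'Subject Key Identifier is missing'

    # SAN entries are comma-separated on the line after the extension name.
    printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxiq "$want_san" ||
        fail "SubjectAltName does not contain $want_san"

    # Fail closed: every "Signature Algorithm" line must name SHA-256/384/512.
    # This covers one certificate only; repeat for each certificate in the chain.
    if printf '%s\n' "$text" | grep 'Signature Algorithm:' |
        grep -Eivq 'sha(256|384|512)'; then
        fail 'signature algorithm not recognised as SHA256 or better'
    fi

    # EKU may be absent; if present it needs both server and client auth.
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    if [ -n "$eku" ]; then
        case $eku in *'TLS Web Server Authentication'*) ;;
            *) fail 'Enhanced Key Usage lacks Server Authentication' ;; esac
        case $eku in *'TLS Web Client Authentication'*) ;;
            *) fail 'Enhanced Key Usage lacks Client Authentication' ;; esac
    fi
    return "$rc"
}

# Constructed sample dump (not from a real VxRail Manager): EKU has server auth only.
sample_dump() {
cat <<'EOF'
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
            X509v3 Subject Key Identifier:
                AA:BB:CC:DD
            X509v3 Subject Alternative Name:
                DNS:vxm.example.test, IP Address:192.0.2.10
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
EOF
}
sample_dump | check_cert_text 'DNS:vxm.example.test' || echo 'certificate is not compliant'
```

Against a real file, pipe the dump in directly: openssl x509 -in <target_cert> -noout -text | check_cert_text 'DNS:<machine_FQDN>'.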

 

Affected Products

VxRail, VxRail Appliance Series, VxRail Software
Article Properties
Article Number: 000194174
Article Type: How To
Last Modified: 08 Oct 2025
Version:  3