NVP-vProxy: Registration Fails Due To Negative Integer Certificate

A newly deployed or upgraded vProxy fails to register with the NetWorker server.
Connections from the NetWorker server to port 9090 on the vProxy fail: nsrports -t vPROXY_HOSTNAME -p 9090
The vProxy REST API /opt/emc/vproxy/runtime/logs/vrapid/vrapid-engine.log shows:

2026-05-21T08:35:22Z INFO:   Setting up REST endpoints ...
2026-05-21T08:35:22Z INFO:   Checking if certificate and private key were provided during deployment phase.
2026-05-21T08:35:22Z INFO:   Certificate and private-key were not provided during deployment, proceeding as normal.
2026-05-21T08:35:22Z TRACE:  Setting up session REST endpoints.
2026-05-21T08:35:22Z INFO:   Listen on interface 0.0.0.0 port 9090
2026-05-21T08:35:22Z TRACE:  Using '/opt/emc/vproxy/runtime/trust/vproxyCert.pem' as the certificate.
2026-05-21T08:35:22Z TRACE:  Using '/opt/emc/vproxy/runtime/trust/vproxyKey.pem' as the key.
2026-05-21T08:35:22Z ERROR:  Unable to listen and serve REST requests: x509: negative serial number 
2026-05-21T08:35:22Z NOTICE: The REST server will automatically reset.
2026-05-21T08:35:22Z NOTICE: Please re-register the vProxy to the application server.
2026-05-21T08:35:22Z INFO:   The state of the vProxy is: MAINTENANCE
2026-05-21T08:35:22Z TRACE:  Changing state from MAINTENANCE to RESET
2026/05/21 09:35:22 Writing state RESET to /opt/emc/vproxy/runtime/state/vProxyState.dat

The TLS certificate that vrapid is trying to use is invalid (negative serial number), causing the vrapid service startup to fail. Without vrapid and valid TLS certificate, the registration cannot succeed.
This is unexpected behavior and the cause for why the certificate was generated with a negative serial number is not known.

Workaround:

1. Delete the vProxy from the NMC (if it exists). If the vProxy is not currently added to NetWorker, move on to the next step.
2. Open an SSH session to the vProxy, log in as admin, then switch to root: sudo su -
3. Ensure that the vrapid is stopped:

systemctl stop vrapid
systemctl status vrapid

3. Rename or remove the vProxies self-signed certificate:

mv /opt/emc/vproxy/runtime/trust/$(hostname -f).CA*.pem ~/
mv /opt/emc/vproxy/runtime/trust/$(hostname).CA*.pem ~/
mv /opt/emc/vproxy/runtime/trust/vproxy*.pem ~/

4. Re-create the vProxy certificate with a positive serial number:

openssl req -x509 -newkey rsa:3072 -keyout /opt/emc/vproxy/runtime/trust/vproxyKey.pem -out /opt/emc/vproxy/runtime/trust/vproxyCert.pem -days 3650 -nodes -subj "/CN=$(hostname -f)" -set_serial 0x01

5. Create a copy of the vProxyState.dat file:

cp /opt/emc/vproxy/runtime/state/vProxyState.dat /opt/emc/vproxy/runtime/state/vProxyState.dat_$(date -I)

6. Create a copy of the vProxyRegistry.dat file:

cp /opt/emc/vproxy/runtime/state/vProxyRegistry.dat /opt/emc/vproxy/runtime/state/vProxyRegistry.dat_$(date -I)

7. Force the vProxy into an unregistered state: 

echo UNREGISTERED > /opt/emc/vproxy/runtime/state/vProxyState.dat

8. Remove the NetWorker server from the vProxyRegistry.dat file:

sed -i 's/"BackupServerName":"[^"]*"/"BackupServerName":""/' /opt/emc/vproxy/runtime/state/vProxyRegistry.dat

9. Start the vrapid service: 

systemctl start vrapid
systemctl status vrapid

10. From the NetWorker Management Console (NMC) or NetWorker Web User Interface (NWUI) add the vProxy back to the NetWorker server.
11. Monitor the Log window or NetWorker server daemon.raw for successful vProxy registration:

• Linux: /nsr/logs/daemon.raw
• Windows (Default): C:\Program Files\EMC NetWorker\nsr\logs\daemon.raw
• NetWorker: How to use nsr_render_log to render .raw log files

• NVP vProxy: How To Unregister/Re-Register a vProxy Appliance
• NVP vProxy: Troubleshooting Network Connectivity For Backup and Restore Operations