vasa certs - can they just be removed?
Can someone shed some light on this as it seems overly complex (or at least the docs weave an incorrect thread). Just trying to make sense of whether the VASA certs are or aren't needed for anything...
Forum Discussion
alex_carver passed this along to me
Quick answer: Yes you can delete the VASA certs safely if vVols is no longer in use on the array. You probably want to reset the cert after deleting the current one so you don't get the vasa alert/warning.
Longer answer: There are a couple parts to this. The first part is that the vasa service runs on the array as part of Purity. There are default certs for both ct0 and ct1 that are there when Purity starts up for the first time. You won't see those certs show up in purecert though until storage providers are registered for the first time. However, if you stop using vVols on the array these certs stick around. Then if they aren't default certs anymore than VASA can't reset them. Which you end up getting that alert/warning hitting.
What should be the workflow if you are no longer using vVols then? First check to see what certs you have in use with "purecert list"
Here you can see that vVols is still being used in this example. So I would need to log into each of these vCenters and check if the storage providers are registered, if vVols DS are there, etc. If I check all of the vCenters and none of them are using vVols, then I can start cleaning it up.
In order to start deleting the certs I'll need to unlink the certs from "purevchost certificate list" and I can unlink them with "purevchost certificate remove" (I think that's the right syntax). Then I can clean up the vchosts (vcenter objects) and then delete the vasa certs with "purecert"
I would recommend resetting the vasa-ct0 and vasa-ct1 certs after deleting all of the existing ones. That way VASA can renew the default certs and you don't get those alarm/warnings triggering. The syntax should be "purecert self-signed create ... vasa-ct0" and then use the right flags for the cert. Then from that point forward you don't need to think about vasa or vasa certs. Now, you can still use vVols in the future by registering the storage providers, creating the vVol DS, etc. Maybe use it as a way to accelerate migrations to different platforms...
