"Certificate Expired" message when trying to renew a VASA Provider

Article ID: 409092

Updated On:

Products

VMware vCenter Server

Issue/Introduction

A "Certificate Expired" error message is encountered within the VMware vCenter Server user interface when attempting to manage or renew a vSphere APIs for Storage Awareness (VASA) Provider.

Specifically, when the VASA Provider is already in an expired state, selecting the "Refresh Certificate" option fails to process the renewal and immediately returns a "Certificate expired" exception.

Environment

  • VMware vCenter Server 7.x 
  • VMware vCenter Server 8.x 



Cause

Once a VASA storage provider certificate reaches its expiration date, the mutual trust established between the vCenter Server and the storage array is broken. Because the existing connection is no longer trusted, the VMware Certificate Authority (VMCA) is incapable of pushing a new certificate to the endpoint. Consequently, vCenter cannot automate the renewal process from its side, and the certificate must be manually removed or regenerated directly on the storage array infrastructure.

Resolution

Although the original certificate was provisioned and signed by the VMCA, native vCenter renewal capabilities cannot bypass the expired trust state. The following procedure must be executed to restore VASA provider functionality:

  1. Create an offline snapshot or a file-based backup of the vCenter Server appliance prior to initiating any configuration changes.
  2. Navigate to the Storage Providers section in vCenter and record the exact VASA Provider URL currently associated with the expired certificate.
  3. Consult the respective storage vendor's documentation or support channels to remove the expired VMCA-signed certificate from the storage array. The array must be reconfigured to present its default or self-signed certificate.
  4. Specific procedures vary by manufacturer. For example, Dell provides dedicated documentation (e.g., KB 000190731) detailing the certificate reset process for PowerStore arrays.
  5. Confirm that the storage system has successfully reverted to a default or self-signed certificate. To validate this, open the VASA Provider URL recorded in Step 2 in a secure web browser, or use a command-line tool such as wget or openssl s_client to inspect the newly presented certificate chain.
  6. Once the new self-signed certificate is verified on the storage array, return to the vCenter Server user interface and add the VASA Provider back into the Storage Providers configuration.

This action forces a fresh registration, prompting the VMCA to issue a new, valid certificate to re-establish secure communications with the array.
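The check in Step 5 can be scripted with openssl s_client. The following is an added example, not VMware or storage-vendor code: the function names, the script name and the URL in the comment are constructed placeholders, and "self-signed" is decided by comparing the certificate's subject and issuer.

```shell
#!/bin/sh
# Added example, not vendor or VMware code. Requires the openssl CLI.

# Reduce a VASA Provider URL to the host:port that openssl s_client expects.
vasa_endpoint() {
    hostport=${1#*://}          # drop the scheme
    hostport=${hostport%%/*}    # drop the path
    case $hostport in
        *:*) printf '%s\n' "$hostport" ;;
        *)   printf '%s:443\n' "$hostport" ;;   # https default port
    esac
}

# Save the leaf certificate the endpoint presents. s_client does not abort on
# an untrusted chain, so a self-signed certificate is still captured.
fetch_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print one of: unreadable, expired, self-signed, ca-signed.
classify_cert() {
    pem=$1
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 0
    fi
    # Subject equal to issuer means the array is presenting a self-issued cert.
    subject=$(openssl x509 -in "$pem" -noout -subject_hash)
    issuer=$(openssl x509 -in "$pem" -noout -issuer_hash)
    if [ "$subject" = "$issuer" ]; then echo self-signed; else echo ca-signed; fi
}

# Runs only when VASA_URL is set, e.g. (constructed placeholder URL):
#   VASA_URL=https://array.example.com:8443/vasa/version.xml sh check_vasa_cert.sh
if [ -n "${VASA_URL:-}" ]; then
    tmp=$(mktemp)
    fetch_cert "$(vasa_endpoint "$VASA_URL")" >"$tmp"
    openssl x509 -in "$tmp" -noout -subject -issuer -dates
    echo "result: $(classify_cert "$tmp")"
    rm -f "$tmp"
fi
```

A result of self-signed matches what Step 5 expects before the provider is re-added in Step 6. A result of expired or ca-signed indicates the array is still presenting a certificate that was not reset.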

Additional Information