Alert "The certificate of the vVol VASA Provider registered to vCenter has expired or is nearing expiration" in VMware Cloud Foundation Operations

Article ID: 439686

Updated On:

Products

VCF Operations

Issue/Introduction

In the VMware Cloud Foundation (VCF) Operations (OPS) UI, an alert is triggered indicating that the certificate of a vVol VASA Provider registered to vCenter (SPS/SMS) is nearing expiration or has already expired.
If the certificate is allowed to expire, communication between vCenter and the VASA Provider will fail. This disrupts storage functionality and renders vVol datastores unusable for any storage provisioning operations.


Environment

VMware vSphere 8.x / 9.x
VMware Cloud Foundation (VCF) 5.x / 9.x
vSphere Virtual Volumes (vVols)

Cause

When a VASA Provider (VP) is registered to vCenter (SMS), certificate management depends on the retainVasaProviderCertificate flag:

  • When set to False: vSphere Storage Policy Based Management (SPS) provisions a VMCA-signed certificate and handles auto-renewal. SPS automatically attempts to renew the VP certificate well before it expires (as soon as it reaches its internal soft limit). No alerts are generated during this initial automated renewal phase.
  • When set to True: The VASA Provider manages its own certificate. SPS stores the certificate (if self-signed) to establish trust, but does not handle its lifecycle or auto-renewal.

An alert is triggered when a VP certificate enters the "near expiry" window (defaulting to 30 days prior to expiration) or has already expired, regardless of the retainVasaProviderCertificate setting.

Administrator intervention is required to resolve the alert in two scenarios:

  • The VASA Provider manages its own certificate (retainVasaProviderCertificate = True), meaning SPS cannot auto-renew it.
  • vCenter manages the certificate (retainVasaProviderCertificate = False), but the automated renewal process encountered an unexpected issue and failed, pushing the certificate into the 30-day "near expiry" alert window.

Resolution

The resolution steps depend on how the VASA Provider certificate is managed.

Scenario A: The VASA Provider manages its own certificate (retainVasaProviderCertificate = True)

  • First, consult your respective storage vendor's documentation or support channels to renew the VASA Provider certificate on the storage array side. Once renewed on the array, follow the steps below based on the type of certificate used.
  • If the VP uses a Self-Signed Certificate:
    • Once the new self-signed certificate is renewed and verified on the storage array, return to the vCenter Server user interface.
    • Remove the VASA Provider from the Storage Providers configuration, and then re-add it to establish trust with the new self-signed certificate.
  • If the VP uses a Third-Party CA-Signed Certificate:
    • If nearing expiry: No immediate vCenter action is strictly required after renewing on the array, but see the note on false positives below.
    • If already expired: Authentication between vCenter (SMS) and the VASA Provider is broken. You must explicitly fix this by using the "Re-authenticate vCenter" option in the VASA Provider UI.
    • Note on False Positives: SPS updates the provider certificate on its side via a background thread that runs once a day by default. After you update the certificate on the storage array, the VCF OPS UI may continue to show the alert until this background sync occurs. Once SPS fetches and persists the latest certificate, the false-positive alerts will stop. Using the "Re-authenticate vCenter" option forces vCenter to fetch and update the VP certificate immediately (which is mandatory if the certificate has already expired).


Scenario B: vCenter manages the certificate (retainVasaProviderCertificate = False)

  • If nearing expiry: Use the "Refresh certificate" option in the VASA Provider UI to manually trigger the renewal. If the "Refresh certificate" operation fails, use the "Re-authenticate vCenter" option.
  • If already expired: Use the "Re-authenticate vCenter" option in the VASA Provider UI to restore trust and generate a new certificate.
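
The alert condition from the Cause section and the scenario split above can be checked offline against an inventory of provider certificates. The following triage script is an added example, not VMware or Broadcom code. It assumes you have already recorded each provider's retainVasaProviderCertificate value, whether its certificate is self-signed, and its notAfter date in the format OpenSSL prints; the record layout, function names and sample data are hypothetical.

```python
import ssl
from datetime import datetime, timezone

NEAR_EXPIRY_DAYS = 30  # default "near expiry" window stated in the article

def classify(not_after, now, window_days=NEAR_EXPIRY_DAYS):
    """Classify an OpenSSL-style notAfter value; returns (state, whole_days_left)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    seconds_left = (expires - now).total_seconds()
    days_left = int(seconds_left // 86400)  # negative once expired
    if seconds_left <= 0:
        return "expired", days_left
    # Assumption: a certificate exactly window_days from expiry counts as inside the window.
    if seconds_left <= window_days * 86400:
        return "near_expiry", days_left
    return "ok", days_left

def next_step(state, retain, self_signed):
    """Map certificate state and ownership to the action the article prescribes."""
    if state == "ok":
        return "none"
    if retain:  # Scenario A: the VASA Provider owns the certificate
        if self_signed:
            return "renew on array, then remove and re-add the provider in vCenter"
        if state == "expired":
            return "renew on array, then Re-authenticate vCenter"
        return "renew on array; alert clears after the daily SPS sync"
    # Scenario B: vCenter (SPS) owns the certificate
    if state == "expired":
        return "Re-authenticate vCenter"
    return "Refresh certificate; if that fails, Re-authenticate vCenter"

def triage(providers, now):
    """Return one (name, state, days_left, action) row per provider record."""
    rows = []
    for p in providers:
        state, days = classify(p["not_after"], now)
        rows.append((p["name"], state, days, next_step(state, p["retain"], p["self_signed"])))
    return rows

# Constructed inventory: names, flags and dates are sample values, not real providers.
SAMPLE = [
    {"name": "array-a", "retain": True,  "self_signed": True,  "not_after": "Mar 10 00:00:00 2025 GMT"},
    {"name": "array-b", "retain": True,  "self_signed": False, "not_after": "Feb 20 12:00:00 2025 GMT"},
    {"name": "array-c", "retain": False, "self_signed": False, "not_after": "Mar 25 00:00:00 2025 GMT"},
    {"name": "array-d", "retain": False, "self_signed": False, "not_after": "Dec 31 23:59:59 2025 GMT"},
]
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed clock so the result is reproducible

if __name__ == "__main__":
    for row in triage(SAMPLE, SAMPLE_NOW):
        print(*row, sep=" | ")
```

Passing a smaller `window_days` to `classify` surfaces only the certificates that need attention soonest.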