Changing IP address of Unity already registered as VASA storage provider.
Changing vCenter in Unity for which Unity acts as VASA storage provider.
Following the certificate renewal on vCenter, when trying to setup the VASA storage provider once again, the following error is reported on the Storage side:
Failed: The imported certificate cannot be save. (Error Code:0x600944)
Rollback Result: Task was rolled back and marked as failed. This is because some tasks failed or SP rebooted during task execution. (Error Code:0x100a)
When trying to register Unity as VASA storage provider, the following error is received:
The "Register new storage provider" operation failed for the entity with the following error message.
The provider certificate is invalid. It is either empty, malformed, expired, not yet valid, revoked, or fails host name verification.
Below is the procedure to get new certificates generated from Unity so that it can be added as VASA storage provider from vSphere:
- Log in to Unity CLI (use service account).
- View existing certificates on Unity for VASA using below command:
uemcli -u local/admin -p <password of Unity admin account> /sys/cert show -detail
service@Unity spa:~/user# uemcli -u admin -securepassword /sys/cert show -detail
1: ID = vasa_http-vc1-cacert-1
Type = CA
Service = VASA_HTTP
Scope =
Certificate ID = vasa_http-vc1-cacert-1
Trust anchor = Yes
Version = 3
Serial number = XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm = SHA256WithRSAEncryption
Issuer name = OU=VMware Engineering,O=photon-machine,ST=California,C=US,DC=local,DC=vsphere,CN=CA
Valid from = 2019-09-23 12:15:08
Valid to = 2029-09-20 12:15:08
Subject name = OU=VMware Engineering,O=photon-machine,ST=California,C=US,DC=local,DC=vsphere,CN=CA
Subject alternative name = email:example@vmware.com, IP Address:127.0.0.1
Public key algorithm = RSA
Key length = 2048
Thumbprint algorithm = SHA1
Thumbprint = XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Private key available = No
2: ID = vasa_http-vc1-servercert-1
Type = Server
Service = VASA_HTTP
Scope =
Certificate ID = vasa_http-vc1-servercert-1
Trust anchor = Yes
Version = 3
Serial number =XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm = SHA256WithRSAEncryption
Issuer name = OU=VMware Engineering,O=photon-machine,ST=California,C=US,DC=local,DC=vsphere,CN=CA
Valid from = 2021-02-24 08:59:13
Valid to = 2022-02-25 08:59:13
Subject name = CN=EMC VASA Vendor Provider
Subject alternative name = IP Address:10.xx.xx.xx <<<<< Unity Management IP will be present here.
Public key algorithm = RSA
Key length = 2048
Thumbprint algorithm = SHA1
Thumbprint = XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Private key available = Yes
- Delete all the present certificates one by one using below command:
uemcli -u local/admin -p <password of Unity admin account> /sys/cert -id <value> delete
service@Unity spa:~/user# uemcli -u admin -securepassword /sys/cert -id vasa_http-vc1-servercert-1 delete
Operation completed successfully.
Note: There should be one default cert on the Unity that cannot be deleted. When trying to delete it, you would encounter the below error. This error can be safely ignored:
service@Unity spa:~/user# uemcli -u admin -securepassword /sys/cert -id vasa_http-vc1-servercert-1 delete
Operation failed. Error code: 0x6000940
The certificate does not exist. (Error Code:0x6000940)
- Add Unity as VASA storage provider on vSphere.
Additional Notes:
There is an exception that when the certificate is expired, and after you delete the vasa_http-vc1-servercert-1 on Unity, the default certificate "valid to" will go back to 1970-01-01.This may prevent from re-registering the storage provider by returning certificate error.
In some instances, when trying to renew the connection after renewing the certificate on the Unity and vCenter, and confirming that valid certificates are valid and present on both services, the system may still fail to update the VASA connectivity. vCenter may indicate that it is unable to import the certificate from the Unity array.
If you experience one of these issues, contact Dell Technical Support or your Service Provider and quote this Knowledgebase article as reference.
Example of above procedure:
log in as: service
View existing certificates
uemcli -d 10.xx.xxx.xx -u local/admin -p XXX /sys/cert -service VASA_HTTP show -detail
Storage system address: 10.xx.xxx.xx
Storage system port: 443
HTTPS connection
1: Type = CA
Service = VASA_HTTP
Scope =
Certificate ID = vasa_http-vc1-cacert-2
Trust anchor = Yes
Version = 3
Serial number = XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm = SHA256WithRSAEncryption
Issuer name = XXXXX
Valid from = 2016-09-19 12:04:02
Valid to = 2026-09-17 12:04:02
Subject name = XXXX
Subject alternative name = XXXX, IP Address:120.x.x.x
Public key algorithm = RSA
Key length = 2048
Thumbprint algorithm = SHA1
Thumbprint = XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Private key available = No
2: Type = Server
Service = VASA_HTTP
Scope =
Certificate ID = vasa_http-vc1-servercert-1
Trust anchor = No
Version = 3
Serial number = XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm = SHA256WithRSAEncryption
Issuer name = XXXX
Valid from = 2016-09-21 13:13:35
Valid to = 1970-01-01 00:00:00 >>>>>>>>>>>>>> this might prevent from adding storage provider from vsphere because the certificate is invalid
Subject name =
Subject alternative name =
Public key algorithm = RSA
Key length = 2048
Thumbprint algorithm = SHA1
Thumbprint =
Private key available = Yes
- Delete first certificate:
uemcli -d 10.xx.xxx.xx -u local/admin -p XXX /sys/cert -id vasa_http-vc1-cacert-2 delete
- Register Unity as VASA Storage provider from vSphere:
- In the vSphere Web Client home screen, click vCenter
- In the Inventory Lists, click vCenter Servers
- Select the vCenter Server in the left pane.
- Click the Manage tab in the right pane.
- Click Storage Provider in the right pane.
- Click on the green plus.