https://community.netapp.com/t5/VMware-Solutions-Discussions/VSC-6-0-SSL-Cert-replacement/m-p/119496#M8634 <P>Not sure where to file a case on this.</P><P>&nbsp;</P><P>There are no clear instructions on how to replace the self-signed SSL certificates in VSC, with CA-signed ones.&nbsp; I'm using VSC for vSphere 6.2P1, with a Linux-based VCSA and ESXi versions 6.0U2.&nbsp; Also, cDOT NAS datastores, running 8.2.4P2.<BR /><BR />The VSC manual, <A href="https://library.netapp.com/ecm/ecm_get_file/ECMLP2371569" target="_blank">https://library.netapp.com/ecm/ecm_get_file/ECMLP2371569</A> , page 49, says that the certificate must be signed with SHA1.<BR />With SHA1 being deprecated, this is a bug that VSC should be addressing SOON.<BR /><BR />If you use <A href="https://kb.netapp.com/support/index?page=content&amp;id=1013807," target="_blank">https://kb.netapp.com/support/index?page=content&amp;id=1013807,</A> from the 4.x era, it describes a process which somewhat works.&nbsp; At least, I am able to follow it and add certs and get VSC to boot again.&nbsp; However, it doesn't mention the SHA1 limitation, because of its age.<BR /><BR />There's also <A href="https://kb.netapp.com/support/index?page=content&amp;id=1014445," target="_blank">https://kb.netapp.com/support/index?page=content&amp;id=1014445,</A> which does not mention age of software.&nbsp; It follows a vastly different process.&nbsp; This seems unnecessary at best, but confusing.<BR /><BR />Having installed the CA certificate, VSC SEEMS to work, SHA1 and all.&nbsp; However, it's a lurking problem.<BR />VSC can send mail about issues.&nbsp; Those emails end in a note that says:<BR />&nbsp; You can view the log entries at https://[fe80:0:0:0:0:5efe:a16:879%net3]:8043/smvi/logViewer?id=backup_All-VMs_20160519212800.<BR /><BR />1) I'm not sure why, but it's giving an IPv6 address.&nbsp; Is there a place to change this?&nbsp; I have to manually rewrite it to a hostname based on my own knowledge of the windows box's name.<BR />2) The SSL cert on port 8043 is NOT the replaced one, it's a self-signed one.&nbsp; Even if VSC is willing to accept talking over insecure connections from plugin to software, web browsers aren't happy with them.<BR /><BR /><BR />So, summarizing:<BR />1) VSC uses SHA1 certs.&nbsp; This is a bug.<BR />2) VSC has no clear documentation of how to replace SSL certs for port 8143 with CA-signed ones in the 6.x world; the 4.x instructions APPEAR to work, but, this is a guess.<BR />3) VSC has no documentation of how to replace SSL certs for port 8043 with CA-signed ones in the 6.x world.<BR />4) SMVI mails have an IPv6 hostname, but no clear way to change it.<BR /><BR />Anyone run into this?</P> Wed, 04 Jun 2025 20:51:19 GMT FULLSTEAM 2025-06-04T20:51:19Z https://community.netapp.com/t5/VMware-Solutions-Discussions/VSC-6-0-SSL-Cert-replacement/m-p/119496#M8634 <P>Not sure where to file a case on this.</P><P>&nbsp;</P><P>There are no clear instructions on how to replace the self-signed SSL certificates in VSC, with CA-signed ones.&nbsp; I'm using VSC for vSphere 6.2P1, with a Linux-based VCSA and ESXi versions 6.0U2.&nbsp; Also, cDOT NAS datastores, running 8.2.4P2.<BR /><BR />The VSC manual, <A href="https://library.netapp.com/ecm/ecm_get_file/ECMLP2371569" target="_blank">https://library.netapp.com/ecm/ecm_get_file/ECMLP2371569</A> , page 49, says that the certificate must be signed with SHA1.<BR />With SHA1 being deprecated, this is a bug that VSC should be addressing SOON.<BR /><BR />If you use <A href="https://kb.netapp.com/support/index?page=content&amp;id=1013807," target="_blank">https://kb.netapp.com/support/index?page=content&amp;id=1013807,</A> from the 4.x era, it describes a process which somewhat works.&nbsp; At least, I am able to follow it and add certs and get VSC to boot again.&nbsp; However, it doesn't mention the SHA1 limitation, because of its age.<BR /><BR />There's also <A href="https://kb.netapp.com/support/index?page=content&amp;id=1014445," target="_blank">https://kb.netapp.com/support/index?page=content&amp;id=1014445,</A> which does not mention age of software.&nbsp; It follows a vastly different process.&nbsp; This seems unnecessary at best, but confusing.<BR /><BR />Having installed the CA certificate, VSC SEEMS to work, SHA1 and all.&nbsp; However, it's a lurking problem.<BR />VSC can send mail about issues.&nbsp; Those emails end in a note that says:<BR />&nbsp; You can view the log entries at https://[fe80:0:0:0:0:5efe:a16:879%net3]:8043/smvi/logViewer?id=backup_All-VMs_20160519212800.<BR /><BR />1) I'm not sure why, but it's giving an IPv6 address.&nbsp; Is there a place to change this?&nbsp; I have to manually rewrite it to a hostname based on my own knowledge of the windows box's name.<BR />2) The SSL cert on port 8043 is NOT the replaced one, it's a self-signed one.&nbsp; Even if VSC is willing to accept talking over insecure connections from plugin to software, web browsers aren't happy with them.<BR /><BR /><BR />So, summarizing:<BR />1) VSC uses SHA1 certs.&nbsp; This is a bug.<BR />2) VSC has no clear documentation of how to replace SSL certs for port 8143 with CA-signed ones in the 6.x world; the 4.x instructions APPEAR to work, but, this is a guess.<BR />3) VSC has no documentation of how to replace SSL certs for port 8043 with CA-signed ones in the 6.x world.<BR />4) SMVI mails have an IPv6 hostname, but no clear way to change it.<BR /><BR />Anyone run into this?</P> Wed, 04 Jun 2025 20:51:19 GMT https://community.netapp.com/t5/VMware-Solutions-Discussions/VSC-6-0-SSL-Cert-replacement/m-p/119496#M8634 FULLSTEAM 2025-06-04T20:51:19Z