Metro Node - Metro Node Admin Procedures-Manage

The document outlines the procedures for managing SSL certificates in a Metro node environment, including changing, resetting, and renewing both self-signed and customer-signed certificates. It provides detailed commands and steps necessary for executing these tasks, along with warnings about potential system outages. Additionally, it emphasizes the importance of following preliminary tasks and notes the need for proper credentials and certificate management practices.

Uploaded by

mingli.bi
Metro node SolVe Generator

Version: 1.0.3.10 Generated on July 28 2025 09:30 AM

Topic
Metro node Admin Procedures

Selections
Metro node Admin Procedures: Manage
Metro node Management Procedures: Change the SSL certificate

If you find any errors in this procedure or have comments regarding this application, send
email to SolVeFeedback@dell.com

Copyright © 2025 Dell Inc. or its subsidiaries. All Rights Reserved. Dell Technologies, Dell, EMC, Dell EMC and other trademarks are
trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the
information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any software described in this publication requires an applicable software license.

This document may contain certain words that are not consistent with Dell's current language guidelines. Dell plans to update the
document over subsequent future releases to revise these words accordingly.

This document may contain language from third party content that is not under Dell's control and is not consistent with Dell's current
guidelines for Dell's own content. When such third party content is updated by the relevant third parties, this document will be revised
accordingly.
Dell Technologies – Restricted Use – Confidential & Subject to NDA

Contents
Preliminary Activity Tasks
Read, understand, and perform these tasks
Change the SSL certificate
Change the SSL certificates for self_signed
Change the SSL certificate for cust_signed
Reset SSL Certificates
Renew self-signed SSL certificates

Preliminary Activity Tasks
This section may contain tasks that you must complete before performing this procedure.

Read, understand, and perform these tasks


1. Table 1 lists tasks, cautions, warnings, notes, and/or knowledgebase (KB) solutions that you need to
be aware of before performing this activity. Read, understand, and when necessary perform any
tasks contained in this table and any tasks contained in any associated knowledgebase solution.

Table 1 List of cautions, warnings, notes, and/or KB solutions related to this activity

Change the SSL certificate

During initial system configuration, a self-signed SSL certificate is installed in the metro node. The vplex_system_config command can change the default self-signed SSL certificates to customer-signed SSL certificates on all the directors. It can also renew the self-signed SSL certificates on all the directors by extending the expiry time during the command's interview session. If you run the command on director-1-1-A, the certificate changes apply to all the directors.

Follow the procedure below to change the SSL certificate.


Change the SSL certificates for self_signed

To change or update the SSL certificates of the current cluster, use the following steps:

WARNING: Running the vplex_system_config --start or vplex_system_config -s command on an already configured system stops the node firmware, causing a Total Cluster Outage.

NOTE:

• Check with the Metro node administrator for the service password, as it would have been changed during installation and might have been changed again since.
• Run this command on one node; the changes are reflected on all the nodes.

1. Log in as the service user with the credentials on one of the directors of the metro node.
2. Run the command with the following options to show and update the SSL certificate details (this updates the SCIF and runs the playbook with ssl_certificates):
a. To show SSL certificate information: Run vplex_system_config -i --show-ssl-certificates

service@director-1-1-a:~> vplex_system_config -i --show-ssl-certificates

Certificates details
ca:
algo_type : rsa
expiry_days : 1825
key_length : 2048
cert_type: self_signed
host:
algo_type : rsa
expiry_days : 730
key_length : 2048

b. To update the certificates: Run vplex_system_config -i --update-ssl-certificates

service@director-1-1-a:~> vplex_system_config -i --update-ssl-certificates

Taking backup of existing SCIF has been started...


Taking backup of existing SCIF has been completed.

Update SSL certificates process is started...

Enter SSL certificates details:

Types of certificate configurations supported.
1. self_signed
2. cust_signed
Please select your certificate type. (default:
self_signed):
CA Expiry Days (default: 1825):
CA Key Length (default: 2048):
CA Algo Type (default: rsa):
Host Expiry Days (default: 730):
Host Key Length (default: 2048):
Host Algo Type (default: rsa):

TASK: Gathering Facts - PASS


TASK: Validating if the default values are changed - PASS
.
.
.
TASK: Deleting ca_cert and ca_key temp files - PASS
TASK: Restarting the nginx service - PASS
TASK: Deleting certificate backup directory - PASS
TASK: Checking nsfw status - PASS
TASK: Generating host certificate request
Failed and Rescued (continue with next tasks): director-1-1-B|8K12Z23
Failed and Rescued (continue with next tasks): director-1-1-A|8K13Z23
Failed and Rescued (continue with next tasks): director-2-1-B|8K10Z23
Failed and Rescued (continue with next tasks): director-2-1-A|8K15Z23

PLAY RECAP
*******************************************************************************
*******************************************************************
director-1-1-A|8K13Z23 : ok=31 changed=11 unreachable=0 failed=0
skipped=7 rescued=1 ignored=0
director-1-1-B|8K12Z23 : ok=35 changed=10 unreachable=0 failed=0
skipped=7 rescued=1 ignored=0
director-2-1-A|8K15Z23 : ok=31 changed=10 unreachable=0 failed=0
skipped=7 rescued=1 ignored=0
director-2-1-B|8K10Z23 : ok=31 changed=10 unreachable=0 failed=0
skipped=7 rescued=1 ignored=0

System configuration process for update SSL certificates is successful

service@director-1-1-a:~>

c. To check certificate details: Run vplex_system_config -i --show-ssl-certificates

service@director-1-1-a:~> vplex_system_config -i --show-ssl-certificates

Certificates details
ca:
algo_type : rsa
expiry_days : 1825
key_length : 2048
cert_type: self_signed
host:

algo_type : rsa
expiry_days : 1825
key_length : 2048

service@director-1-1-a:~>
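
The self-signed run above ends with a success message even though every director reports rescued=1. The following is an added example, not part of the Dell procedure or tooling, that reads a saved PLAY RECAP and lists directors with failed, unreachable, rescued or ignored tasks; the function names, the FAIL/REVIEW labels and the sample serial numbers are this example's own.

```sh
#!/bin/sh
# Added example, not Dell tooling: review a saved PLAY RECAP instead of
# trusting only the final "successful" line. Treating rescued/ignored
# counts as "REVIEW" is this example's policy, not the vendor's.

# recap_findings FILE -> one line per director needing attention;
# the return status is the number of such directors.
recap_findings() {
    awk '
    function emit() {
        if (host == "") return
        if (v["failed"] + v["unreachable"] > 0) {
            printf "FAIL   %s failed=%d unreachable=%d\n", host, v["failed"], v["unreachable"]
            n++
        } else if (v["rescued"] + v["ignored"] > 0) {
            printf "REVIEW %s rescued=%d ignored=%d\n", host, v["rescued"], v["ignored"]
            n++
        }
        host = ""; split("", v)              # reset for the next director
    }
    / : ok=/ { emit(); host = $1 }           # a recap row starts here
    host != "" {                             # counters may wrap onto the next line
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) v[kv[1]] = kv[2]
    }
    END { emit(); exit n }
    ' "$1"
}

# Constructed sample in the wrapped layout shown above (serials are made up).
sample_recap() {
    cat <<'EOF'
director-1-1-A|SERIAL01 : ok=31 changed=11 unreachable=0 failed=0
skipped=7 rescued=1 ignored=0
director-1-1-B|SERIAL02 : ok=35 changed=10 unreachable=0 failed=1
skipped=7 rescued=0 ignored=0
director-2-1-A|SERIAL03 : ok=31 changed=10 unreachable=0 failed=0
skipped=7 rescued=0 ignored=0
EOF
}

# Stand-alone: pass a saved log, or run on the constructed sample.
if [ $# -gt 0 ]; then recap_findings "$1"; else sample_recap | recap_findings - || true; fi
```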

Change the SSL certificate for cust_signed

WARNING: Running the vplex_system_config --start or vplex_system_config -s command on an already configured system stops the node firmware, causing a Total Cluster Outage.

For cust_signed SSL certificates (import type), import the certificates into /home/service/ with the following names:

• /home/service/director-1-1-A.crt - host-1-1-A certificate
• /home/service/director-1-1-A.key - host-1-1-A key
• /home/service/ca.crt - CA certificates
• /home/service/director-1-1-B.crt - host-1-1-B certificate
• /home/service/director-1-1-B.key - host-1-1-B key
• /home/service/director-2-1-B.crt - host-2-1-B certificate
• /home/service/director-2-1-B.key - host-2-1-B key
• /home/service/director-2-1-A.crt - host-2-1-A certificate
• /home/service/director-2-1-A.key - host-2-1-A key

After importing the certificates, run the command:

service@director-1-1-a:~> vplex_system_config -i --update-ssl-certificates

NOTE: Enter the passphrase key which is used to create the certificates.
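
A pre-flight check for the imported files, run before the update command, as an added example that is not part of the Dell procedure or tooling. It uses the file names listed above and the 14-day window this page gives for renewal warnings; the KEY_PASSPHRASE variable, the function names and the permission rule are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Dell tooling: pre-flight check of a cust_signed bundle.
# File names come from the procedure; KEY_PASSPHRASE and the set of checks
# are assumptions of this example.
DIRECTORS="director-1-1-A director-1-1-B director-2-1-A director-2-1-B"
WARN_SECONDS=$((14 * 86400))          # the 14-day renewal window the page cites
KEY_PASSPHRASE=${KEY_PASSPHRASE:-}    # taken from the environment, never from argv
export KEY_PASSPHRASE

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# check_bundle DIR -> prints findings; return status is the number of findings
check_bundle() {
    dir=$1
    problems=0
    if [ ! -r "$dir/ca.crt" ]; then
        fail "ca.crt missing or unreadable"
        return "$problems"
    fi
    for d in $DIRECTORS; do
        crt=$dir/$d.crt
        key=$dir/$d.key
        if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
            fail "$d: .crt or .key missing"
            continue
        fi
        # Private keys should carry no group/other permission bits.
        case $(ls -ld "$key" | cut -c5-10) in
            ------) ;;
            *) fail "$d.key: group/other permissions set" ;;
        esac
        # Certificate and key must carry the same public key.
        cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout -passin env:KEY_PASSPHRASE 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            fail "$d: key does not match certificate (or wrong passphrase)"
        fi
        # ca.crt is the root, or the full chain when an intermediate signed.
        openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 ||
            fail "$d.crt: does not verify against ca.crt"
        # Flag certificates already inside the renewal-warning window.
        openssl x509 -in "$crt" -noout -checkend "$WARN_SECONDS" >/dev/null 2>&1 ||
            fail "$d.crt: expires within 14 days"
    done
    return "$problems"
}

# Stand-alone use: sh preflight.sh /home/service
[ $# -eq 0 ] || check_bundle "$1"
```

The sample output later in this section shows --show-ssl-certificates printing passphrase_key in clear text, so treat saved terminal logs from this procedure as sensitive.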

1. Log in as the service user with the credentials on one of the directors of the metro node.
2. Run the command with the following options to show and update the SSL certificate details (this updates the SCIF and runs the playbook with ssl_certificates):
a. To show certificate information for custom-signed certificates: Run vplex_system_config -i --show-ssl-certificates

service@director-1-1-a:~> vplex_system_config -i --show-ssl-certificates

Certificates details

cert_type: cust_signed
passphrase_key: oldstrongswan
service@director-1-1-a:~>

b. To update custom-signed certificates: Run vplex_system_config -i --update-ssl-certificates

service@director-1-1-a:~> vplex_system_config -i --update-ssl-certificates

Taking backup of existing SCIF has been started...
Taking backup of existing SCIF has been completed.

Update SSL certificates process is started...

Enter SSL certificates details:

Types of certificate configurations supported.


1. self_signed
2. cust_signed
Please select your certificate type. (default:
cust_signed):
Please make sure you have uploaded the following
certificates:
i.e.. ca.crt
director-1-1-B.crt
director-1-1-B.key
director-1-1-A.crt
director-1-1-A.key
director-2-1-B.crt
director-2-1-B.key
director-2-1-A.crt
director-2-1-A.key are required.
If the certificate is signed directly by the root
certificate, then the ca.crt is the root CA certificate.
If the certificate is signed by an intermediate
certificate, then ca.crt is the complete certificate chain.
Do you want to proceed? (default: y):
Checking the availability of certificates...
director-1-1-B.crt certificate is available.
director-1-1-B.key certificate is available.
director-1-1-A.crt certificate is available.
director-1-1-A.key certificate is available.
director-2-1-B.crt certificate is available.
director-2-1-B.key certificate is available.
director-2-1-A.crt certificate is available.
director-2-1-A.key certificate is available.
ca.crt certificate is available.
please enter passphrase key:
Validating the certs and private key started...
Validating the certs and private key completed...
TASK: Gathering Facts - PASS
TASK: Find SSL certs files - PASS
TASK: Find SSL certs files permission - PASS
TASK: Copy SSL certs from current node to all nodes - PASS
TASK: Validate node certs with ca cert - PASS
.
.
.
TASK: Generating truststore - PASS
TASK: Assemble from fragments from a directory - PASS
TASK: Generating the keystore - PASS
TASK: Restarting the nginx service - PASS
TASK: Checking nsfw status - PASS

PLAY RECAP
*******************************************************************************
**********************************************************************
director-1-1-A|8K13Z23 : ok=20 changed=6 unreachable=0 failed=0
skipped=14 rescued=0 ignored=0
director-1-1-B|8K12Z23 : ok=24 changed=6 unreachable=0 failed=0
skipped=15 rescued=0 ignored=0
director-2-1-A|8K15Z23 : ok=20 changed=6 unreachable=0 failed=0
skipped=14 rescued=0 ignored=0
director-2-1-B|8K10Z23 : ok=20 changed=6 unreachable=0 failed=0
skipped=14 rescued=0 ignored=0

System configuration process for update SSL certificates is successful

service@director-1-1-a:~>

c. To check custom-signed certificate details: Run vplex_system_config -i --show-ssl-certificates

service@director-1-1-a:~> vplex_system_config -i --show-ssl-certificates

Certificates details
cert_type: cust_signed
passphrase_key: newstrongswan

service@director-1-1-a:~>

Reset SSL Certificates

Steps
1. Log in as a service user with the credentials in one of the nodes.
2. Run the command vplex_system_config -i --reset-ssl-certificates.
Output:

service@director-1-1-a:~> vplex_system_config --reset-ssl-certificates


WARNING !!!
Running this command will reset the ssl_certificates parameters from the metro node.
Do you really want to continue?
Please type 'yes' to proceed or 'no' to exit:
yes
Starting the system configuration process for reset ssl_certificates tasks...
TASK: deleting certificates files from ansible - PASS

PLAY RECAP
**************************************************************************************
************************************************************
director-1-1-A|8K13Z23 : ok=2 changed=1 unreachable=0 failed=0
skipped=3 rescued=0 ignored=0
director-1-1-B|8K12Z23 : ok=2 changed=1 unreachable=0 failed=0
skipped=3 rescued=0 ignored=0
director-2-1-A|8K15Z23 : ok=2 changed=1 unreachable=0 failed=0
skipped=3 rescued=0 ignored=0

director-2-1-B|8K10Z23 : ok=2 changed=1 unreachable=0 failed=0
skipped=3 rescued=0 ignored=0

System configuration process for reset SSL certificates is successful


service@director-1-1-a:~>

Renew self-signed SSL certificates

WARNING: Running the vplex_system_config --start or vplex_system_config -s command on an already configured system stops the node firmware, causing a Total Cluster Outage.

For self-signed certificates, renewal is handled by an Ansible role that a cron job triggers automatically. The SSL certificate is renewed when fewer than 14 days remain before its expiry date.
To trigger the certificate renewal, the services vplex-node-ssl-renewal.service and vplex-node-ssl-renewal.timer are created. These services start when vplex-node.target is invoked (vplex-node.target is invoked during the phase2 process). The vplex-node-ssl-renewal.timer triggers every day at 00:00:00 and invokes vplex-node-ssl-renewal.service, which runs the Python script that checks the expiry of the SSL certificate. If the remaining validity is less than 14 days from the current date, the certificate is renewed by invoking the Ansible playbook.

service@director-1-1-a:~> sudo systemctl status vplex-node-ssl-renewal.timer


● vplex-node-ssl-renewal.timer - Execute ssl renewal service once in a day[Timer]
Loaded: loaded (/usr/lib/systemd/system/vplex-node-ssl-renewal.timer; enabled; vendor
preset: enabled)
Active: active (waiting) since Thu 2020-11-12 11:22:24 UTC; 18h ago
Trigger: Sat 2020-11-14 00:00:00 UTC; 17h left

Nov 12 11:22:24 localhost systemd[1]: Started Execute ssl renewal service once in a
day[Timer].
service@director-1-1-a:~> sudo systemctl status vplex-node-ssl-renewal.service
● vplex-node-ssl-renewal.service - ssl certificate renewal
Loaded: loaded (/usr/lib/systemd/system/vplex-node-ssl-renewal.service; enabled; vendor
preset: enabled)
Active: inactive (dead) since Fri 2020-11-13 00:00:06 UTC; 6h ago
Process: 18788 ExecStart=/usr/bin/python3
/opt/dell/vplex/lib/python/vplexsetup/ssl_renewal.py (code=exited, status=0/>
Main PID: 18788 (code=exited, status=0/SUCCESS)

Nov 13 00:00:06 director-1-1-a systemd[1]: Started ssl certificate renewal.


Nov 13 00:00:06 director-1-1-a python3[18788]: SSL certificate renewed successfully!

NOTE: For imported certificates, the user receives warnings to renew the certificates 14 days before expiry.
