AFAIK, the certificate used in VASA (Storage Providers/IOFILTER) is (and should be) identical to the certificate used on host. If the certificate on the host (e.g vSphere Client > host > Configure > System > Certificate) is actually valid, the VASA should display the same certificate information (e.g. same expiration date).
If the certificate is actually expired, you can (first) renew the host certificate (default from VMCA/built-in from vCenter), by using vSphere Client > Host > Configure > System > Certificate and by selecting "Renew".
If the host certificate is not expired, but **not showing identical information** under Storage Providers (VASA) > Certificate Info, you can just remove and refresh the VasaProvider (which will refresh the outdated information):
A quick and simple way to do this using PowerShell/PowerCLI (my preferred method), is e.g.
```powershell
Get-VasaProvider | Where-Object url -like "*esx-1337*" | ft status,id,url
```
Check all providers by just issuing Get-VasaProvider
Then just go into vCenter > Configure > Storage Providers, and select "Synchronize Storage Providers". The provider should automatically re-register the provider, and use the same certificate information (see the IOFilter Provider details > Certificate Info), as displayed under "host > configure > system > certificate".
Alternatively, there is (was)? and old VMware KB, which follows a rather long and complicated procedure using MOB and "QueryStorageManager" to query alle the storage providers, match the provider ID, and unregistering it. Refer to previous KB [Remove VASA Provider from the vSphere Storage Monitoring Service (SMS) mob (56619)](https://kb.vmware.com/s/article/56619) <- Note that since the link is rather broken now (thanks for that Broadcom), you may need to retrieve it using cache/archive.org (also down ATM/of this writing), etc. (or I have the full webclip, if needed).
Anyways, I'd opt for using PowerCLI, if possible.
Tip: If all the providers are "OFFLINE" anyways, you can remove them all by filtering for status offline, e.g.
```powershell
Get-VasaProvider | Where-Object status -eq "offline" | Remove-VasaProvider
```
Then synchronize them again using steps mentioned above.
(pro)tip: You could also verify certificates being used by using e.g. openssl and s_client, e.g. comparing the certificates (again, should be identical) from e.g.:
```
openssl s_client -connect localhost:9080
openssl s_client -connect localhost:443
```
(9080 being the VASA service/cert and 443 being the regular ESXi certificate).
Update: Here is a link to another blog post regarding the same steps: https://carvertown.com/how-to-refresh-vasa-certificates-with-vsphere-7-0/
Original Message:
Sent: May 23, 2024 02:22 PM
From: Joel Finger
Subject: Storage Providers / IOFILTER
I recently noticed I have a bunch of hosts showing in Storage Filters with either expired or expiring certificates that cannot be renewed. These IOFILTERS are showing offline. Well, I figured out why they are offline - the certificate issuer is the external PSC that got retired when our org moved to vCenter 7. I know I can install fresh ESXi on a host and it will connect without issue. I would like to avoid having to reload hosts in order for this issue to go away. Eventually, I am planning on migrating hosts to a new vCenter v8 environment at which time all hosts are going to have an issue with the original certificate issuer.
Thanks in advance.