Starting with PowerStoreOS 4.0, administrators have the option to verify the vCenter SSL certificate. This lets the administrator confirm that the certificate matches the one that is displayed in vCenter before allowing communication. It improves security by ensuring that PowerStore is communicating with the intended vCenter. This option is available during initial configuration and on already configured systems through the GUI, PSTCLI, and REST API.
The following figure shows the vCenter Server registration page with the Verify SSL server certificate checkbox.
Certificate verification is enabled by default and is highly recommended. When it is enabled, the vCenter certificate is retrieved and displayed, as shown in Figure 2. The administrator can review the certificate and confirm that it matches the certificate in vCenter. If the administrator confirms that the certificate matches, PowerStore stores a copy of the certificate, marks it as trusted, and allows communication. If the administrator notes that the certificate does not match, the system leaves the certificate untrusted and disallows communication, and the registration process is canceled.
The system also reviews the certificate’s details to ensure that they are valid. It checks to ensure that the Fully Qualified Domain Name (FQDN) or IP address matches, that the certificate’s start date has passed, that the expiration date has at least 30 days left, and so on. If any of these system checks fail, the connection is blocked due to an invalid certificate.
If certificate verification is disabled, the registration process proceeds without validating the certificate’s details and does not display the certificate to the administrator.
With certificate verification enabled, the vCenter certificate that is stored on PowerStore is compared with the one reported by the vCenter. However, normal operations such as certificate renewals can cause the vCenter certificate to change. If this happens, an alert is generated to inform the administrator that there is a certificate mismatch. If this is expected, the administrator can update the configuration to verify the new certificate.
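An administrator can run the same kinds of checks independently, for example to spot a renewal that will trigger a mismatch alert. The following Python code is an added example, not part of the original page and not PowerStore's implementation. It assumes the certificate is in the dictionary format returned by Python's ssl.SSLSocket.getpeercert(); the function names, the host vcenter.example.test, and the sample data are constructed for illustration.

```python
import hashlib
import ipaddress
import ssl
from datetime import datetime, timedelta, timezone

MIN_DAYS_LEFT = 30  # threshold stated on the page: at least 30 days before expiry

# Constructed sample in the getpeercert() dictionary format; not a real certificate.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "vcenter.example.test"), ("IP Address", "192.0.2.10")),
}
SAMPLE_DER = b"constructed placeholder standing in for the DER-encoded certificate"

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted as colon-separated upper-case hex."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def name_matches(cert: dict, host: str) -> bool:
    """Exact match of an FQDN or IP address against subjectAltName (no wildcards)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, so treat host as a DNS name
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and value.lower() == host.lower().rstrip("."):
            return True
    return False

def check_certificate(cert, der, host, pinned_fp, now):
    """Return the list of failed checks; an empty list means every check passed."""
    failures = []
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not name_matches(cert, host):
        failures.append("name-mismatch")
    if now < not_before:
        failures.append("not-yet-valid")
    if not_after - now < timedelta(days=MIN_DAYS_LEFT):
        failures.append("expires-within-30-days")
    if pinned_fp is not None and fingerprint(der) != pinned_fp:
        failures.append("fingerprint-mismatch")  # stored copy differs, e.g. after a renewal
    return failures
```

Against a live server, the dictionary comes from getpeercert() and the DER bytes from getpeercert(binary_form=True) on a connected ssl.SSLSocket; pinned_fp is the fingerprint recorded when the certificate was first reviewed.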
If a PowerStore system with an already connected vCenter is upgraded to PowerStoreOS 4.0, certificate verification remains disabled. An alert is generated to inform the administrator that the connection is not secure. The administrator can update the configuration and enable certificate verification to clear the alert. If certificate verification is not desired (not recommended), you can enable/disable certificate verification or unregister/re-register the vCenter without certificate verification to clear the alert.
A vCenter registered with certificate verification enabled can be disconnected from PowerStore. When the vCenter is disconnected, the stored certificate is removed and is no longer trusted. Communication with this vCenter is no longer allowed. If desired, an administrator can connect PowerStore to the same vCenter again later using the same workflow as a new vCenter connection.