The VMS can be configured to require clients invoking the VMS REST API to present a client certificate. The requirement applies to any client connections used to make REST API calls to the VMS, including those used for accessing the VAST Web UI.
To configure client certificate validation for VMS REST API calls, obtain a CA certificate (and a key) and upload it to VMS as the VMS mTLS certificate.
After uploading the VMS mTLS certificate, the clients are expected to present the same certificate as the one uploaded to the VMS, or a certificate signed by the uploaded root certificate.
Uploading a VMS mTLS Certificate via VAST Web UI
To upload a VMS mTLS certificate via VAST Web UI:
From the left navigation menu, select Settings and then Certificates to open the Certificates tab.
From the Certificate for dropdown, select VMS mTLS Auth.
Either paste the certificate file contents into the Certificate field or use the Upload button to upload the file, and paste or upload the key file content into the Key field.
When pasting the file content, include the "BEGIN CERTIFICATE", "END CERTIFICATE", "BEGIN PRIVATE KEY" and "END PRIVATE KEY" lines:
-----BEGIN CERTIFICATE-----
<Certificate file content>
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
<Key file content>
-----END PRIVATE KEY-----
Click Update.
Uploading a VMS mTLS Certificate via VAST CLI
To upload a VMS mTLS certificate via VAST CLI:
Run the vms set_client_certificate command:
vcli: admin> vms set_client_certificate --id 1
Please enter certificate AND private key (ALT+ENTER/option+ENTER to finish):
Enter the certificate and key content one after the other, including the "BEGIN CERTIFICATE", "END CERTIFICATE", "BEGIN PRIVATE KEY" and "END PRIVATE KEY" lines:
-----BEGIN CERTIFICATE-----
<Certificate file content>
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
<Key file content>
-----END PRIVATE KEY-----
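The following is an added example, not part of the VAST documentation: one way to prepare and check the material for the upload steps above with the openssl CLI. It creates a test root CA, issues a client certificate from it, confirms that the key matches the certificate, and writes the certificate-then-key bundle; all file names, subject names and the api-client name are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: pre-upload checks for a VMS mTLS bundle (openssl CLI required).
# File names and subject names below are constructed for illustration.
set -eu

# Create a self-signed root CA; -nodes leaves the key as unencrypted PEM.
make_ca() {  # make_ca <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-vms-mtls-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"
}

# Issue a client certificate signed by the CA in <dir>.
issue_client() {  # issue_client <dir> <name>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# True when the private key belongs to the certificate (same public key).
key_matches() (  # key_matches <cert> <key>
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
)

# True when <cert> is the CA itself or is signed by it.
chains_to() {  # chains_to <ca.crt> <cert>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Write certificate first, then key: the order used when pasting the content.
make_bundle() {  # make_bundle <cert> <key> <out>
  key_matches "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  (umask 077; cat "$1" "$2" > "$3")
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca "$work"
issue_client "$work" api-client
make_bundle "$work/ca.crt" "$work/ca.key" "$work/vms-mtls-bundle.pem"
chains_to "$work/ca.crt" "$work/api-client.crt" && echo "client cert chains to the CA"
```

The bundle holds the CA private key, so it is written with owner-only permissions and removed with the temporary directory when the script exits.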
Removing a VMS mTLS Certificate via VAST Web UI
To remove an uploaded VMS mTLS certificate:
From the left navigation menu, select Settings and then Certificates to open the Certificates tab.
From the Certificate for dropdown, select mTLS.
Click Remove.
Removing a VMS mTLS Certificate via VAST CLI
To remove a VMS mTLS certificate via VAST CLI, run the vms remove_client_certificate command.
vcli: admin> vms remove_client_certificate
This action will remove the client certificate from vms,
vms will no longer verify client requests after that.
Are you sure you want to proceed? [y/N] y
client certificate has been removed, please reconnect.