VAST Cluster ships with a self-signed certificate that secures the HTTPS connection between the VAST Web UI and the VAST Cluster management service (VMS). Because no browser trusts that self-signed issuer, browsing to the VAST Web UI produces a warning that the connection is not secure. To replace it with a certificate signed by a Certificate Authority (CA), follow this procedure.
Note
Only RSA-generated public keys are supported.
Password protected private keys are not supported.
Restricting Minimum TLS Version and Ciphers
VAST can refuse unsafe, deprecated protocol versions and ciphers. The cluster's TLS service enforces a default minimum TLS version, which you can raise to a higher version, and you can further restrict the list of cipher suites the cluster side will negotiate.
Default Cipher Limits
The following ciphers are enabled by default for VMS HTTPS connections:
TLSv1.2 Ciphers:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLSv1.3 Ciphers:
TLS_AKE_WITH_AES_256_GCM_SHA384
TLS_AKE_WITH_AES_128_GCM_SHA256
TLS_AKE_WITH_AES_128_CCM_SHA256
Changing the Minimum TLS Version
By default, the minimum TLS version required by the cluster is TLS v1.2. You can optionally set the minimum TLS version to TLS v1.3.
To set the minimum TLS version to TLS v1.3, run the following VAST CLI command:
vcli: admin> vms modify --min-tls-version 1.3
Note
The change takes effect for VMS connections only after the TLS certificate for VMS is subsequently uploaded. If a certificate is already installed on the cluster, upload it again to apply the new minimum version; the same re-upload is needed to apply a change in cipher limits.
Setting Cipher Limits
To restrict ciphers on VMS connections, use the vms set_ssl_ciphers VAST CLI command.
The following example enables only the TLS_AES_256_GCM_SHA384 cipher when the minimum TLS version is 1.3:
vcli: admin> vms set_ssl_ciphers --id 1 --ssl-ciphers AES256
This action will impact your system. Are you sure you want to change the ssl ciphers? [y/N] y
vcli: admin>
To reset enabled ciphers to their default, use the vms reset_ssl_ciphers command.
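The following is an added example, not VAST's code or part of the VAST CLI. It shows how an administrator can preview what an OpenSSL-style cipher string such as AES256 selects before passing it to vms set_ssl_ciphers, and how to probe the VMS endpoint afterwards to confirm that TLS 1.2 and older versions are refused once the minimum version is 1.3 and the certificate has been re-uploaded. It assumes openssl is on PATH and that VAST interprets --ssl-ciphers as an OpenSSL cipher-list string, which the AES256 example suggests but the page does not state; vms.example.internal is a placeholder hostname.

```shell
#!/bin/sh
# Added example, not VAST's code: preview what an OpenSSL cipher-list string selects before
# passing it to "vms set_ssl_ciphers", and probe a live VMS endpoint after the change.
# Assumptions: openssl on PATH; VAST applies --ssl-ciphers as an OpenSSL-style cipher
# string (the page's "AES256" example has that form); hostnames below are placeholders.
set -u

# The page's default TLS 1.2 suites, written with the equivalent OpenSSL names.
VMS_DEFAULT_TLS12='DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'

# Expand a cipher string to "NAME PROTOCOL" lines, exactly as the local OpenSSL resolves it.
# Newer OpenSSL builds list their enabled TLS 1.3 suites first regardless of the string;
# the TLSv1.2 lines are the ones the string actually filters.
expand_cipher_string() {
    openssl ciphers -v "$1" | awk '{ print $1, $2 }'
}

# Count how many TLS 1.2 suites a cipher string leaves enabled (0 if none match).
count_tls12_suites() {
    expand_cipher_string "$1" | grep -c ' TLSv1.2$'
}

# Probe which protocol versions a live endpoint accepts. After "vms modify --min-tls-version 1.3"
# and the certificate re-upload, tls1_2 (and anything older) must read "refused".
# Caveat: a version the local openssl cannot speak also reads "refused"; check "openssl version"
# first. Needs network access, so the tests do not exercise this function.
probe_tls_versions() {   # usage: probe_tls_versions host [port]
    host=$1; port=${2:-443}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$host:$port" -servername "$host" "-$v" </dev/null >/dev/null 2>&1; then
            echo "$v accepted"
        else
            echo "$v refused"
        fi
    done
}

# Probe whether one specific TLS 1.2 cipher is still offered, e.g. a CBC or non-PFS suite
# (such as AES256-SHA) that the new cipher limits should have removed.
probe_tls12_cipher() {   # usage: probe_tls12_cipher host port 'AES256-SHA'
    if openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 -cipher "$3" </dev/null >/dev/null 2>&1; then
        echo "$3 accepted"
    else
        echo "$3 refused"
    fi
}

# Run as "sh tls_probe.sh probe vms.example.internal 443" to probe an endpoint interactively.
if [ "${1:-}" = probe ]; then
    probe_tls_versions "${2:-vms.example.internal}" "${3:-443}"
fi
```

Run expand_cipher_string with the string you intend to apply and confirm that every TLSv1.2 line is one you want: AES256 keeps the 256-bit GCM suites but also keeps 256-bit CBC and non-PFS RSA key-exchange suites in OpenSSL's interpretation, so a narrower string such as the four default names above may be what you actually want. Verify the result from outside the cluster with probe_tls_versions and probe_tls12_cipher after the certificate re-upload described in the note above.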
Installing a VMS Certificate
Obtain a TLS certificate from a Certificate Authority (CA). Generate the private key and a certificate signing request (CSR) yourself and send only the CSR to the CA; the CA returns the signed certificate, never your private key. You end up with two files: the certificate file and the key file. Both must be in the X.509 PEM format containing ASCII (Base64) encoded data, and the key must be an unencrypted RSA key, as stated in the note above.
From the left navigation menu, select Settings and then Certificates.
From the Certificate for dropdown, select VMS.
Enter or upload the certificate file contents in the Certificate field and the key file content into the Key field.
When pasting the certificate file content, include the BEGIN CERTIFICATE and END CERTIFICATE lines, like this:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
When pasting the private key file content, include the BEGIN PRIVATE KEY and END PRIVATE KEY lines, like this:
-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----
Click Update.
Your certificate is installed. Provided that the browser trusts the issuing CA and that the hostname you browse to is listed in the certificate's Subject Alternative Name, the VAST Web UI now loads without the warning that the site is not secure.
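The following is an added example, not VAST's code. It walks the certificate procedure from the command line: it generates an unencrypted RSA key and a CSR, and then runs the checks worth doing before pasting the two files into the Certificate and Key fields (PEM format, unencrypted key, RSA key type, key matches certificate, hostname present in the SAN, certificate current, chain verifies). It assumes openssl 1.1.1 or later is on PATH; vms.example.internal is a placeholder for the hostname you browse to; and because no CA is reachable offline, a self-signed certificate stands in for the CA's answer so the checks can run. In production the CA issues vms.crt and you never self-sign.

```shell
#!/bin/sh
# Added example, not VAST's code: prepare an RSA key pair and CSR for VMS, then run the
# checks worth doing before pasting the files into Settings > Certificates.
# Assumptions: openssl 1.1.1+ on PATH; the hostname is a placeholder for the name you
# browse to; the self-signed certificate is a stand-in for the CA's answer so the checks
# can run offline. In production the CA issues vms.crt and you never self-sign.
set -u

WORK="${WORK:-$(mktemp -d)}"
VMS_HOST="${VMS_HOST:-vms.example.internal}"   # placeholder hostname

# Step 1: generate an unencrypted RSA key (VMS accepts RSA only and rejects
# passphrase-protected keys) together with a CSR. Only vms.csr goes to the CA.
make_key_and_csr() {
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$WORK/vms.key" -out "$WORK/vms.csr" \
        -subj "/CN=$VMS_HOST" -addext "subjectAltName=DNS:$VMS_HOST" 2>/dev/null
}

# Stand-in for the CA: self-sign with the same key so the checks below have a certificate.
self_sign_stand_in() {
    openssl req -new -x509 -key "$WORK/vms.key" -days 365 \
        -subj "/CN=$VMS_HOST" -addext "subjectAltName=DNS:$VMS_HOST" \
        -out "$WORK/vms.crt" 2>/dev/null
}

# Check A: PEM and unencrypted, with the PKCS#8 header the page shows. An encrypted key
# starts "-----BEGIN ENCRYPTED PRIVATE KEY-----" and VMS will not accept it. A legacy
# "BEGIN RSA PRIVATE KEY" file converts with: openssl pkey -in old.key -out vms.key
key_is_unencrypted_pem() {
    head -n 1 "$1" | grep -qx -e '-----BEGIN PRIVATE KEY-----'
}

# Check B: the key really is RSA and internally consistent (fails for EC or Ed25519 keys).
key_is_rsa() {
    openssl rsa -in "$1" -check -noout -passin pass: >/dev/null 2>&1
}

# Check C: the certificate was issued for this key (SubjectPublicKeyInfo must match).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check D: browsers match the name they browsed to against the SAN, not the CN.
cert_covers_host() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# Check E: not expired ("-checkend 0" asks whether it expires within 0 seconds).
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Check F: the certificate verifies against the issuing CA bundle. Pass the CA's bundle
# for a real certificate; the self-signed stand-in is its own trust anchor.
cert_chains_to() {   # usage: cert_chains_to ca_bundle.pem vms.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run the whole procedure; returns 0 only when every check passes.
prepare_and_check() {
    make_key_and_csr && self_sign_stand_in || return 1
    key_is_unencrypted_pem "$WORK/vms.key" &&
    key_is_rsa "$WORK/vms.key" &&
    key_matches_cert "$WORK/vms.key" "$WORK/vms.crt" &&
    cert_covers_host "$WORK/vms.crt" "$VMS_HOST" &&
    cert_is_current "$WORK/vms.crt" &&
    cert_chains_to "$WORK/vms.crt" "$WORK/vms.crt"
}

# Run as "sh vms_cert_check.sh run"; vms.crt and vms.key in $WORK are then ready to paste,
# header and footer lines included.
if [ "${1:-}" = run ]; then
    prepare_and_check && echo "checks passed: $WORK/vms.crt $WORK/vms.key"
fi
```

With a real CA-issued certificate, skip self_sign_stand_in, put the CA's certificate in place of vms.crt and run the same checks, passing the CA bundle to cert_chains_to. Check A and Check B correspond directly to the two restrictions in the note at the top of the page; Check D is what decides whether the browser warning actually disappears after the upload.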