Skip to main content

NetApp_Insight_2020.png 

NetApp Knowledgebase

How to explicitly trust a private CA certificate in Altavault

Views:
52
Visibility:
Public
Votes:
0
Category:
altavault
Specialty:
dp
Last Updated:

Applies to

  • NetApp Cloud Backup (AltaVault)
  • SteelStore

Description

  • Private or public CA for cloud provider's SSL certificate must have an existing public certificate trusted on the SteelStore/Altavault.
  • If this is not the case, CA certificate errors will appear in the system log and replication will fail.
  • SteelStore/Altavault's connections to the cloud provider are over SSL and in order to trust the cloud provider's certificate, the signing Certificate Authority (CA) needs to be explicitly trusted.
  • For this purpose,the SteelStore/Altavault like most devices, uses a ca-bundle file, which is a concatenated list of public CA's X.509 certificates.
  • If a customer uses private cloud storage using a certificate signed by a corporate Certificate Authority, the private CA's public certificate needs to be explicitly trusted for the SteelStore to accept it as valid.
  • The way to accomplish this is by appending the certificate to the file to the SteelStore's ca-bundle file.
  • Additionally, a public CA's certificate can expire and be updated, that update may not be reflected in the currently bundled SteelStore/Altavault CA certificate package.
  • If this occurs, then all certificates signed by that CA will fail to validate.

Example errors that may be seen when CA certificate cannot be validated against trusted certificates:

Peer certificate could not be authenticated with known CA certificates. You may proceed by disabling ssl certificate verification if you are sure about the authenticity of the server. Run "no replication ssl verify-certs" from the cli. An error has occurred while replicating data to the cloud. SteelStore (config) # cloudctl exec "-a list" Failed to get bucket list: 60: Peer certificate cannot be authenticated with given CA certificates : Peer certificate cannot be authenticated with known CA certificate