Skip to main content
NetApp Knowledge Base

How to renew an SSL certificate in Data ONTAP 7-Mode

Views:
2,584
Visibility:
Public
Votes:
0
Category:
data-ontap-8
Specialty:
core
Last Updated:

Applies to

Data ONTAP 7-Mode

Description

This article describes the procedure to be followed to renew an SSL certificate on Data ONTAP 7-Mode storage systems.

Procedure

To create a Self-Signed Certificate within 7-mode Data Ontap, with a length of 1024 or 2048

Run:> secureadmin setup ssl 

Note: Each question within the resulting SSL Certificate wizard will need to be populated.

There are 3 basic Algorithm Keylengths that are available when configuring an SSL Certificate:

  • 512
  • 1024
  • 2048

Since 2015, a lot of SSL related Security Vulnerabilities have been identified, which has slowly rendered the 512 keylength as no longer sufficient within environments that have Automatic updates enabled.

This is because applications like Windows and Java are regularly updating code to patch Security Vulnerabilities like the those within SSL.  Over time this has made the 512 Keylength no longer valid, which means that any SSL Certificate running 512 needs to be recreated with a length of 1024 or 2048.

You can confirm the current SSL Certificate keylength by running the following Syntax from the Ontap

CLI:> keymgr list key
Existing key file(s):Name                 Type Bits Size  Last Modifiedsecureadmin.pem      RSA  512  561   Dec 17 08:17:32 EST 2016DOT7m>
 

In the example above, I highlighted 512, as 512 the Algorithm Keylength that is configured for this Example SSL Certificate.  

To import a new certificate in Data ONTAP 7-Mode systems,perform the following steps:

Note: you need to provide a new root certificate in .pem format

  1. Check the existing certificate on the system:

7Dot> keymgr list root
Existing certificate file(s):
Name                 Common Name                Size  Expiration Date
cacert.pem                             228147 Jan  7 23:59:59 2010 GMT

  1. Write on the /etc of the storage system the new certificate (if you are using a vFiler, refer to the /etc of the vFiler)

$ cat 2018.pem | ssh 7modefiler wrfile /vol/vol0/etc/2018.pem (or copy it on etc$ share)

At this moment, the certificate is not yet used by the storage system

7Dot> keymgr list root
Existing certificate file(s):
Name                 Common Name                Size  Expiration Date
cacert.pem                             228147 Jan  7 23:59:59 2010 GMT

  1. Install the new certificate copied on the storage system:

7Dot> keymgr install root /vol/vol0/etc/2018.pem
7Dot> keymgr list root
Existing certificate file(s):
Name                 Common Name                Size  Expiration Date
cacert.pem                             228147 Jan  7 23:59:59 2010 GMT
2018.pem             7Dot.corp.netapp.com  1367  Apr  4 14:43:10 2019 GMT

  1. Remove the old expired certificate (if it is still used, it is not necessary to do this step):

7Dot> keymgr delete root cacert.pem
Wed Apr  4 16:56:56 CEST [7Dot:telnet_0:info]: File cacert.pem deleted (null).

  1. Restart services using SSL connections to use the new certificate (in this example, ldap):

7Dot> options ldap.ssl.enable off
7Dot> options ldap.ssl.enable on

Additional Information

additionalInformation_text

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

Scan to view the article on your device