NetApp Knowledgebase

How to renew an SSL certificate in ONTAP 9

Applies to

  • ONTAP 9
  • Admin certificates
  • SVM/Vserver certificates

Description

This article describes how to renew an SSL certificate on an ONTAP 9 storage system. The default certificate expires after 365 days. The same procedure applies to the SSL certificates used by any SVM (Vserver).

Procedure

Note: Disable SSL before deleting the expired certificate; otherwise the system creates two new certificates.
These steps apply to ONTAP 9 and later.
  1. Check the current certificate status. Enter advanced privilege mode:

ClusterA-01::> set -privilege advanced

  2. Review the certificates that are currently configured:

ClusterA-01::*> security certificate show


Vserver    Common Name                      Authority        Protocol Service
---------- -------------------------------- ---------------- -------- -------
cifs       cifs.cert                        Self-Signed      SSL      server
           Expiration Date: Sat Aug 23 07:18:31 2013
cifs_vs    13.cert.1377240681               Self-Signed      SSL      server
           Expiration Date: Sat Aug 23 06:51:21 2013
ClusterA-01
           Common_name.cert                 Self-Signed      SSL      server
           Expiration Date: Wed Aug 27 08:37:29 2013
cm2244n1-cn
           ClusterA-01-01.cert              Self-Signed      SSL      server
           Expiration Date: Fri Jan 10 01:45:31 2013
cm2244n2-cn
           cm2244n2-cn.cert                 Self-Signed      SSL      server
           Expiration Date: Thu Feb 27 14:16:49 2013

  3. Check which certificate is currently being used by SSL:

ClusterA-01::> security ssl show
Vserver        Enabled SSL Certificate Name
-------------- ------- -------------------------
cifs           true    cifs.cert
cifs_vs        true    13.cert.1377240681
ClusterA-01    true    Common_name.cert
cm2244n1-cn    true    ClusterA-01-01.cert
cm2244n2-cn    true    cm2244n2-cn.cert
ictest         true    ictest.cert
tcs            true    tcs.cert
vsSAN          true    vsSAN.cert
vs_cifs        true    vs2.cert
vs_iscsi       true    10.cert.1372948150
vs_nfs         true    8.cert.1367222483
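Before deciding which certificates to renew, it helps to check every SVM at once rather than reading the two tables by eye. The following Python script is an added example and is not part of this NetApp article or of ONTAP: it parses the output of `security certificate show` and `security ssl show` in the formats shown above (captured to text, for instance over ssh), matches each SVM's active SSL certificate to its expiration date, and flags certificates that are expired or about to expire, SVMs whose SSL server is disabled, and SVMs whose active certificate does not appear in the certificate table. The sample output embedded in it, the SVM names in it and the "today" date are constructed for the example.

```python
"""Certificate inventory check for ONTAP SVMs (added example, stdlib only).

Parses the text printed by `security certificate show` and `security ssl show`
and reports, per SVM, which certificate the SSL server is actually using and
how many days it has left.
"""
import re
from datetime import datetime

# Constructed sample in the format of `security certificate show`.
# SVM names wider than the column wrap onto their own line (ClusterA-01, cm2244n1-cn).
CERT_SHOW = """\
Vserver    Common Name                      Authority        Protocol Service
---------- -------------------------------- ---------------- -------- -------
cifs       cifs.cert                        Self-Signed      SSL      server
           Expiration Date: Fri Aug 23 07:18:31 2013
ClusterA-01
           Common_name.cert                 Self-Signed      SSL      server
           Expiration Date: Tue Aug 27 08:37:29 2013
cm2244n1-cn
           ClusterA-01-01.cert              Self-Signed      SSL      server
           Expiration Date: Thu Jan 10 01:45:31 2013
svm_nfs    8.cert.1367222483                Self-Signed      SSL      server
           Expiration Date: Thu May 01 09:00:00 2014
"""

# Constructed sample in the format of `security ssl show`.
SSL_SHOW = """\
Vserver        Enabled SSL Certificate Name
-------------- ------- -------------------------
cifs           true    cifs.cert
ClusterA-01    true    Common_name.cert
cm2244n1-cn    true    ClusterA-01-01.cert
svm_nfs        true    8.cert.1367222483
tcs            true    tcs.cert
vs_iscsi       false   -
"""

# Constructed "today" so the sample gives a stable result.
SAMPLE_NOW = datetime(2013, 8, 1)

EXPIRY_RE = re.compile(r"^\s+Expiration Date:\s+(.+?)\s*$")


def parse_ontap_date(text):
    """'Fri Aug 23 07:18:31 2013' -> datetime.  The weekday token is dropped:
    ONTAP prints it, but it adds nothing and must not be trusted to match."""
    return datetime.strptime(" ".join(text.split()[1:]), "%b %d %H:%M:%S %Y")


def _is_noise(line):
    """Blank lines, the column header and the separator row."""
    return not line.strip() or line.startswith("Vserver") or line.startswith("---")


def parse_cert_show(text):
    """Return {(vserver, common_name): expiration datetime}."""
    certs, vserver, common = {}, None, None
    for line in text.splitlines():
        if _is_noise(line):
            continue
        m = EXPIRY_RE.match(line)
        if m:
            certs[(vserver, common)] = parse_ontap_date(m.group(1))
            vserver = common = None
            continue
        fields = line.split()
        if not line[0].isspace():      # entry starts with the SVM name in column 1
            vserver = fields[0]
            common = fields[1] if len(fields) > 1 else None
        else:                          # wrapped entry: common name on its own line
            common = fields[0]
    return certs


def parse_ssl_show(text):
    """Return {vserver: active certificate name, or None when SSL is disabled}."""
    active = {}
    for line in text.splitlines():
        if _is_noise(line):
            continue
        fields = line.split()
        enabled = len(fields) > 1 and fields[1] == "true"
        cert = fields[2] if enabled and len(fields) > 2 and fields[2] != "-" else None
        active[fields[0]] = cert
    return active


def classify(days, warn_days):
    if days is None:
        return "UNKNOWN"       # active certificate not found in the certificate table
    if days < 0:
        return "EXPIRED"
    return "EXPIRING" if days <= warn_days else "OK"


def check_ssl_certificates(cert_show, ssl_show, now, warn_days=30):
    """Return {vserver: (cert_name, days_left, status)} for every SVM in ssl_show."""
    certs = parse_cert_show(cert_show)
    report = {}
    for vserver, cert in parse_ssl_show(ssl_show).items():
        if cert is None:
            report[vserver] = (None, None, "SSL DISABLED")
            continue
        expires = certs.get((vserver, cert))
        days = (expires - now).days if expires else None
        report[vserver] = (cert, days, classify(days, warn_days))
    return report


if __name__ == "__main__":
    for svm, (cert, days, status) in check_ssl_certificates(
            CERT_SHOW, SSL_SHOW, SAMPLE_NOW).items():
        print(f"{svm:<14} {cert or '-':<22} {str(days):>6}  {status}")
```

Run it against real output by replacing the two constants with the captured text and `SAMPLE_NOW` with `datetime.now()`; an SVM reported as EXPIRING or EXPIRED is a candidate for the renewal steps below, and one reported as SSL DISABLED is the state the cluster SVM is in between deleting the old certificate and re-enabling SSL.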

  4. To renew the certificate, delete the existing one and create a new certificate with a longer validity period. Before deleting it, record the details of the existing certificate; you will need them to supply the same parameters when creating the new one.
  5. For example, to renew the certificate Common_name.cert, which is used by the cluster, run:
    ClusterA-01::*> security certificate show -instance -vserver ClusterA-01 -common-name Common_name.cert
                                 Vserver: ClusterA-01
              FQDN or Custom Common Name: Common_name.cert
     Size of Requested Certificate(bits): 2048

                  Certificate Start Date: Tue Aug 27 08:37:29 2012
             Certificate Expiration Date: Wed Aug 27 08:37:29 2013
                  Public Key Certificate: -----BEGIN CERTIFICATE-----
                                          MIIDcjCCAlqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADBkMRgwFgYDVQQDEw9jbTIy
                                          NDRhLWNuLmNlcnQxCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEJ
                                          MAcGA1UEChMAMQkwBwYDVQQLEwAxDzANBgkqhkiG9w0BCQEWADAeFw0xMzA4Mjcw
                                          ODM3MjlaFw0xNDA4MjcwODM3MjlaMGQxGDAWBgNVBAMTD2NtMjI0NGEtY24uY2Vy
                                          dDELMAkGA1UEBhMCVVMxCTAHBgNVBAgTADEJMAcGA1UEBxMAMQkwBwYDVQQKEwAx
                                          CTAHBgNVBAsTADEPMA0GCSqGSIb3DQEJARYAMIIBIjANBgkqhkiG9w0BAQEFAAOC
                                          AQ8AMIIBCgKCAQEA3PEMyBt4AwKPekmsCmkhGJ9Z53BEZHlwK4ZmLrh2HFVAQIge
                                          I3dpBgMKKJFHuT3xihDzK3SOBDe6ntNUu4AKyaElIR7oluFIPjL5x6Dv0u6DIJZB
                                          FCjOT8BaSXoyfiDbhkYWtpaTD7WNLXCri/FOCZlCqM/IDUC26I5zyXGsS/tlR7cD
                                          xehm1dgyhO+W4RBT9pe0PiK6tOAWHBgtUlmsT8Lw6snmc04XkDG9t4ngaPTjh8CI
                                          m59DzRDeiavCDIzpph66PxvJMW4AQ8DbX+MitIotnXCS/N9cDMZBESw0okvsKtaD
                                          6QHa6e9hzY2iF8u0D6Sz9aeFPaeB6UWSXMPEFwIDAQABoy8wLTAMBgNVHRMBAf8E
                                          AjAAMB0GA1UdDgQWBBQLzWaEqrJPDdABSfUpqYXr/RG3MTANBgkqhkiG9w0BAQsF
                                          AAOCAQEABsbfubJz9rmvJ6CFk5oxx+xNuM03yWu2MOlBe7rJJZh5K9SsXFChrRsD
                                          cKriJxXbWZ7VrImwqsvvBb/7f/zD7VW13/ZHVdIevoPsWwdx9oFQbiUQ2JlvNkoq
                                          j+o/cff7G142GqlP9DNxACUtLKB5+t+LCRGSqHGaQusAMsYQTMri3ktricxnaNKC
                                          xIdnFoGb1HgvqpVPkBabQst8HDv0lJ3DIDUwMIjOFDhpO47nyUaGbO+COgXT4f1g
                                          eeM4HbkoMPSK88uK0mvQcJ83R1953tkiFvpqnwbbmIfpWJ3YQ9ENAin4BnJk2Sum
                                          hiUKSYG+1E2p1gLF3yblxUf3/zKRaw==
                                          -----END CERTIFICATE-----
            Country Name (2 letter code): US
      State or Province Name (full name):
               Locality Name (e.g. city):
        Organization Name (e.g. company):
        Organization Unit (e.g. section):
            Email Address (Contact Name):
                   Certificate Authority: Self-Signed
                                Protocol: SSL
                         Type of Service: server
                        Hashing Function: SHA256
  6. Delete the expired certificate:

ClusterA-01::*> security certificate delete -common-name Common_name.cert -ca Common_name.cert -type server -vserver ClusterA-01 -serial 5514941E

Warning: Deleting a server certificate will also delete the corresponding
server-chain certificate, if one exists.
Do you want to continue? {y|n}:

Important: As soon as you delete the certificate, the SSL service for that SVM is disabled.

ClusterA-01::*> ssl show
  (security ssl show)
Vserver        Enabled SSL Certificate Name
-------------- ------- -------------------------
cifs           true    cifs.cert
cifs_vs        true    13.cert.1377240681
ClusterA-01    false   -
svm01          true    svm1.cert
svm2           true    svm2.cert

  7. Create a new certificate with a longer validity period:

ClusterA-01::*> security certificate create -vserver ClusterA-01 -common-name Common_name.cert -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256

  8. Check the newly created certificate:
    ClusterA-01::*> security certificate show -instance -vserver ClusterA-01 -common-name Common_name.cert
                             Vserver: ClusterA-01

          FQDN or Custom Common Name: Common_name.cert
 Size of Requested Certificate(bits): 2048
              Certificate Start Date: Mon Sep 02 21:10:05 2013
         Certificate Expiration Date: Thu Aug 31 21:10:05 2023
              Public Key Certificate: -----BEGIN CERTIFICATE-----
                                      MIIDcjCCAlqgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBkMRgwFgYDVQQDEw9jbTIy
                                      NDRhLWNuLmNlcnQxCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEJ
                                      MAcGA1UEChMAMQkwBwYDVQQLEwAxDzANBgkqhkiG9w0BCQEWADAeFw0xMzA5MDIy
                                      MTEwMDVaFw0yMzA4MzEyMTEwMDVaMGQxGDAWBgNVBAMTD2NtMjI0NGEtY24uY2Vy
                                      dDELMAkGA1UEBhMCVVMxCTAHBgNVBAgTADEJMAcGA1UEBxMAMQkwBwYDVQQKEwAx
                                      CTAHBgNVBAsTADEPMA0GCSqGSIb3DQEJARYAMIIBIjANBgkqhkiG9w0BAQEFAAOC
                                      AQ8AMIIBCgKCAQEAsOYe1W/1nE/H1q7QeZWrqlghBLrUy49i0eYVu7h/5RspH3iZ
                                      nxEOG7aKu0B1RYjc8VlFcDa9OhlzBD7cePjsAyrGUZPyJNsRXJkigBTcGsWNdetw
                                      UeU3ZHKQJ7Gl/n02ku/tjT+GW7hXs0McsvQ3snWfVnDS6XvCJtE5IWkY3Vm2vYia
                                      l0YSYNGQ3UDlUV1zor9bUK5ZLpitHdP26nZWmGiI7nK/vN3SkH+D69i+LeBGGyK/
                                      XmfA2/c2IKVUpaqDlhtOUrZmravr4/M8vy+Ah5pHD0qcdVq4FBJ5GsdIPWU8QalA
                                      JZT1MFWUklqLlpXM0yeLI2DR+8FtEC9hkeiURQIDAQABoy8wLTAMBgNVHRMBAf8E
                                      AjAAMB0GA1UdDgQWBBRELU34ycRP2gtYLTnISM+QOjILUzANBgkqhkiG9w0BAQsF
                                      AAOCAQEAVqDFm7Nje2YbSiq+x26/aj9qPnGrByF+yLdn0SF1VevJvahEM46yCFsF
                                      Wk62KxGCWEoRBwsAxZMlp7SnEiU8o+nhhB9nLBhQgE0cHavCezy2t/rugqjWC/b5
                                      eBKFjbH6pXP+Sjo3jEQktgRWd9fBVH/d+YsapU73K/IypgZuKrnSqobSk/SM7dPc
                                      J/qEDYI3GgUDfcML4arGYnRoDl87mD6UpEm9CR/ldOe/Qie1yLtKkHJIR9oc0+XD
                                      zrU7eM9riy44FsQM9oXcHgZ08G2E83r/6DyNyqGa5uSWzbCnKfxyHVrN3iVhLw7n
                                      CWPAB8Q25182e4eMLg8CrntOjyS0sQ==
                                      -----END CERTIFICATE-----
        Country Name (2 letter code): US
 State or Province Name (full name):
           Locality Name (e.g. city):
    Organization Name (e.g. company):
    Organization Unit (e.g. section):
        Email Address (Contact Name):
               Certificate Authority: Self-Signed
                            Protocol: SSL
                     Type of Service: server
                    Hashing Function: SHA256
  9. Even after the new certificate has been created, the SSL service remains disabled and you will not be able to reach any service over HTTPS until you re-enable it:
ClusterA-01::> ssl show
  (security ssl show)
                     Serial                              Server       Client
Vserver             Number     Common Name              Enabled      Enabled
---------           -------    -------------           ----------   ---------
SCVserver           5527B24F   SCVserver.cert           false        false
Certificate Authority: SCVserver.cert

SRA                 552BA58D   SRA.cert                 true         false
Certificate Authority: SRA.cert

ClusterA-01         55348AB0   ClusterA-01              true         false
Certificate Authority: ClusterA-01

ClusterA-01         54F7D5D8   ClusterA-01.cert         true         false
Certificate Authority: cm6240c-rtp2-cluster.cert

ClusterA-01-01      54F7D5D7   ClusterA-01-01.cert      true         false
Certificate Authority: cm6240c-rtp2-cluster-01.cert

ClusterA-01-02      54F7D870   ClusterA-01-02.cert      true         false
Certificate Authority: cm6240c-rtp2-cluster-02.cert

  10. Enable SSL after creating the new certificate:

    ClusterA-01::> ssl modify -vserver ClusterA-01 -server-enabled true
      (security ssl modify)

    Warning: The certificate Common_name.cert is a self-signed certificate, which offers no verification of identity by client machines. This presents the risk of man-in-the-middle attacks by malicious third-parties.
    Do you want to continue? {y|n}: y

    Note: If you are enabling SSL with a manually created certificate whose common name differs from the SVM name, the command must identify the certificate explicitly:

    security ssl modify -vserver <vserver_name> -server-enabled true -ca <certificate_authority> -client-enabled false -serial <serial_number> -common-name <common_name>

    For example:
    ClusterA-01::*> security ssl modify -vserver test_cert -server-enabled true -ca test_cert -client-enabled false -serial 535371EBE64C3 -common-name test_cert
  11. Verify that the SSL service is enabled:
ClusterA-01::> ssl show
  (security ssl show)
                     Serial                              Server       Client
Vserver             Number     Common Name              Enabled      Enabled
---------           -------    -------------           ----------   ---------
SCVserver           5527B24F   SCVserver.cert           true         false
Certificate Authority: SCVserver.cert

SRA                 552BA58D   SRA.cert                 true         false
Certificate Authority: SRA.cert

ClusterA-01         55348AB0   ClusterA-01              true         false
Certificate Authority: ClusterA-01

ClusterA-01         54F7D5D8   ClusterA-01.cert         true         false
Certificate Authority: cm6240c-rtp2-cluster.cert

ClusterA-01-01      54F7D5D7   ClusterA-01-01.cert      true         false
Certificate Authority: cm6240c-rtp2-cluster-01.cert

ClusterA-01-02      54F7D870   ClusterA-01-02.cert      true         false
Certificate Authority: cm6240c-rtp2-cluster-02.cert
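The warning ONTAP prints when SSL is enabled is the real risk of a self-signed certificate: a client has no authority to check the identity against, so anything answering on the management address could present its own certificate. The practical mitigation is to pin the certificate you just created. The following Python script is an added example and is not NetApp's code: it takes the PEM that `security certificate show -instance` prints in the Public Key Certificate field (the indented, labelled form shown in step 8), computes its SHA-256 fingerprint, connects to the management LIF and compares that fingerprint with the certificate actually served. A match also confirms that SSL is serving the new certificate rather than the old one. Chain verification is switched off on purpose, because a self-signed certificate cannot pass it; the fingerprint comparison is the identity check. The host name and port are assumptions, and the certificate bytes embedded for the offline run are a constructed placeholder, not a real certificate.

```python
"""Fingerprint check of the certificate an ONTAP LIF serves (added example).

Stdlib only.  The PEM pasted from `security certificate show -instance` is the
expected value; the certificate the management LIF presents is the observed
value.  Identity is established by comparing SHA-256 fingerprints.
"""
import base64
import hashlib
import socket
import ssl
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder standing in for real DER certificate bytes.  In use,
# replace SAMPLE_PEM with the Public Key Certificate field printed by ONTAP.
SAMPLE_DER = bytes(range(256)) * 3
_b64 = base64.b64encode(SAMPLE_DER).decode()
_indent = " " * 42
SAMPLE_PEM = "\n".join(
    ["                  Public Key Certificate: " + BEGIN]
    + [_indent + _b64[i:i + 64] for i in range(0, len(_b64), 64)]
    + [_indent + END])


def pem_to_der(pem_text):
    """Extract DER bytes from a PEM block, tolerating the field label and the
    indentation ONTAP prints around the Public Key Certificate value."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    starts = [i for i, ln in enumerate(lines) if ln.endswith(BEGIN)]
    ends = [i for i, ln in enumerate(lines) if ln == END]
    if not starts or not ends or ends[0] <= starts[0]:
        raise ValueError("no PEM certificate block found")
    body = "".join(lines[starts[0] + 1:ends[0]])
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der_bytes):
    """Upper-case, colon-separated SHA-256 fingerprint, the form that
    `openssl x509 -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def fetch_server_der(host, port=443, timeout=5.0):
    """Return the DER certificate the server presents.  Chain verification is
    disabled: a self-signed ONTAP certificate cannot pass it, and identity is
    checked by fingerprint in compare() instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(served_der, expected_pem):
    """Return (match, served_fingerprint, expected_fingerprint) so that a
    mismatch can be logged with both values."""
    served = sha256_fingerprint(served_der)
    expected = sha256_fingerprint(pem_to_der(expected_pem))
    return served == expected, served, expected


def verify_pinned(host, expected_pem, port=443):
    """Compare the certificate served by host:port with the pasted PEM."""
    return compare(fetch_server_der(host, port), expected_pem)


if __name__ == "__main__":
    if len(sys.argv) > 1:   # python pin_check.py <cluster-mgmt-LIF> < cert_from_ontap.txt
        ok, served, expected = verify_pinned(sys.argv[1], sys.stdin.read())
    else:                   # offline demonstration on the constructed placeholder
        ok, served, expected = compare(SAMPLE_DER, SAMPLE_PEM)
    print(f"served   {served}\nexpected {expected}\nmatch    {ok}")
    sys.exit(0 if ok else 1)
```

A mismatch after step 10 means one of two things: SSL on that SVM is still bound to another certificate (re-check `security ssl show` and the `-serial`/`-common-name` form of `security ssl modify`), or the address is not being answered by the storage system. Record the expected fingerprint with the change ticket; it is the only stable identity a self-signed certificate gives you.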