NetApp Knowledge Base

What is the Certificate Truststore in ONTAP?

Category:
ontap-9
Specialty:
core
Applies to

  • ONTAP 9
  • AutoSupport

Answer

What is the Certificate Truststore?

Beginning with ONTAP 9.2, a set of trusted root CA certificates was introduced into ONTAP's certificate management so that applications running in ONTAP can, through the admin SVM, seamlessly establish TLS connections to external entities. Each certificate has an expiration date associated with it.

When are the Truststore Certificates installed?

The Truststore Certificates are installed only on the admin SVM during an ONTAP install of 9.2, or during an upgrade to ONTAP 9.2.

How can I view the installed Truststore Certificates?

You can view the Truststore Certificates that are installed on the admin SVM by using the security certificate show command:

security certificate show -vserver * -type server-ca

Note: The security certificate show -vserver * -type server-ca command lists both user-installed certificates and the Truststore Certificates. In ONTAP 9.4 and later, security certificate show-truststore can be used to view only the default Truststore Certificates.

ONTAP 9 Documentation Center

What happens if a Truststore Certificate expires?

If a Truststore Certificate expires, you may decide to delete it or leave it alone. The Truststore Certificates are automatically updated as needed as part of every ONTAP release.
This is also explained in Bug 1245418.

EMS will report the following, starting 30 days prior to expiry:

Example:
Tue Jul 09 00:00:01 CEST [node-name: mgwd: mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority 'UTN-USERFirst-Hardware' and type server-ca for Vserver ADMIN-SVM will expire in the next 0 day(s).

As of July 2019, three Truststore Certificates are known to have expired. NetApp has reviewed these certificates and they can be safely deleted.

Name of Vserver: Netapp1
FQDN or Custom Common Name: Class2PrimaryCA
Serial Number of Certificate: 85BD4BF3D8DAE369F694D75FC3A54423
Certificate Authority: Class 2 Primary CA
Type of Certificate: server-ca
Certificate Expiration Date: Sat Jul 06 18:59:59 2019
Protocol: SSL
Hashing Function: SHA1

Name of Vserver: Netapp1
FQDN or Custom Common Name: DeutscheTelekomRootCA2
Serial Number of Certificate: 26
Certificate Authority: Deutsche Telekom Root CA 2
Type of Certificate: server-ca
Certificate Expiration Date: Tue Jul 09 18:59:00 2019
Protocol: SSL
Hashing Function: SHA1

Name of Vserver: Netapp1
FQDN or Custom Common Name: UTN-USERFirst-Hardware
Serial Number of Certificate: 44BE0C8B500024B411D3362AFE650AFD
Certificate Authority: UTN-USERFirst-Hardware
Type of Certificate: server-ca
Certificate Expiration Date: Tue Jul 09 13:19:22 2019
Protocol: SSL
Hashing Function: SHA1

Per the Bug workaround, delete the certificate using the 'security certificate delete' command.
Example (replace <vserver_name> with the name of the admin SVM):
::> security certificate delete -vserver <vserver_name> -common-name Class2PrimaryCA -type server-ca -ca "Class 2 Primary CA" -serial
(pressing Tab after -serial completes the serial number)
::> security certificate delete -vserver <vserver_name> -common-name Class2PrimaryCA -type server-ca -ca "Class 2 Primary CA" -serial 85BD4BF3D8DAE369F694D75FC3A54423
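
As an added example (not part of the NetApp article), the following Python helper parses the mgmtgwd.certificate.expiring EMS event shown above and builds the matching 'security certificate delete' command, but only for the three serial numbers the article lists as reviewed by NetApp; any other truststore certificate is reported as "keep". The sample EMS line is constructed from the article's example, and the function and variable names are this example's own.

```python
import re

# Constructed sample EMS line, modelled on the mgmtgwd.certificate.expiring event quoted above.
EMS_LINE = (
    "Tue Jul 09 00:00:01 CEST [node-name: mgwd: mgmtgwd.certificate.expiring:error]: "
    "A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, "
    "Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority "
    "'UTN-USERFirst-Hardware' and type server-ca for Vserver ADMIN-SVM will expire in the next 0 day(s)."
)
EMS_RE = re.compile(
    r"mgmtgwd\.certificate\.expiring:(?P<severity>\w+)\].*?"
    r"\(FQDN\) (?P<fqdn>\S+), Serial Number (?P<serial>[0-9A-Fa-f]+), "
    r"Certificate Authority '(?P<ca>[^']+)' and type (?P<type>\S+) "
    r"for Vserver (?P<vserver>\S+) will expire in the next (?P<days>\d+) day\(s\)"
)

# Serials of the three expired truststore certificates the article lists as reviewed by NetApp.
REVIEWED_EXPIRED_SERIALS = {
    "85BD4BF3D8DAE369F694D75FC3A54423",  # Class 2 Primary CA
    "26",                                # Deutsche Telekom Root CA 2
    "44BE0C8B500024B411D3362AFE650AFD",  # UTN-USERFirst-Hardware
}

def parse_ems_expiring(line):
    """Extract the certificate fields from a mgmtgwd.certificate.expiring event; None if no match."""
    m = EMS_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["days"] = int(fields["days"])
    return fields

def delete_command(cert):
    """Render the 'security certificate delete' command from the article for one parsed event."""
    return (f"security certificate delete -vserver {cert['vserver']} -common-name {cert['fqdn']} "
            f"-type {cert['type']} -ca \"{cert['ca']}\" -serial {cert['serial']}")

def recommend(cert):
    """Emit a delete command only for reviewed server-ca truststore certificates; keep everything
    else, since the article warns that deleting truststore certificates can break AutoSupport."""
    if cert["type"] != "server-ca":
        return "keep: not a server-ca truststore certificate"
    if cert["serial"].upper() not in REVIEWED_EXPIRED_SERIALS:
        return "keep: truststore certificate not on the NetApp-reviewed list"
    return delete_command(cert)

if __name__ == "__main__":
    cert = parse_ems_expiring(EMS_LINE)
    print(recommend(cert))
```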

What happens if I delete a Truststore Certificate?

For the most part, an expired certificate is likely unused. Deleting Truststore Certificates may nevertheless cause some ONTAP applications (for example, AutoSupport) not to function as expected.

Can we create the Truststore Certificate with a new expiration date?

No. A new certificate must be re-issued by the Certificate Authority and then re-installed. As mentioned above, however, the Truststore Certificates are automatically updated as needed as part of every ONTAP release.
