NetApp Knowledgebase

What is the RSA key size supported by NetApp with OpenSSL FIPS?

Category:
ontap-9
Specialty:
core

Applies to

  • ONTAP 9
  • NetApp Storage Encryption

Answer

When creating certificates with OpenSSL FIPS, be sure to select a supported RSA key size of 2048 or 3072 bits.

Per the man page for the command security certificate create in ONTAP 9.x:

-size <size of requested certificate in bits> - Size of Requested Certificate in Bits
This specifies the number of bits in the private key. The larger the value, the more secure is the key. The default is 2048. Possible
values include 512, 1024, 1536, 2048 and 3072 when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true,
the possible values are 2048 and 3072.

ONTAP will warn you if you specify an unsupported size with the 'security certificate create' command while FIPS mode is enabled.

Example:
Cluster::*> security config show
          Cluster                                              Cluster Security
Interface FIPS Mode  Supported Protocols Supported Ciphers     Config Ready
--------- ---------- ------------------- --------------------- ----------------
SSL       true       TLSv1.2             ALL:!LOW:!aNULL:!EXP: yes
                                         !eNULL:!3DES
Cluster::*> security certificate create -common-name test -size 4096
Error: "4096" is an invalid value for field "-size "  Valid choices in this command's context: 2048,3072

Example: If the certificate was created on the KMIP server with a key size of 4096 and then installed in ONTAP, the following will be seen when trying to communicate with the KMIP server (every registered key manager reports a status of unknown):

Cluster::> security key-manager show -status
Node                    Port    Registered Key Manager       Status
----------------------  ------  ---------------------------  ---------------
Cluster-node1             5696    10.0.13.91                   unknown
Cluster-node1             5696    10.0.13.92                   unknown
Cluster-node1             5696    10.4.13.95                   unknown
Cluster-node1             5696    10.4.13.96                   unknown
Cluster-node2             5696    10.0.13.91                   unknown
Cluster-node2             5696    10.0.13.92                   unknown
Cluster-node2             5696    10.4.13.95                   unknown
Cluster-node2             5696    10.4.13.96                   unknown
8 entries were displayed
Solution: remove the certificate and install a new certificate using a supported RSA key size (2048 or 3072 bits when FIPS mode is true).
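Both failures above (the rejected `-size 4096` and the KMIP servers stuck at "unknown") can be caught before the certificate ever reaches ONTAP by reading the RSA modulus size out of the public key and comparing it against the sizes the man page lists for each FIPS mode. The following is an added example, not NetApp's code and not part of the original article: a minimal DER walker that reads the modulus from a PEM public key (PKCS#1 `RSA PUBLIC KEY` or X.509 `PUBLIC KEY`) and reports whether ONTAP would accept that size. The allowed-size sets come from the man page text quoted above; the sample keys are constructed placeholders (an odd number of the requested width, not a real RSA modulus) so the script runs offline without any key-generation library. The function and helper names are my own.

```python
import base64
import re

# Sizes the ONTAP man page lists for 'security certificate create -size'.
FIPS_ALLOWED_SIZES = {2048, 3072}
NON_FIPS_ALLOWED_SIZES = {512, 1024, 1536, 2048, 3072}

RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def _read_tlv(data, offset=0):
    """Decode one DER tag/length/value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[offset:offset + count], "big")
        offset += count
    return tag, data[offset:offset + length], offset + length


def _pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def rsa_modulus_bits(pem):
    """Return the RSA modulus bit length from a PEM public key (PKCS#1 or SubjectPublicKeyInfo)."""
    tag, seq, _ = _read_tlv(_pem_to_der(pem))
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, first, off = _read_tlv(seq)
    if tag == 0x02:                       # PKCS#1: SEQUENCE { INTEGER n, INTEGER e }
        modulus = first
    elif tag == 0x30:                     # SPKI: SEQUENCE { AlgorithmIdentifier, BIT STRING }
        if not first.startswith(RSA_OID_DER):
            raise ValueError("not an rsaEncryption key")
        tag, bitstr, _ = _read_tlv(seq, off)
        if tag != 0x03:
            raise ValueError("expected BIT STRING")
        _, inner, _ = _read_tlv(bitstr[1:])   # skip the unused-bits byte, then RSAPublicKey
        tag, modulus, _ = _read_tlv(inner)
        if tag != 0x02:
            raise ValueError("expected INTEGER modulus")
    else:
        raise ValueError("unrecognised key structure")
    return int.from_bytes(modulus, "big").bit_length()


def check_for_ontap(pem, fips_mode=True):
    """Return (bits, ok): ok is True when ONTAP accepts this size in the given FIPS mode."""
    bits = rsa_modulus_bits(pem)
    allowed = FIPS_ALLOWED_SIZES if fips_mode else NON_FIPS_ALLOWED_SIZES
    return bits, bits in allowed


# --- Constructed sample keys: NOT real RSA keys, only the right modulus width ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:                 # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def _der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def make_pkcs1_pem(bits, e=65537):
    n = (1 << (bits - 1)) | 1         # placeholder modulus of exactly 'bits' bits
    return _pem("RSA PUBLIC KEY", _der_seq(_der_int(n), _der_int(e)))


def make_spki_pem(bits, e=65537):
    rsa_key = _der_seq(_der_int((1 << (bits - 1)) | 1), _der_int(e))
    alg_id = _der_seq(RSA_OID_DER, b"\x05\x00")          # rsaEncryption with NULL params
    bit_string = b"\x03" + _der_len(len(rsa_key) + 1) + b"\x00" + rsa_key
    return _pem("PUBLIC KEY", _der_seq(alg_id, bit_string))


if __name__ == "__main__":
    for bits in (1024, 2048, 3072, 4096):
        size, ok = check_for_ontap(make_pkcs1_pem(bits), fips_mode=True)
        print(f"{size}-bit key: {'accepted' if ok else 'rejected'} in FIPS mode")
```

To run this against a real certificate destined for ONTAP or a KMIP server, extract its public key with `openssl x509 -in cert.pem -pubkey -noout` and pass the resulting `PUBLIC KEY` PEM to `check_for_ontap`; a 4096-bit key will come back as rejected in FIPS mode, which is exactly the case the two examples above show failing after installation.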

Additional Information