What is the RSA key size supported by NetApp with OpenSSL FIPS?
Applies to
- ONTAP 9
- NetApp Storage Encryption
Answer
When creating certificates with OpenSSL FIPS, be sure to select a supported size of 2048 or 3072.
Per the man page for the 'security certificate create' command in ONTAP 9.x:
-size <size of requested certificate in bits> - Size of Requested Certificate in Bits
This specifies the number of bits in the private key. The larger the value, the more secure is the key. The default is 2048. Possible
values include 512, 1024, 1536, 2048 and 3072 when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true,
the possible values are 2048 and 3072.
ONTAP will warn you if using the 'security certificate create' command.
Cluster::*> security config show
          Cluster                                           Cluster Security
Interface FIPS Mode  Supported Protocols Supported Ciphers     Config Ready
--------- ---------- ------------------- --------------------- ----------------
SSL       true       TLSv1.2             ALL:!LOW:!aNULL:!EXP: yes
                                         !eNULL:!3DES
Cluster::> security key-manager show -status
Node                   Port   Registered Key Manager      Status
---------------------- ------ --------------------------- ---------------
Cluster-node1          5696   10.0.13.91                  unknown
Cluster-node1          5696   10.0.13.92                  unknown
Cluster-node1          5696   10.4.13.95                  unknown
Cluster-node1          5696   10.4.13.96                  unknown
Cluster-node2          5696   10.0.13.91                  unknown
Cluster-node2          5696   10.0.13.92                  unknown
Cluster-node2          5696   10.4.13.95                  unknown
Cluster-node2          5696   10.4.13.96                  unknown
8 entries were displayed
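A pre-flight check for automation that issues 'security certificate create', combining the size rule from the man page text with the FIPS Mode value read from 'security config show' output. This is an added example, not NetApp code; the function names parse_fips_mode, allowed_sizes and check_size are hypothetical, and the sample output is constructed from the listing above.

```python
import re

# Sizes from the ONTAP 9.x man page text quoted above.
SIZES_NON_FIPS = (512, 1024, 1536, 2048, 3072)
SIZES_FIPS = (2048, 3072)

# Constructed sample: the 'security config show' output shown on this page.
SAMPLE_OUTPUT = """\
Cluster::*> security config show
          Cluster                                           Cluster Security
Interface FIPS Mode  Supported Protocols Supported Ciphers     Config Ready
--------- ---------- ------------------- --------------------- ----------------
SSL       true       TLSv1.2             ALL:!LOW:!aNULL:!EXP: yes
                                         !eNULL:!3DES
"""

def parse_fips_mode(cli_output):
    """Return True/False for the SSL interface row of 'security config show'."""
    past_rule = False
    for line in cli_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if not past_rule:
            # The data rows start after the dashed rule under the headers.
            past_rule = all(re.fullmatch(r"-+", f) for f in fields)
            continue
        if fields[0] == "SSL" and len(fields) > 1 and fields[1] in ("true", "false"):
            return fields[1] == "true"
    raise ValueError("no SSL row with a FIPS Mode value found")

def allowed_sizes(fips_mode):
    return SIZES_FIPS if fips_mode else SIZES_NON_FIPS

def check_size(cli_output, size):
    """Return (ok, message) for a planned 'security certificate create -size'."""
    fips = parse_fips_mode(cli_output)
    allowed = allowed_sizes(fips)
    if size in allowed:
        return True, f"size {size} is accepted (FIPS Mode {str(fips).lower()})"
    return False, (f"size {size} is not accepted with FIPS Mode "
                   f"{str(fips).lower()}; use one of {list(allowed)}")

if __name__ == "__main__":
    for size in (1024, 2048, 3072, 4096):
        print(check_size(SAMPLE_OUTPUT, size))
```

If the FIPS Mode value cannot be read from the output, parse_fips_mode raises instead of assuming a mode, so a script stops rather than requesting a size the cluster will not accept.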
Additional Information