Skip to main content
NetApp Knowledge Base

How to renew an ONTAP self-signed SSL certificate via command line

Last Updated:

Applies to

  • ONTAP 9
  • Self-signed certificates


  • This article describes the procedure to renew an SSL self-signed certificate on the command line in ONTAP 9 storage systems.
  • FPolicy, Anti-Virus, System Manager, or other connections to port 443 (HTTPS) may fail if required certificate expires.

In ONTAP 9.10.1 and later, System Manager can also be used to renew expiring certificates.  See How to renew an ONTAP self-signed certificate in System Manager user interface.


Note: If there are any concerns about disruption of HTTPS services, perform this task during a maintenance window.

  1. Identify expired or expiring server certificates: 

::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server


::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server 
vserver common-name serial           ca       type   subtype cert-name expiration
------- ----------- ---------------- -------- ------ ------- --------- ------------------------
clus1   affc190     16E3A53D8D90E881 affc190  server -       affc190   Fri Apr 07 10:59:32 2023
svm1    svm1_A      16FD6CBB01F4F813 svm1_A   server -       svm1_A    Fri Jun 30 14:35:51 2022
2 entries were displayed.

  1. Create new self-signed certificate:

::> security certificate create -common-name <name> -type server -size 2048 -email-addr <email> -expire-days 365 -protocol SSL -hash-function SHA256 -vserver <svm name>


::> security certificate create -common-name svm1_B -type server -size 2048 -email-addr ""  
-expire-days 365 -protocol SSL -hash-function SHA256 -vserver svm1
The certificate's generated name for reference: svm1_B

  1. Enable new certificate for SSL use:

::> security ssl modify -server-enabled true -vserver <svm name> -ca <auth> -serial <serial>

Note: Only one server certificate can be enabled for a SVM.  Existing certificate is marked false as part of this this command.


::> security ssl modify -server-enabled true -vserver svm1 -ca svm1_B -serial 16FD31BFCD1F353C
Warning: The certificate svm1_B is a self-signed certificate, which offers no verification of identity       
by client machines.  This presents the risk of man-in-the-middle attacks by malicious third-parties.
Do you want to continue? {y|n}: y

  1. Verify the certificate is enabled for SSL:

::> security ssl show -common-name <common name>


::> security ssl show -common-name svm1_B
          Serial                        Server  Client
Vserver   Number            Common Name Enabled Enabled      
--------- ----------------  ----------- ------- -------
svm1      16FD31BFCD1F353C  svm1_B      true    false
 Certificate Authority: svm1_B

  1. Delete expired certificate:

::> security certificate delete -type server -vserver <svm name> -common-name <common name> -ca <auth> -serial <serial>


::> security certificate delete -type server -vserver svm1 -common-name svm1_A -ca svm1_A -serial 16FD6CBB01F4F813  
Warning: Deleting a server certificate will also delete the corresponding server-chain certificate, if one exists.
Do you want to continue? {y|n}: y


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.