How to renew an ONTAP self-signed SSL certificate via command line
Applies to
- ONTAP 9
- Self-signed certificates
Description
- This article describes the procedure to renew an SSL self-signed certificate on the command line in ONTAP 9 storage systems.
- FPolicy, Anti-Virus, System Manager, or other connections to port 443 (HTTPS) may fail if the required certificate expires.
In ONTAP 9.10.1 and later, System Manager can also be used to renew expiring certificates. See How to renew an ONTAP self-signed certificate in System Manager user interface.
WARNING: If using SAML, disable SAML before renewing the cluster certificate. After the certificate is renewed, SAML will need to be re-configured.
Procedure
Note: If there are any concerns about disruption of HTTPS services, perform this task during a maintenance window.
- Identify expired or expiring server certificates:
::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
- Example
::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
vserver common-name serial           ca      type   subtype cert-name expiration
------- ----------- ---------------- ------- ------ ------- --------- ------------------------
clus1   affc190     16E3A53D8D90E881 affc190 server -       affc190   Fri Apr 07 10:59:32 2023
svm1    svm1_A      16FD6CBB01F4F813 svm1_A  server -       svm1_A    Fri Jun 30 14:35:51 2022
2 entries were displayed.
- Create new self-signed certificate:
::> security certificate create -common-name <name> -type server -size 2048 -email-addr <email> -expire-days 365 -protocol SSL -hash-function SHA256 -vserver <svm name>
- Example
::> security certificate create -common-name svm1_B -type server -size 2048 -email-addr "admin@nowhere.com" -expire-days 365 -protocol SSL -hash-function SHA256 -vserver svm1
The certificate's generated name for reference: svm1_B
- Identify newly created certificate:
::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
- Example
::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
vserver common-name serial           ca      type   subtype cert-name expiration
------- ----------- ---------------- ------- ------ ------- --------- ------------------------
clus1   affc190     16E3A53D8D90E881 affc190 server -       affc190   Fri Apr 07 10:59:32 2023
svm1    svm1_A      16FD6CBB01F4F813 svm1_A  server -       svm1_A    Fri Jun 30 14:35:51 2022
svm1    svm1_B      16FD31BFCD1F353C svm1_B  server -       svm1_B    Fri Dec 16 14:35:51 2024
3 entries were displayed.
- Enable new certificate for SSL use:
::> security ssl modify -server-enabled true -vserver <svm name> -ca <auth> -serial <serial>
Note: Only one server certificate can be enabled per SVM. The previously enabled certificate has its server-enabled flag set to false as part of this command.
- Example
::> security ssl modify -server-enabled true -vserver svm1 -ca svm1_B -serial 16FD31BFCD1F353C
Warning: The certificate svm1_B is a self-signed certificate, which offers no verification of identity
by client machines. This presents the risk of man-in-the-middle attacks by malicious third-parties.
Do you want to continue? {y|n}: y
- Verify the certificate is enabled for SSL:
::> security ssl show -common-name <common name>
- Example
::> security ssl show -common-name svm1_B
          Serial                         Server  Client
Vserver   Number           Common Name   Enabled Enabled
--------- ---------------- ------------- ------- -------
svm1      16FD31BFCD1F353C svm1_B        true    false
Certificate Authority: svm1_B
- Delete expired certificate:
::> security certificate delete -type server -vserver <svm name> -common-name <common name> -ca <auth> -serial <serial>
- Example
::> security certificate delete -type server -vserver svm1 -common-name svm1_A -ca svm1_A -serial 16FD6CBB01F4F813
Warning: Deleting a server certificate will also delete the corresponding server-chain certificate, if one exists.
Do you want to continue? {y|n}: y
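As an added example (not from the article or from NetApp), the following Python script parses the output of the first step and flags server certificates that are expired or expiring within a warning window, so the check can run on a schedule instead of by eye. The sample output is constructed to match the article's example; the script assumes the output was captured from the cluster shell and saved as text.

```python
# Added example, not from the NetApp article: parse the output of
#   security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
# and list server certificates that are expired or expire within a warning window.
import re
from datetime import datetime, timedelta

# Constructed sample output, shaped like the article's example after the new certificate exists.
SAMPLE_OUTPUT = """\
vserver common-name serial           ca      type   subtype cert-name expiration
------- ----------- ---------------- ------- ------ ------- --------- ------------------------
clus1   affc190     16E3A53D8D90E881 affc190 server -       affc190   Fri Apr 07 10:59:32 2023
svm1    svm1_A      16FD6CBB01F4F813 svm1_A  server -       svm1_A    Fri Jun 30 14:35:51 2022
svm1    svm1_B      16FD31BFCD1F353C svm1_B  server -       svm1_B    Fri Dec 16 14:35:51 2024
3 entries were displayed.
"""

# One data row has eight whitespace-separated columns; requiring a hex serial also keeps
# the header, the dashed separator and the "N entries were displayed." footer from matching.
ROW_RE = re.compile(
    r"^(?P<vserver>\S+)\s+(?P<common_name>\S+)\s+(?P<serial>[0-9A-Fa-f]+)\s+(?P<ca>\S+)\s+"
    r"(?P<type>\S+)\s+(?P<subtype>\S+)\s+(?P<cert_name>\S+)\s+"
    r"(?P<expiration>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})$"
)

def parse_certificates(text):
    """Return one dict per server certificate row, with 'expiration' as a datetime."""
    certs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        # ONTAP prints the expiration like "Fri Apr 07 10:59:32 2023"
        row["expiration"] = datetime.strptime(" ".join(row["expiration"].split()),
                                              "%a %b %d %H:%M:%S %Y")
        certs.append(row)
    return certs

def expiring_certificates(certs, now, warn_days=30):
    """Rows already expired or expiring within warn_days of `now`; days_left < 0 means expired."""
    deadline = now + timedelta(days=warn_days)
    return [{**c, "days_left": (c["expiration"] - now).days}
            for c in certs if c["expiration"] <= deadline]

if __name__ == "__main__":
    for c in expiring_certificates(parse_certificates(SAMPLE_OUTPUT), datetime(2023, 3, 15)):
        print(f"{c['vserver']:8} {c['common_name']:10} serial={c['serial']} "
              f"expires {c['expiration']:%Y-%m-%d} ({c['days_left']} days)")
```

The serial and CA values printed for a flagged certificate are exactly the ones the later `security ssl modify` and `security certificate delete` steps need.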
Additional Information
For other certificate renewal methods, see: