Skip to main content
NetApp Knowledge Base

NSE: How can I renew expired NSE certificates connected to TKLM or SKLM key servers?

Last Updated:


Applies to

  • NetApp Storage Encryption
  • clustered Data ONTAP 8.x
  • ONTAP 9



On NSE systems that are using TKLM or SKLM key servers, expired certificates that require renewal will require the original client_private.key file. TKLM/SKLM defines access by the certificate. If a new client_private.key is created, the original keys stored on the TKLM/SKLM will not be accessible.

To renew the expired NSE client certificates, use the original client_private.key to generate a new client.csr. Sign the client.csr on the CA. Concatenate the client.pem and client_private.key to make the client_private.pem file. Test the updated certificates prior to installing them on the NSE system by running the following command:

openssl s_client -tls1 -connect <IP-Address-of-Key-Server>:5696 -verify 10 -showcerts -cert client.pem -key client_private.pem -CAfile <IP-Address-of-Key-Server>_CA.pem

For Example:

openssl s_client -tls1 -connect -verify 10 -showcerts -cert client.pem -key client_private.pem -CAfile

Data ONTAP 8.3 and lower
  1. In case there is a loss of power during the certificate replacement procedures, manually re-key the drives to default Key ID 0x0 temporarily before replacing the certificates. This is to prevent drive lockout during the certificate renewal process.
    Perform the following steps:
    1. Run: key_manager restore -all (load all Key IDs from attached key servers)
    2. Run: disk encrypt show (make a note of the encryption Key ID, as it will be used after certificate renewal)
    3. Run: disk encrypt rekey 0x0 * (re-keys drive to defaults and allows full drive access temporarily while certificates are replaced)
    4. Run: disk encrypt show (verify that all disks are re-keyed to 0x0)
  2. Display certificates
    1.  Run:  keymgr list cert
  3. Back up all the original certificates before replacing them on the NSE system.
  4. Remove certificates from the NSE system
    1.  Run: key_manager show  (get a list of current configured key servers)
    2.  Run: key_manager remove -key_server <IP-Address-of-Key-Server>
    Note: Repeat the procedure for all configured key servers.
    Run: keymgr delete cert client_private.pem.
    Run: keymgr delete cert client.pem.
    Run: keymgr delete cert <IP-Address-of-Key-Server>_CA.pem.
  5. Place newly generated certificates on the storage storage.  For this example,
  6. After installing the renewed certificates onto the NSE system, all the key servers must be removed and re-added. This step is required to copy the new certificates onto the CF card.
    To do this, perform the following steps:
    1. Run: key_manager show  (get a list of current configured key servers)
    2. Run: key_manager remove -key_server <IP_CA.pem>
      Note: Repeat the procedure for all configured key servers.
    3. Run: key_manager add –key_server <IP_CA.pem>
      Note: Repeat the procedure for all previously configured key servers.
    4. Run: key_manager query  (verify that the Key IDs are listed properly, the original Key IDs should be listed)
    5. Run: disk encrypt rekey <Key-ID> * (This is the Key ID from Step 1b above, the Key ID should also be on the key_manager query output)
    6. Run: disk encrypt show (Verify that all disks are re-keyed to the new Key ID and none of the drives have Key ID 0x0)
    7. Repeat the above procedures on the HA controller.
Data ONTAP 8.3.1 and higher

::> storage encryption disk modify -disk * -data-key-id 0x0
::> security key-manager remove -address key_management_server_ipaddress
::> security certificate delete -vserver admin_svm_name -type client -subtype kmip-cert  
::> security certificate install -vserver admin_svm_name -type client -subtype kmip-cert  

<-- this will prompt the following items in . pem which will have to be pasted in.

Cut & paste the public cert when prompted

Cut & paste the private key when prompted

::> security key-manager setup -node <name>

Repeat this for each node in the cluster.

::> security key-manager add  -address <key_management_server_ipaddress>

    Continue with creating the key ONLY if able to add and query the key-manager.

Verify if the key management servers are configured and available on all nodes in the cluster:
::> security key-manager show -status
::> security key-manager query

::> security key-manager create-key -prompt-for-key true

When prompted, enter the secret pass-phrase. It must be 20 to 32 characters long.

You can either use the ' -prompt-for-key true' setting, which will require you to paste the secret pass-phrase or ignore it, and Data ONTAP will randomly generate a pass-phrase. It has always been a best practice to provide a customer-specified pass-phrase for recovery purposes.

This will return a 40-60 character key ID, which is used in the next step.
Record the authentication key, as this is critical information

::> storage encryption disk modify -disk disk_id -data-key-id authentication_key_id * (same keyid displayed in output from previous command)
::> storage encryption disk show

Data ONTAP 9.0, Data ONTAP 9.1, and Data ONTAP 9.2

::> security certificate install -type client -subtype kmip-cert 

Please enter Certificate: Press <Enter> when done
<Paste the NSE Public Certificate named client.pem including the BEGIN and END statement>

Please enter Private Key: Press <Enter> when done
<Paste the NSE Private certificate named client_private.pem  including the BEGIN and END statement>                                                                                                                                                              

example of what to cut & paste:

When this is complete, run the following to update certificates on the local node:

::> security key-manager certificate update -type client
Rekeying the drives to default KeyID 0x0 will allow full access to the data on the encryption drives without the requirement for key server authentication. This leaves the drives unprotected against physical theft. It is important that the certificate renewal process are completed promptly and then rekey all the drives out of KeyID 0x0 after certificate renewal. Double check that none of the drives have a KeyID of 0x0.

Additional Information

Add your text here.


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.