NSE: How can I renew expired NSE certificates connected to TKLM or SKLM key servers?
Applies to
- NetApp Storage Encryption
- clustered Data ONTAP 8.x
- ONTAP 9
Answer
On NSE systems that use TKLM or SKLM key servers, renewing expired certificates requires the original client_private.key file. TKLM/SKLM grants access based on the client certificate, so if a new client_private.key is created, the keys already stored on the TKLM/SKLM will no longer be accessible.
To renew the expired NSE client certificates, use the original client_private.key to generate a new client.csr. Sign the client.csr on the CA. Concatenate client.pem and client_private.key to make the client_private.pem file. Test the updated certificates before installing them on the NSE system by running the following command:
openssl s_client -tls1 -connect <IP-Address-of-Key-Server>:5696 -verify 10 -showcerts -cert client.pem -key client_private.pem -CAfile <IP-Address-of-Key-Server>_CA.pem
For example:
openssl s_client -tls1 -connect 192.168.1.73:5696 -verify 10 -showcerts -cert client.pem -key client_private.pem -CAfile 192.168.1.73_CA.pem
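The certificate preparation described above, written out as checks a practitioner can run before touching the NSE system: it confirms that client.pem really belongs to the original client_private.key, builds the renewal CSR from that key, and only concatenates the two files when they match. This is an added example, not NetApp's code; file names follow this page, the function names are my own, and it assumes the openssl CLI is installed.

```shell
# Added example (not NetApp's code): pre-flight checks for renewing the NSE
# client certificate with the ORIGINAL client_private.key, as this page requires.
# Function names are this example's own; file names match the page.

# Print the public key (SubjectPublicKeyInfo, PEM) of a private key.
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Print the public key (SubjectPublicKeyInfo, PEM) embedded in a certificate.
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# Return 0 only if the certificate was issued for this private key. A mismatch
# means a new key was generated: TKLM/SKLM would then see a different client
# identity and the keys stored under the old certificate become unreachable.
key_matches_cert() {   # $1 = private key, $2 = certificate
  k=$(pubkey_of_key "$1") || return 2
  c=$(pubkey_of_cert "$2") || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {   # $1 = certificate, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Build the renewal CSR: reuse the expiring certificate's subject and sign the
# request with the original key. No new key is generated here, by design.
make_renewal_csr() {   # $1 = expiring cert, $2 = original key, $3 = CSR out
  key_matches_cert "$2" "$1" || return 1
  openssl x509 -x509toreq -in "$1" -signkey "$2" -out "$3" 2>/dev/null
}

# Concatenate the CA-signed client.pem and the original key into
# client_private.pem, refusing to write the file if they do not belong together.
build_client_private_pem() {   # $1 = signed cert, $2 = original key, $3 = output
  if ! key_matches_cert "$2" "$1"; then
    echo "refusing: $1 was not issued for the key in $2" >&2
    return 1
  fi
  cat "$1" "$2" > "$3"
}

# The page's live test against the KMIP port, wrapped so it exits after the
# handshake. -tls1 is what the page uses; newer OpenSSL builds may reject
# TLS 1.0, in which case try -tls1_2 if the key server supports it.
kmip_handshake_test() {   # $1 = key server IP, $2 = client_private.pem
  openssl s_client -tls1 -connect "$1:5696" -verify 10 -showcerts \
    -cert client.pem -key "$2" -CAfile "${1}_CA.pem" </dev/null
}
```

Run the offline functions first; kmip_handshake_test needs network access to the key server and the <IP>_CA.pem file from the page's procedure.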
Data ONTAP 8.3 and lower
1. In case of a loss of power during the certificate replacement procedure, manually re-key the drives to the default Key ID 0x0 temporarily before replacing the certificates. This prevents drive lockout during the certificate renewal process. Perform the following steps:
   a. Run: key_manager restore -all (loads all Key IDs from the attached key servers)
   b. Run: disk encrypt show
   c. Run: disk encrypt rekey 0x0 * (re-keys the drives to the default and allows full drive access temporarily while the certificates are replaced)
   d. Run: disk encrypt show (verify that all disks are re-keyed to 0x0)
2. Display the certificates:
   a. Run: keymgr list cert
3. Back up all the original certificates before replacing them on the NSE system.
4. Remove the certificates from the NSE system:
   a. Run: key_manager show (get a list of the currently configured key servers)
   b. Run: key_manager remove -key_server <IP-Address-of-Key-Server>
      Note: Repeat for all configured key servers.
   c. Run: keymgr delete cert client_private.pem
   d. Run: keymgr delete cert client.pem
   e. Run: keymgr delete cert <IP-Address-of-Key-Server>_CA.pem
5. Place the newly generated certificates on the storage system. For this example,
6. After installing the renewed certificates onto the NSE system, all the key servers must be removed and re-added. This step is required to copy the new certificates onto the CF card. To do this, perform the following steps:
   a. Run: key_manager show (get a list of the currently configured key servers)
   b. Run: key_manager remove -key_server <IP-Address-of-Key-Server>
      Note: Repeat for all configured key servers.
   c. Run: key_manager add -key_server <IP-Address-of-Key-Server>
      Note: Repeat for all previously configured key servers.
   d. Run: key_manager query (verify that the Key IDs are listed properly; the original Key IDs should be listed)
   e. Run: disk encrypt rekey <Key-ID> * (this is the Key ID from Step 1b above; the Key ID should also appear in the key_manager query output)
   f. Run: disk encrypt show (verify that all disks are re-keyed to the new Key ID and that none of the drives have Key ID 0x0)
   g. Repeat the above procedure on the HA controller.
Data ONTAP 8.3.1 and higher
::> storage encryption disk modify -disk * -data-key-id 0x0
::> security key-manager remove -address key_management_server_ipaddress
::> security certificate delete -vserver admin_svm_name -type client -subtype kmip-cert
::> security certificate install -vserver admin_svm_name -type client -subtype kmip-cert
This command prompts for the following items in .pem format, which must be pasted in:
Cut and paste the public certificate when prompted.
Cut and paste the private key when prompted.
::> security key-manager setup -node <name>
Repeat this for each node in the cluster.
::> security key-manager add -address <key_management_server_ipaddress>
Continue with creating the key ONLY if you are able to add and query the key manager.
Verify that the key management servers are configured and available on all nodes in the cluster:
::> security key-manager show -status
::> security key-manager query
::> security key-manager create-key -prompt-for-key true
When prompted, enter the secret passphrase. It must be 20 to 32 characters long.
You can either use the '-prompt-for-key true' setting, which requires you to paste the secret passphrase, or omit it, in which case Data ONTAP randomly generates a passphrase. It has always been a best practice to provide a customer-specified passphrase for recovery purposes.
This returns a 40-60 character key ID, which is used in the next step.
Record the authentication key, as this is critical information.
::> storage encryption disk modify -disk disk_id -data-key-id authentication_key_id *
(authentication_key_id is the same key ID displayed in the output of the previous command)
::> storage encryption disk show
Data ONTAP 9.0, Data ONTAP 9.1, and Data ONTAP 9.2
::> security certificate install -type client -subtype kmip-cert
Please enter Certificate: Press <Enter> when done
<Paste the NSE public certificate named client.pem, including the BEGIN and END statements>
Please enter Private Key: Press <Enter> when done
<Paste the NSE private certificate named client_private.pem, including the BEGIN and END statements>
MIIB8TCCAZugAwIBAwIBADANBgkqhkiG9w0BAQQFADBfMRMwEQYDVQQDEwpuZXRh cHAuY29tMQswCQYDVQQGEwJVUzEJMAcGA1UECBMAMQkwBwYDVQQHEwAxCTAHBgNV BAoTADEJMAcGA1UECxMAMQ8wDQYJKoZIhvcNAQkBFgAwHhcNMTAwNDI2MTk0OTI4 ...
-----END CERTIFICATE-----
When this is complete, run the following to update certificates on the local node:
::> security key-manager certificate update -type client
Rekeying the drives to the default Key ID 0x0 allows full access to the data on the encryption drives without key server authentication. This leaves the drives unprotected against physical theft. It is important that the certificate renewal process is completed promptly and that all drives are rekeyed out of Key ID 0x0 once the certificates have been renewed. Double check that none of the drives have a Key ID of 0x0.