Unable to restore encryption keys from external KMIP after client certificate renewal
Applies to
- ONTAP 9
- NetApp Volume Encryption (NVE)
- NetApp Aggregate Encryption (NAE)
- Self Encrypting Drives (SED)
- NetApp Storage Encryption (NSE)
- External KMIP server / External Key Manager
Issue
- After renewal of the ONTAP-side KMIP client-certificate that is used for authentication with an external KMIP server, ONTAP cannot retrieve existing keys anymore.
- After both ONTAP nodes were rebooted, volumes remain offline and are unable to restore their key from external KMIP.
- Creating new volumes with new keys works fine, but in the external Key Manager server GUI or CLI these new keys are associated with a different owner than the keys created before the certificate renewal.
- KMIP client log in ONTAP shows:
Warning: Unable to list entries on node node-01. KMIP "Get" command failed on external key server "10.0.0.1:5696". Cryptsoft error: "Response status: OPERATION_FAILED. Reason: GENERAL_FAILURE. Message: Unknown key name or insufficient permissions".
- KMIP server shows an error similar to:
Crypto Server Generic Security Warning Alert 4 sent, Unauthorized key usage. Unauthorized access to key <key-id> by user <common_name_different_from_key_owner>.
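The server-side warning above ties key access to the client certificate's subject: the KMIP server treats the subject (Common Name) presented by the ONTAP client as the key owner, so a renewed certificate issued under a different subject cannot read keys created under the old one. The following script is an added example, not part of the NetApp KB article, that compares the subject DN of the currently installed client certificate with the renewed one before it is installed. It assumes the openssl CLI is available; the certificate files and subject names it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the NetApp KB article): verify that a renewed KMIP client
# certificate keeps the same subject DN as the certificate the keys were created under.
# Assumes the openssl CLI is installed; the certificates below are throwaway demo material.
set -eu

# Print the subject DN of a PEM certificate in RFC 2253 form (e.g. "CN=name,O=org").
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Return 0 if the renewed certificate has the same subject DN as the old one,
# 1 otherwise. A different DN means the KMIP server will see a different key owner
# and refuse "Get" on keys owned by the old identity.
kmip_client_cert_owner_matches() {
    old_dn=$(cert_subject "$1")
    new_dn=$(cert_subject "$2")
    if [ "$old_dn" = "$new_dn" ]; then
        echo "OK: subject unchanged ($new_dn)"
        return 0
    fi
    echo "MISMATCH: installed subject '$old_dn' vs renewed subject '$new_dn'" >&2
    return 1
}

# Constructed demo certificates: self-signed with throwaway keys, only for this example.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_cert "$DEMO_DIR/old"     "/O=Example/CN=ontap-cluster-kmip"       # currently installed
make_demo_cert "$DEMO_DIR/renewed" "/O=Example/CN=ontap-cluster-kmip"       # renewal, same subject
make_demo_cert "$DEMO_DIR/renamed" "/O=Example/CN=ontap-cluster-kmip-2024"  # renewal, subject changed

# Demo run: the first pair passes, the second reproduces the owner mismatch from the article.
kmip_client_cert_owner_matches "$DEMO_DIR/old.pem" "$DEMO_DIR/renewed.pem" || true
kmip_client_cert_owner_matches "$DEMO_DIR/old.pem" "$DEMO_DIR/renamed.pem" || true
```

In practice, point `kmip_client_cert_owner_matches` at the PEM of the client certificate ONTAP currently presents to the external key manager and at the PEM you are about to install; a mismatch reported here before installation is the condition that, after installation and a reboot, leaves volumes unable to restore their keys.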