NetApp Knowledge Base

What is the Certificate Truststore in ONTAP?

Category:
ontap-9
Specialty:
core
Applies to

  • ONTAP 9
  • AutoSupport

Answer

What is the Certificate Truststore?

Beginning with ONTAP 9.2, a set of trusted root CA certificates is included in ONTAP's certificate management so that the admin SVM can let applications running in ONTAP establish TLS connections to external entities without additional configuration. Each certificate carries an expiration date.

When are the Truststore Certificates installed?

The Truststore Certificates are installed only on the admin SVM, either during a fresh install of ONTAP 9.2 or during an upgrade to ONTAP 9.2. The Truststore Certificate bundle is also updated in newer ONTAP releases.

How can I view the installed Truststore Certificates?

You can view the Truststore Certificates installed on the admin SVM with the security certificate show command:

security certificate show -vserver * -type server-ca

Note: security certificate show -vserver * -type server-ca lists both user-installed certificates and the Truststore Certificates. In ONTAP 9.4 and later, security certificate show-truststore lists only the default Truststore Certificates. See the ONTAP 9 Documentation Center for details.

What happens if a Truststore Certificate expires?

If a Truststore Certificate expires, you can either delete it or leave it installed. The Truststore Certificates are updated as needed as part of every ONTAP release. This is also covered in Bug 1245418.

ONTAP Event Management System (EMS) reports the following, starting 30 days prior to expiration:

Example:
Tue Jul 09 00:00:01 CEST [node1: mgwd: mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority 'UTN-USERFirst-Hardware' and type server-ca for Vserver ADMIN-SVM will expire in the next 10 day(s).

As of July 2019, three Truststore Certificates are known to have expired. These certificates have been reviewed by NetApp and can be safely deleted:

Name of Vserver: Netapp1
FQDN or Custom Common Name: Class2PrimaryCA
Serial Number of Certificate: 85BD4BF3D8DAE369F694D75FC3A54423
Certificate Authority: Class 2 Primary CA
Type of Certificate: server-ca
Certificate Expiration Date: Sat Jul 06 18:59:59 2019
Protocol: SSL
Hashing Function: SHA1

Name of Vserver: Netapp1
FQDN or Custom Common Name: DeutscheTelekomRootCA2
Serial Number of Certificate: 26
Certificate Authority: Deutsche Telekom Root CA 2
Type of Certificate: server-ca
Certificate Expiration Date: Tue Jul 09 18:59:00 2019
Protocol: SSL
Hashing Function: SHA1

Name of Vserver: Netapp1
FQDN or Custom Common Name: UTN-USERFirst-Hardware
Serial Number of Certificate: 44BE0C8B500024B411D3362AFE650AFD
Certificate Authority: UTN-USERFirst-Hardware
Type of Certificate: server-ca
Certificate Expiration Date: Tue Jul 09 13:19:22 2019
Protocol: SSL
Hashing Function: SHA1

Per the Bug workaround, delete the certificate using the security certificate delete command (advanced privilege level).
Example:

::> set advanced
::*> security certificate delete -vserver Netapp1 -common-name Class2PrimaryCA -type server-ca -ca "Class 2 Primary CA" -serial 85BD4BF3D8DAE369F694D75FC3A54423

Note: <TAB> auto-completes the -serial value, and the -ca name must be enclosed in double quotes because it contains spaces. The -serial value must match the Serial Number of Certificate shown in the output above exactly.
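The view, expiry-check and delete steps above, as an added example that is not part of this article or of NetApp's tooling: a small Python script that parses security certificate show -instance output captured from the cluster (the "Key: Value" layout and its indentation are assumed), flags each certificate as expired, expiring within the same 30-day window EMS uses, or ok, and builds the security certificate delete command for the expired ones with the -ca value double-quoted as the note requires. The sample output is constructed from the three certificates listed above (vserver Netapp1 is the name the article uses); the reference date of 07 Jul 2019 is chosen so that the walkthrough shows both an expired and an expiring entry.

```python
"""Offline audit of ONTAP truststore certificates: parse `security certificate
show -instance` output, flag entries that are expired or inside the 30-day EMS
warning window, and build the `security certificate delete` command for the
expired ones. Added example for this KB article, not NetApp code."""
import re
from datetime import datetime, timedelta

# Constructed sample: the three expired server-ca certificates the article
# lists, in `show -instance` "Key: Value" layout (exact indentation of real
# output is assumed; Protocol and Hashing Function lines omitted).
SAMPLE_OUTPUT = """
             Name of Vserver: Netapp1
  FQDN or Custom Common Name: Class2PrimaryCA
Serial Number of Certificate: 85BD4BF3D8DAE369F694D75FC3A54423
       Certificate Authority: Class 2 Primary CA
         Type of Certificate: server-ca
 Certificate Expiration Date: Sat Jul 06 18:59:59 2019

             Name of Vserver: Netapp1
  FQDN or Custom Common Name: DeutscheTelekomRootCA2
Serial Number of Certificate: 26
       Certificate Authority: Deutsche Telekom Root CA 2
         Type of Certificate: server-ca
 Certificate Expiration Date: Tue Jul 09 18:59:00 2019

             Name of Vserver: Netapp1
  FQDN or Custom Common Name: UTN-USERFirst-Hardware
Serial Number of Certificate: 44BE0C8B500024B411D3362AFE650AFD
       Certificate Authority: UTN-USERFirst-Hardware
         Type of Certificate: server-ca
 Certificate Expiration Date: Tue Jul 09 13:19:22 2019
"""

# Reference "now" for the walkthrough (constructed): 07 Jul 2019, one day
# after the first certificate expired and two days before the other two.
REFERENCE_DATE = datetime(2019, 7, 7, 0, 0, 0)
WARN_DAYS = 30                       # EMS starts warning 30 days ahead
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")
DATE_FMT = "%a %b %d %H:%M:%S %Y"    # e.g. "Sat Jul 06 18:59:59 2019"


def parse_show_instance(text):
    """Split the output on blank lines and return one dict per certificate."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group("key")] = m.group("value")
        if "Serial Number of Certificate" in rec:
            rec["expires"] = datetime.strptime(
                rec["Certificate Expiration Date"], DATE_FMT)
            certs.append(rec)
    return certs


def _quote(value):
    """Double-quote a CLI argument when it contains whitespace."""
    return f'"{value}"' if re.search(r"\s", value) else value


def delete_command(cert):
    """Build the advanced-privilege delete command. -ca is always quoted,
    because CA display names usually contain spaces."""
    return ('security certificate delete -vserver {vs} -common-name {cn} '
            '-type {ty} -ca "{ca}" -serial {sn}').format(
        vs=_quote(cert["Name of Vserver"]),
        cn=_quote(cert["FQDN or Custom Common Name"]),
        ty=cert["Type of Certificate"],
        ca=cert["Certificate Authority"],
        sn=cert["Serial Number of Certificate"])


def audit(text=SAMPLE_OUTPUT, now=None, warn_days=WARN_DAYS):
    """Classify each certificate as 'expired', 'expiring' (within warn_days,
    mirroring the mgmtgwd.certificate.expiring alert) or 'ok'. Times are
    compared naively, in whatever zone the cluster printed them."""
    now = now or datetime.now()
    results = []
    for cert in parse_show_instance(text):
        remaining = cert["expires"] - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append({
            "common_name": cert["FQDN or Custom Common Name"],
            "serial": cert["Serial Number of Certificate"],
            "status": status,
            "days_left": remaining.days,
            # only expired (NetApp-reviewed) entries are deletion candidates
            "delete_cmd": delete_command(cert) if status == "expired" else None,
        })
    return results


if __name__ == "__main__":
    for r in audit(now=REFERENCE_DATE):
        print(f"{r['status']:8} {r['days_left']:4}d  {r['common_name']}  {r['serial']}")
        if r["delete_cmd"]:
            print("    ::*>", r["delete_cmd"])
```

Run it against the real output of security certificate show -vserver * -type server-ca -instance pasted into a file, with now left at the default (the current time); the expiring list then tells you which certificates EMS is about to start alerting on, and the delete commands for the expired ones can be pasted into an advanced-privilege session after you have checked them against NetApp's reviewed list. Expiration times are printed by the cluster in its local zone and compared naively here, so a certificate within a few hours of expiry may be classified either way.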

What happens if I delete a Truststore Certificate?

In most cases an expired certificate is no longer used by anything. Deleting Truststore Certificates can, however, cause some ONTAP applications (for example AutoSupport or System Manager) to stop working as expected. Before deleting a certificate that has not yet expired, confirm that it is not part of the chain used by AutoSupport's HTTPS destination or by any other external service the cluster connects to.

Can I create the Truststore Certificate with a new expiration date?

No. A certificate with a new expiration date must be re-issued by the Certificate Authority and then installed; ONTAP cannot extend the expiration date of an existing certificate. As mentioned above, the Truststore Certificates are updated as needed as part of every ONTAP release.

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.