NetApp Knowledge Base

What is the Certificate Truststore in ONTAP?

Category:
ontap-9
Specialty:
CORE
Applies to

  • ONTAP 9
  • AutoSupport

Answer

What is the Certificate Truststore?
  • Beginning with ONTAP 9.2, a set of trusted root CA certificates (the Truststore) was introduced in ONTAP's certificate management.
  • These certificates, held by the admin SVM, allow applications running in ONTAP to establish TLS connections to external entities without additional configuration.
  • Each certificate has an expiration date associated with it.
When are the Truststore Certificates installed?
  • The Truststore Certificates are installed only on the admin SVM during an ONTAP installation of version 9.2 or later, or during an upgrade to ONTAP 9.2 or later.
  • The Truststore Certificates bundle is also updated in newer versions of ONTAP.
How can I view the installed Truststore Certificates?
  • You can view the Truststore Certificates that are installed on the admin SVM by using the security certificate show -type server-ca command.
  • The security certificate show -vserver * -type server-ca command displays both user-installed certificates and Truststore Certificates.
  • Starting with ONTAP 9.4, security certificate show-truststore can be used to view only the default Truststore Certificates.
What happens if a Truststore Certificate expires?
  • If a Truststore Certificate expires, you can either delete it or leave it installed.
  • Truststore Certificates are automatically updated as needed with each ONTAP release.
  • This is also explained in Bug 1245418.
ONTAP Event Management System (EMS) will report the following:
  • Beginning 30 days before expiration:

Tue Jul 09 00:00:01 CEST [node1: mgwd: mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority 'UTN-USERFirst-Hardware' and type server-ca for Vserver ADMIN-SVM will expire in the next 10 day(s).

  • As of July 2019, there are three known certificates that have expired.
  • These Truststore Certificates have been reviewed by NetApp and can be safely deleted.

Name of Vserver: Netapp1
FQDN or Custom Common Name: Class2PrimaryCA
Serial Number of Certificate: 85BD4BF3D8DAE369F694D75FC3A54423
Certificate Authority: Class 2 Primary CA
Type of Certificate: server-ca
Certificate Expiration Date: Sat Jul 06 18:59:59 2019
Protocol: SSL
Hashing Function: SHA1

Name of Vserver: Netapp1
FQDN or Custom Common Name: DeutscheTelekomRootCA2
Serial Number of Certificate: 26
Certificate Authority: Deutsche Telekom Root CA 2
Type of Certificate: server-ca
Certificate Expiration Date: Tue Jul 09 18:59:00 2019
Protocol: SSL
Hashing Function: SHA1

Name of Vserver: Netapp1
FQDN or Custom Common Name: UTN-USERFirst-Hardware
Serial Number of Certificate: 44BE0C8B500024B411D3362AFE650AFD
Certificate Authority: UTN-USERFirst-Hardware
Type of Certificate: server-ca
Certificate Expiration Date: Tue Jul 09 13:19:22 2019
Protocol: SSL
Hashing Function: SHA1

  • Per the Bug workaround, delete the certificate using the security certificate delete command in advanced privilege mode (the example below uses the first expired certificate listed above, on the admin SVM Netapp1):

::> set advanced
::*> security certificate delete -vserver Netapp1 -common-name Class2PrimaryCA -type server-ca -ca "Class 2 Primary CA" -serial 85BD4BF3D8DAE369F694D75FC3A54423

Note: Pressing <TAB> auto-completes the -serial value, and the -ca name must be enclosed in double quotes because it contains spaces.
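To work through the listing and deletion steps above in one pass, here is an added example (not part of the NetApp article or of ONTAP) that parses certificate records in the layout shown above, flags any certificate that is expired or inside the 30-day EMS warning window, and builds the matching security certificate delete command. The two sample records and the clock value are constructed from the article's own values; the field names and command syntax are assumed to match the output shown above.

```python
# Added example, not NetApp's code. Assumes the record layout shown above and a caller-supplied clock `now`.
import re
from datetime import datetime, timedelta

FIELDS = ("Name of Vserver", "FQDN or Custom Common Name", "Serial Number of Certificate",
          "Certificate Authority", "Type of Certificate", "Certificate Expiration Date")
FIELD_RE = re.compile(r"^(%s):? (.+)$" % "|".join(re.escape(f) for f in FIELDS))  # colon optional

# Constructed sample input: two of the three expired Truststore records from the article.
SAMPLE = """\
Name of Vserver: Netapp1
FQDN or Custom Common Name: Class2PrimaryCA
Serial Number of Certificate: 85BD4BF3D8DAE369F694D75FC3A54423
Certificate Authority: Class 2 Primary CA
Type of Certificate: server-ca
Certificate Expiration Date: Sat Jul 06 18:59:59 2019

Name of Vserver Netapp1
FQDN or Custom Common Name UTN-USERFirst-Hardware
Serial Number of Certificate 44BE0C8B500024B411D3362AFE650AFD
Certificate Authority UTN-USERFirst-Hardware
Type of Certificate server-ca
Certificate Expiration Date Tue Jul 09 13:19:22 2019
"""

def parse_records(text):
    """Blank lines separate records; each record becomes a dict keyed by field name."""
    records, current = [], {}
    for line in text.splitlines() + [""]:          # trailing "" flushes the last record
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif not line.strip() and current:         # blank line ends a record; other lines ignored
            records.append(current); current = {}
    return records

def expiry_status(record, now, warn_days=30):
    """'expired' past the expiration date, 'expiring' within warn_days of it, else 'ok'."""
    exp = datetime.strptime(record["Certificate Expiration Date"], "%a %b %d %H:%M:%S %Y")
    return ("expired" if exp <= now
            else "expiring" if exp - now <= timedelta(days=warn_days) else "ok")

def delete_command(r):
    """Advanced-mode delete command; the CA name is double-quoted because it can contain spaces."""
    return ('security certificate delete -vserver %s -common-name %s -type %s -ca "%s" -serial %s'
            % (r["Name of Vserver"], r["FQDN or Custom Common Name"], r["Type of Certificate"],
               r["Certificate Authority"], r["Serial Number of Certificate"]))

def review(text, now):
    return [(r["FQDN or Custom Common Name"], expiry_status(r, now), delete_command(r))
            for r in parse_records(text) if expiry_status(r, now) != "ok"]
```

Run review(SAMPLE, datetime(2019, 7, 8)) to see one "expired" and one "expiring" certificate, each with its ready-to-paste delete command; feed it the real security certificate show output to review a live admin SVM.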

What happens if I delete a Truststore Certificate?
  • For the most part, the expired certificate will likely be unused.
  • Deleting Truststore Certificates might result in some ONTAP applications not functioning as expected (for example, AutoSupport or System Manager).
Can I create the Truststore Certificate with a new expiration date?
  • No, the new certificate must be re-issued by the Certificate Authority and then re-installed.
  • As mentioned above, Truststore Certificates are automatically updated as needed with each ONTAP release.
What is the default AutoSupport certificate? (affects HTTPS)
  • Expiring May 30, 2020:
    • Certificate Authority: AddTrust External CA Root
    • Common name: AddTrustExternalCARoot
  • New certificate as of May 31, 2020:
    • Certificate Authority: AAA Certificate Services
    • Common name: AAACertificateServices
  • For more details, refer to What will happen when my Autosupport Certificate expires?
NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.