What is the Certificate Truststore in ONTAP?
Applies to
- ONTAP 9
- AutoSupport
Answer
What is the Certificate Truststore?
Beginning with ONTAP 9.2, a set of trusted root CA certificates was introduced in ONTAP's certificate management so that the admin SVM can allow applications running in ONTAP to seamlessly establish TLS connections to external entities. Each of these certificates has an expiration date associated with it.
When are the Truststore Certificates installed?
The Truststore Certificates are installed only on the admin SVM during an ONTAP install of 9.2, or during an upgrade to ONTAP 9.2. The Truststore Certificates bundle is also updated in newer versions of ONTAP.
How can I view the installed Truststore Certificates?
You can view the Truststore Certificates that are installed on the admin SVM by using the security certificate show command:
security certificate show -vserver * -type server-ca
Note: security certificate show -vserver * -type server-ca shows both user-installed certificates and the Truststore Certificates. From ONTAP 9.4 and later, security certificate show-truststore can be used to view only the default Truststore Certificates.
See the ONTAP 9 Documentation Center:
- Display default Truststore Certificates: security certificate show-truststore
- Display user-installed certificates: security certificate show-user-installed
What happens if a Truststore Certificate expires?
If the Truststore Certificate expires, you can choose to delete it or leave it installed. The Truststore Certificates are automatically updated as needed as part of every ONTAP release. This is also explained in Bug 1245418.
The ONTAP Event Management System (EMS) reports the following, starting 30 days prior to expiration:
Example:
Tue Jul 09 00:00:01 CEST [node1: mgwd: mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority 'UTN-USERFirst-Hardware' and type server-ca for Vserver ADMIN-SVM will expire in the next 10 day(s).
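The EMS message above is the signal a monitoring pipeline should key on. The following is an added example (not NetApp code and not part of this article) that parses lines of that shape into structured events and filters the ones inside a chosen warning window. The regular expression is derived from the single message quoted above and is an assumption about the message format; the sample lines, node name, the cluster1.example.com certificate and the serial numbers that are not from the article are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: four EMS lines. The first reuses the values from the message
# quoted in this article; the others are made up for the demo (cluster1.example.com
# is a placeholder name, its serial is invented). The last line is deliberately
# malformed to show that unrecognised lines are skipped, not guessed at.
SAMPLE_EMS = """\
Tue Jul 09 00:00:01 CEST [node1: mgwd: mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority 'UTN-USERFirst-Hardware' and type server-ca for Vserver ADMIN-SVM will expire in the next 10 day(s).
Tue Jul 09 00:00:02 CEST [node1: mgwd: mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) Class2PrimaryCA, Serial Number 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type server-ca for Vserver ADMIN-SVM will expire in the next 3 day(s).
Tue Jul 09 00:00:03 CEST [node1: mgwd: mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) cluster1.example.com, Serial Number 0A1B2C3D, Certificate Authority 'cluster1.example.com' and type server for Vserver cluster1 will expire in the next 25 day(s).
Tue Jul 09 00:00:04 CEST [node1: mgwd: mgmtgwd.certificate.expiring:error]: some unrelated or truncated message
"""

# Assumed message shape, modelled on the one example message in the article.
EMS_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \w+) "
    r"\[(?P<node>[^:\]]+): mgwd: mgmtgwd\.certificate\.expiring:(?P<sev>\w+)\]: "
    r"A digital certificate with Fully Qualified Domain Name \(FQDN\) (?P<fqdn>[^,]+), "
    r"Serial Number (?P<serial>[0-9A-Za-z]+), "
    r"Certificate Authority '(?P<ca>[^']+)' and type (?P<ctype>\S+) "
    r"for Vserver (?P<vserver>\S+) will expire in the next (?P<days>\d+) day\(s\)\.$"
)


@dataclass
class CertExpiryEvent:
    timestamp: str
    node: str
    vserver: str
    fqdn: str
    serial: str
    ca: str
    cert_type: str
    days_left: int


def parse_ems(text: str) -> List[CertExpiryEvent]:
    """Return one event per line that matches the expiring-certificate message."""
    events: List[CertExpiryEvent] = []
    for line in text.splitlines():
        m = EMS_RE.match(line.strip())
        if not m:
            continue  # not an expiry message (or a shape we do not understand)
        events.append(CertExpiryEvent(
            timestamp=m["ts"], node=m["node"], vserver=m["vserver"],
            fqdn=m["fqdn"], serial=m["serial"], ca=m["ca"],
            cert_type=m["ctype"], days_left=int(m["days"]),
        ))
    return events


def needs_action(events: List[CertExpiryEvent], within_days: int) -> List[CertExpiryEvent]:
    """Events with at most `within_days` left. A 'server' certificate is the SVM's own
    TLS identity and its expiry breaks clients, so those sort first; 'server-ca'
    (truststore) entries follow, ordered by days remaining."""
    hits = [e for e in events if e.days_left <= within_days]
    return sorted(hits, key=lambda e: (e.cert_type != "server", e.days_left))


if __name__ == "__main__":
    for ev in needs_action(parse_ems(SAMPLE_EMS), within_days=30):
        print(f"{ev.days_left:3d} day(s)  {ev.cert_type:9s} {ev.vserver:10s} {ev.fqdn}  serial={ev.serial}")
```

Feed it the output of the EMS log (for example, the lines returned by event log show) and alert on the 'server' entries separately from truststore entries: the former need a renewed certificate, the latter, per the rest of this article, only need the expired entry reviewed and removed.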
Currently, there are three known certificates that have expired as of July 2019. These Truststore Certificates have been reviewed by NetApp and can be safely deleted.
Name of Vserver: Netapp1
FQDN or Custom Common Name: Class2PrimaryCA
Serial Number of Certificate: 85BD4BF3D8DAE369F694D75FC3A54423
Certificate Authority: Class 2 Primary CA
Type of Certificate: server-ca
Certificate Expiration Date: Sat Jul 06 18:59:59 2019
Protocol: SSL
Hashing Function: SHA1

Name of Vserver: Netapp1
FQDN or Custom Common Name: DeutscheTelekomRootCA2
Serial Number of Certificate: 26
Certificate Authority: Deutsche Telekom Root CA 2
Type of Certificate: server-ca
Certificate Expiration Date: Tue Jul 09 18:59:00 2019
Protocol: SSL
Hashing Function: SHA1

Name of Vserver: Netapp1
FQDN or Custom Common Name: UTN-USERFirst-Hardware
Serial Number of Certificate: 44BE0C8B500024B411D3362AFE650AFD
Certificate Authority: UTN-USERFirst-Hardware
Type of Certificate: server-ca
Certificate Expiration Date: Tue Jul 09 13:19:22 2019
Protocol: SSL
Hashing Function: SHA1
Per the bug workaround, delete the certificate using the security certificate delete command.
Example:
::> set advanced
::*> security certificate delete -vserver
Note: <TAB> will auto-complete the -serial and -ca parameters; the -ca name should be in double-quotes.
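To make the review-then-delete step repeatable, the following added example (not NetApp code and not part of this article) parses the "Field: value" listing of the certificates, classifies each one against a reference date as expired, expiring (inside the 30-day EMS window) or ok, and renders a delete command only for server-ca entries that have actually expired. The sample listing reuses the three expired certificates from this article and adds two constructed records (ExampleRootCA and netapp1.example.com, with invented serials). The -vserver, -serial, -ca and -type flags are the ones this article uses; -common-name is assumed here to be the remaining key field of security certificate delete and should be verified against your release's command reference.

```python
from datetime import datetime, timedelta
from typing import Dict, List

DATE_FMT = "%a %b %d %H:%M:%S %Y"     # e.g. "Sat Jul 06 18:59:59 2019"
WARN_DAYS = 30                        # EMS starts warning 30 days before expiry
REFERENCE_DATE = datetime(2019, 7, 10)  # evaluation date chosen to match the article (July 2019)

# Constructed sample in the "Field: value" shape of the certificate listing.
# Records 1-3 are the expired certificates from this article. Record 4 is a made-up
# truststore entry that is still valid but inside the warning window; record 5 is a
# made-up, expired 'server' certificate (the SVM's own identity) that must never be
# treated as truststore cleanup.
SAMPLE_SHOW = """\
Name of Vserver: Netapp1
FQDN or Custom Common Name: Class2PrimaryCA
Serial Number of Certificate: 85BD4BF3D8DAE369F694D75FC3A54423
Certificate Authority: Class 2 Primary CA
Type of Certificate: server-ca
Certificate Expiration Date: Sat Jul 06 18:59:59 2019

Name of Vserver: Netapp1
FQDN or Custom Common Name: DeutscheTelekomRootCA2
Serial Number of Certificate: 26
Certificate Authority: Deutsche Telekom Root CA 2
Type of Certificate: server-ca
Certificate Expiration Date: Tue Jul 09 18:59:00 2019

Name of Vserver: Netapp1
FQDN or Custom Common Name: UTN-USERFirst-Hardware
Serial Number of Certificate: 44BE0C8B500024B411D3362AFE650AFD
Certificate Authority: UTN-USERFirst-Hardware
Type of Certificate: server-ca
Certificate Expiration Date: Tue Jul 09 13:19:22 2019

Name of Vserver: Netapp1
FQDN or Custom Common Name: ExampleRootCA
Serial Number of Certificate: 1A2B3C
Certificate Authority: Example Root CA
Type of Certificate: server-ca
Certificate Expiration Date: Mon Jul 29 23:59:59 2019

Name of Vserver: Netapp1
FQDN or Custom Common Name: netapp1.example.com
Serial Number of Certificate: 0F0E0D
Certificate Authority: netapp1.example.com
Type of Certificate: server
Certificate Expiration Date: Mon Jul 01 00:00:00 2019
"""


def parse_show_instance(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated 'Field: value' blocks into one dict per certificate.
    Partitioning on ': ' keeps the colons inside the expiry timestamp intact."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:
            current[key] = value.strip()
    if current:
        records.append(current)
    return records


def classify(record: Dict[str, str], now: datetime) -> str:
    """'expired', 'expiring' (within WARN_DAYS) or 'ok', relative to `now`."""
    expires = datetime.strptime(record["Certificate Expiration Date"], DATE_FMT)
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=WARN_DAYS):
        return "expiring"
    return "ok"


def expired_truststore_candidates(records: List[Dict[str, str]], now: datetime) -> List[Dict[str, str]]:
    """Only server-ca entries that have already expired are cleanup candidates."""
    return [r for r in records
            if r.get("Type of Certificate") == "server-ca" and classify(r, now) == "expired"]


def delete_command(record: Dict[str, str]) -> str:
    """Render the advanced-mode delete command. The CA name is double-quoted because it
    usually contains spaces (the article's note); -common-name is an assumed key field."""
    return ('security certificate delete -vserver {vs} -common-name {cn} '
            '-serial {serial} -ca "{ca}" -type {ctype}').format(
        vs=record["Name of Vserver"], cn=record["FQDN or Custom Common Name"],
        serial=record["Serial Number of Certificate"], ca=record["Certificate Authority"],
        ctype=record["Type of Certificate"])


if __name__ == "__main__":
    recs = parse_show_instance(SAMPLE_SHOW)
    for r in recs:
        print(f'{classify(r, REFERENCE_DATE):9s} {r["FQDN or Custom Common Name"]} ({r["Type of Certificate"]})')
    print("::> set advanced")
    for r in expired_truststore_candidates(recs, REFERENCE_DATE):
        print("::*> " + delete_command(r))
```

The listing from security certificate show -vserver * -type server-ca mixes user-installed CAs with the default Truststore Certificates, and this parser cannot tell the two apart; on ONTAP 9.4 and later, feed it the output of security certificate show-truststore instead, and review the generated commands before pasting them, since deleting a CA that an application still chains to can break AutoSupport or System Manager as the next section describes.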
What happens if I delete a Truststore Certificate?
In most cases an expired Truststore Certificate is no longer in use. Deleting Truststore Certificates might, however, result in some ONTAP applications not functioning as expected (for example, AutoSupport or System Manager).
Can I create the Truststore Certificate with a new expiration date?
No. A new certificate must be re-issued by the Certificate Authority and then re-installed. As mentioned above, however, the Truststore Certificates are automatically updated as needed as part of every ONTAP release.