NetApp Knowledge Base

How to install or renew a CA signed certificate using ONTAP System Manager

Last Updated:
5/27/2025, 6:22:32 AM

Applies to

  • ONTAP 9.10.1 and above
  • ONTAP System Manager

Description

Beginning with ONTAP 9.10.1, you can create, install, renew, and manage Certificate Authority (CA) signed certificates in the ONTAP System Manager user interface.

Procedure

  1. Log in to the ONTAP System Manager user interface
  2. Select CLUSTER -> Settings
  3. Scroll down and select the arrow next to Certificates
  4. Select +Generate Certificate Signing Request (CSR)


5. Click More Options and fill in as needed


  • Note: 
    • Either leave the Uniform Resource Locator (URL) field empty, or enter the URL without the /sysmgr/v4 path.
    • The Domain Name Server (DNS) field takes the Fully Qualified Domain Name (FQDN) of the cluster, not the FQDN of the DNS server. If you want to access System Manager securely using the FQDN or the hostname of the individual nodes, include those as well, comma-separated.
    • If you are creating a CA-signed certificate for multiple nodes, each IP Address you want to include can be comma-separated.
    • Modern browsers require the use of the Subject Alternative Names field.

6. Click Export or copy the contents

Note: Be sure to save the private key for later use

7. Send the Certificate Signing Request (CSR) output to your Certificate Authority (CA) to create the signed digital certificate

Note: Refer to the documentation from your Certificate Authority (CA) for the appropriate procedure

Note: If you need assistance locating your Certificate Authority (CA), go to this KB: How To Locate Your ONTAP Certificate Authority

8. Select the Client/Server Certificate tab in System Manager

9. Click +Add

10. Paste or import the CA signed certificate

11. Filter the System Manager view for the new common name

Take note of the serial number

12. The new certificate can be enabled using the commands below

a. Validate the current certificate

::> security certificate show -vserver <vserver> -common-name <common-name>

b. Modify the current certificate

::> security ssl modify -vserver <vserver> -ca <ca> -serial <serial>
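
As an added example (not part of the NetApp article or of ONTAP tooling), the following Python script checks the values planned for the DNS and IP Address fields in step 5 against the URLs administrators will actually use to reach System Manager, so a missing Subject Alternative Name is caught before the CSR is sent to the CA. All host names, addresses and function names are constructed for illustration.

```python
# Added example: pre-flight check of the SAN values typed into the CSR form.
import ipaddress
from urllib.parse import urlsplit


def split_field(value):
    """Split a comma-separated form field into trimmed, non-empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def host_of(url):
    """Return the host of an access URL, ignoring any path such as /sysmgr/v4."""
    return urlsplit(url if "//" in url else "//" + url).hostname


def dns_match(host, pattern):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]


def uncovered(access_urls, dns_field, ip_field):
    """List access URLs whose host is not covered by the planned SAN entries."""
    dns_sans = split_field(dns_field)
    ip_sans = {ipaddress.ip_address(ip) for ip in split_field(ip_field)}
    missing = []
    for url in access_urls:
        host = host_of(url)
        try:
            ok = ipaddress.ip_address(host) in ip_sans  # IPs match IP SANs only
        except ValueError:
            ok = any(dns_match(host, p) for p in dns_sans)
        if not ok:
            missing.append(url)
    return missing


# Constructed sample values (assumptions, not taken from the article).
ACCESS_URLS = ["https://cluster1.example.com/sysmgr/v4", "https://cluster1-01.example.com",
               "https://192.0.2.10", "https://192.0.2.12"]
DNS_FIELD = "cluster1.example.com, cluster1-02.example.com"
IP_FIELD = "192.0.2.10,192.0.2.11"

if __name__ == "__main__":
    for url in uncovered(ACCESS_URLS, DNS_FIELD, IP_FIELD):
        print("not covered by SAN:", url)
```

Any URL it reports needs its host added to the DNS or IP Address field before the CSR is generated.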

 

 
