How to install or renew a CA signed certificate using ONTAP System Manager

Applies to

• ONTAP 9.10.1 and above
• ONTAP System Manager

Description

Beginning in ONTAP 9.10.1 and later you can create, install, renew and manage Certificate Authority (CA) signed certificates in the ONTAP System Manager user interface

Procedure

1. Login to the ONTAP System Manager user interface
2. Select CLUSTER -> Settings
3. Scroll down and select the arrow next to Certificates
4. Select +Generate CSR
5. Click More Options and fill in as needed
   • 
   • Note: Either exclude the URI, or fill in the field with the System Manager URL (excluding /sysmgr/v4).
   • Note: DNS server will be the FQDN of the cluster and not the DNS server FQDN. 
   • Note: Modern browsers require the use of the Subject Alternative Names field.
6. Hit Export or ​​​​​copy the contents
   1. NOTE: Be sure to save the private key for later use
7. Send the CSR output to your CA to create the signed digital certificate
   1. Refer to documentation from your CA for the appropriate procedure
8. Select the Client/Server Certificate tab in System Manager
9. Click +Add
10. Paste or import the CA signed certificate
11. Filter the System Manager view for the new common name
    • Take note of the serial number
12. The new certificate can be enabled using the commands below
    1. Validate the current certificate
       • ::> certificate show -vserver <vserver> -common-name <common-name>
         Copied
    2. Modify the current certificate
       • ::> security ssl modify -vserver <vserver> -ca <ca> -serial <serial>
         Copied

Additional Information

• How to install a Certificate Authority (CA) signed certificate using ONTAP CLI
• How to renew a Self-Signed Certificate in ONTAP 9
• ONTAP System Manager Certificate shows as ​​​​​​"Not Secure" after installing CA signed certificate