How to install or renew a CA signed certificate using ONTAP System Manager
Last Updated: 5/27/2025, 6:22:32 AM
Applies to
- ONTAP 9.10.1 and above
- ONTAP System Manager
Description
Beginning with ONTAP 9.10.1, you can create, install, renew, and manage Certificate Authority (CA) signed certificates in the ONTAP System Manager user interface.
Procedure
1. Log in to the ONTAP System Manager user interface
2. Select CLUSTER -> Settings
3. Scroll down and select the arrow next to Certificates
4. Select +Generate Certificate Signing Request (CSR)
5. Click More Options and fill in as needed
Note:
- Either exclude the Uniform Resource Locator (URL), or fill in the field with the URL (excluding /sysmgr/v4).
- Domain Name Server (DNS) will be the Fully Qualified Domain Name (FQDN) of the cluster and not the DNS server FQDN. If you want to access System Manager securely using the FQDN or the hostname of the individual nodes, those should be included and comma-separated.
- If you are creating a CA-signed certificate for multiple nodes, each IP Address you want to include can be comma-separated.
- Modern browsers require the use of the Subject Alternative Names field.
6. Hit Export or copy the contents
Note: Be sure to save the private key for later use
7. Send the Certificate Signing Request (CSR) output to your Certificate Authority (CA) to create the signed digital certificate
Note: Refer to the documentation from your Certificate Authority (CA) for the appropriate procedure
Note: If you need assistance locating your Certificate Authority (CA), go to this KB: How To Locate Your ONTAP Certificate Authority
8. Select the Client/Server Certificate tab in System Manager
9. Click +Add
10. Paste or import the CA signed certificate
11. Filter the System Manager view for the new common name
Take note of the serial number
12. The new certificate can be enabled using the commands below
a. Validate the current certificate
::> certificate show -vserver <vserver> -common-name <common-name>
b. Modify the current certificate
::> security ssl modify -vserver <vserver> -ca <ca> -serial <serial>
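
The following is an added example, not NetApp code: a pre-flight check for the values described in the step 5 notes. It builds the comma-separated DNS and IP address entries and flags an IP typed into the DNS field, which matters because browsers match an IP address only against IP-type Subject Alternative Name entries. The function name and every host name and address shown are constructed for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
UI_PATH = "/sysmgr/v4"  # path the article says to leave out of the URL field


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_csr_fields(dns_names, ip_addresses, url=""):
    """Return (fields, problems) for the CSR form's DNS, IP and URL inputs.

    Hypothetical helper: it only prepares and checks the text to paste into
    the form; it does not talk to ONTAP.
    """
    problems, dns, ips = [], [], []
    for name in (n.strip().rstrip(".").lower() for n in dns_names):
        if _is_ip(name):
            problems.append(f"{name}: IP literal belongs in the IP address field")
        elif len(name) > 253 or not all(_LABEL.match(p) for p in name.split(".")):
            problems.append(f"{name!r}: not a valid host name")
        elif name not in dns:  # host names are case-insensitive, so dedupe
            dns.append(name)
    for addr in (a.strip() for a in ip_addresses):
        if not _is_ip(addr):
            problems.append(f"{addr!r}: not a valid IP address")
            continue
        norm = str(ipaddress.ip_address(addr))  # canonical text form
        if norm not in ips:
            ips.append(norm)
    url = url.strip().rstrip("/")
    if url.endswith(UI_PATH):
        problems.append(f"URL must not include {UI_PATH}")
        url = url[: -len(UI_PATH)]
    fields = {"dns": ",".join(dns), "ip": ",".join(ips), "url": url}
    return fields, problems
```

Resolve every reported problem before generating the CSR; a SAN entry cannot be changed after the CA has signed the certificate, only replaced by issuing a new one.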