Renew TLS/SSL Certificate in ONTAP 9 - Resolution Guide

Applies to

ONTAP 9
TLS/SSL certificates
Admin certificates
SVM/Vserver certificates

Description

This article describes the procedure to renew an SSL self-signed certificate in ONTAP 9 storage systems.
- In ONTAP, the default self-signed certificate expires after 365 days.
- The procedure is similar for other TLS/SSL certificates used by any SVM/Vserver.
- An expired certificate may cause a loss of access to the System Manager web server for management via HTTPS, as well as other issues.

WARNING

On production systems, it is a NetApp best practice to install a CA-signed digital certificate for use in authenticating the cluster or SVM as an SSL server.
If using SAML, then disable SAML before renewing the cluster certificate. After the certificate is renewed, SAML will need to be re-configured again.
- See KB ONTAP System Manager is not accessible after renewing the cluster certificate with SAML enabled for additional information.

Procedure

CA-Signed Certificates:

Version	Resolution
ONTAP 9.10.1 and later	How to install or renew a CA signed certificate using ONTAP System Manager
ONTAP 9 via command line	How to install a Certificate Authority (CA) signed certificate using ONTAP CLI

Self-Signed Certificates:

Version	Resolution
ONTAP 9.10.1 and later	How to renew a self-signed certificate in System Manager
ONTAP 9 via command line	How to renew an ONTAP Self-Signed SSL certificate via command line
ONTAP 9 via power shell	How to renew or recreate an ONTAP self-signed SSL certificate with the NetApp PowerShell Toolkit
Data ONTAP 8.2 7 mode	How to renew an SSL certificate in Data ONTAP 7-Mode

Additional Information

Will disabling a vserver SSL certificate impact CIFS shares in ONTAP 9
CA-signed SSL certificate install with custom certificate name fails with duplicate entry
Trying to enable self-signed server ssl certificate fails with "Error: duplicate entry"
If you are receiving the warning "mgmtgwd.certificate.expiring" and are currently on or upgrading to a version of ONTAP 9.2 or later, see the article FAQ: What is the Certificate Truststore?

Related links: