Skip to main content
NetApp Knowledge Base

What is the RSA key size supported by NetApp with open SSL FIPS?

Views:
1,211
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
CORE
Last Updated:

 

Applies to

  • ONTAP 9
  • NetApp Storage Encryption

Answer

When creating certificates with open SSL FIPS be sure to select a supported size of 2048 or 3072.

Per the man pages for command security certificate create in  ONTAP 9.x:

-size <size of requested certificate in bits> - Size of Requested Certificate in Bits
This specifies the number of bits in the private key. The larger the value, the more secure is the key. The default is 2048. Possible
values include 512, 1024, 1536, 2048 and 3072 when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true,
the possible values are 2048 and 3072.

ONTAP will warn you if using the 'security certificate create' command

Example:
Cluster::*> security config show
          Cluster                                              Cluster Security
Interface FIPS Mode  Supported Protocols Supported Ciphers     Config Ready
--------- ---------- ------------------- --------------------- ----------------
SSL       true       TLSv1.2             ALL:!LOW:!aNULL:!EXP: yes
                                         !eNULL:!3DES
Cluster::*> security certificate create -common-name test -size 4096 Error: "4096" is an invalid
value for field "-size "  Valid choices in this command's context: 2048,3072
 
 
Example: If the certificate was created on the KMIP server with a key size of 4096  and then Installed in ONTAP, the following will be
seen when trying to communicate with the KMIP server:

Cluster::> security key-manager show -status
Node                    Port    Registered Key Manager       Status
----------------------  ------  ---------------------------  ---------------
Cluster-node1             5696    10.0.13.91                   unknown
Cluster-node1             5696    10.0.13.92                   unknown
Cluster-node1             5696    10.4.13.95                   unknown
Cluster-node1             5696    10.4.13.96                   unknown
Cluster-node2             5696    10.0.13.91                   unknown
Cluster-node2             5696    10.0.13.92                   unknown
Cluster-node2             5696    10.4.13.95                   unknown
Cluster-node2             5696    10.4.13.96                   unknown
8 entries were displayed
 
Solution: remove the certificate and install a new certificate using a supported RSA key size

Additional Information

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.