How to renew an ONTAP self-signed SSL certificate via command line

Applies to

• ONTAP 9
• Self-signed certificates

Description

• This article describes the procedure to renew an SSL self-signed certificate on the command line in ONTAP 9 storage systems.
• FPolicy, Anti-Virus, System Manager, or other connections to port 443 (HTTPS) may fail if required certificate expires.

In ONTAP 9.10.1 and later, System Manager can also be used to renew expiring certificates.  See How to renew an ONTAP self-signed certificate in System Manager user interface.

Procedure

Note: If there are any concerns about disruption of HTTPS services, perform this task during a maintenance window.

1. Identify expired or expiring server certificates: 

::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server

Example

::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server 
vserver common-name serial           ca       type   subtype cert-name expiration
------- ----------- ---------------- -------- ------ ------- --------- ------------------------
clus1   affc190     16E3A53D8D90E881 affc190  server -       affc190   Fri Apr 07 10:59:32 2023
svm1    svm1_A      16FD6CBB01F4F813 svm1_A   server -       svm1_A    Fri Jun 30 14:35:51 2022
2 entries were displayed.

2. Create new self-signed certificate:

::> security certificate create -common-name <name> -type server -size 2048 -email-addr <email> -expire-days 365 -protocol SSL -hash-function SHA256 -vserver <svm name>

Example

::> security certificate create -common-name svm1_B -type server -size 2048 -email-addr "admin@nowhere.com"  
-expire-days 365 -protocol SSL -hash-function SHA256 -vserver svm1
  
The certificate's generated name for reference: svm1_B

3. Enable new certificate for SSL use:

::> security ssl modify -server-enabled true -vserver <svm name> -ca <auth> -serial <serial>

Note: Only one server certificate can be enabled for a SVM.  Existing certificate is marked false as part of this this command.

Example

::> security ssl modify -server-enabled true -vserver svm1 -ca svm1_B -serial 16FD31BFCD1F353C
   
Warning: The certificate svm1_B is a self-signed certificate, which offers no verification of identity       
by client machines.  This presents the risk of man-in-the-middle attacks by malicious third-parties.
Do you want to continue? {y|n}: y

4. Verify the certificate is enabled for SSL:

::> security ssl show -common-name <common name>

Example

::> security ssl show -common-name svm1_B
          Serial                        Server  Client
Vserver   Number            Common Name Enabled Enabled      
--------- ----------------  ----------- ------- -------
svm1      16FD31BFCD1F353C  svm1_B      true    false
 Certificate Authority: svm1_B

5. Delete expired certificate:

::> security certificate delete -type server -vserver <svm name> -common-name <common name> -ca <auth> -serial <serial>

Example

::> security certificate delete -type server -vserver svm1 -common-name svm1_A -ca svm1_A -serial 16FD6CBB01F4F813  
  
Warning: Deleting a server certificate will also delete the corresponding server-chain certificate, if one exists.
Do you want to continue? {y|n}: y

 

Additional Information

For other certificate renewal methods, see:

• How to renew a Self-Signed SSL certificate in ONTAP 9

Related links:

• What is the impact of an expired digital certificate used for a Vserver?
• Will disabling a vserver SSL certificate impact CIFS shares in ONTAP 9
• Trying to enable self-signed server ssl certificate fails with "Error: duplicate entry"
• Error message of "mgmtgwd.certificate.expiring" in event log