
Can't add a cluster

I just installed OCUM 6.1 and I am trying to add some clusters.  I added the first one without a problem, but when I tried to install the second one it complained that the self-signed certificate had expired.  Sure enough, I logged on to the cluster and the certificate was expired.  I used the following command to create a new certificate:

    security certificate create -vserver add-n1-nas2 -common-name add-n1-nas2.cert -expire-days 365 -type server

Unfortunately I still received the error that the certificate was expired.  I figured it was still using the older certificate so I deleted the old one.  Apparently that was a mistake, because now OCUM is simply stating "Cannot establish communication to the host <IP> over SSL".  I tried disabling and enabling the "portal" and "ontapi" web services (hoping that would restart the web server), all to no avail.

Anyone have any ideas what is going on?  And/or what to look at to figure this out?



Re: Can't add a cluster

Hi Keith Cantrell,

Welcome to communities.

The clustered Data ONTAP SSL certificate regeneration procedure is KB'ed here.

Please follow the exact steps mentioned here.

Do let us know if the above KB isn't helping.


Re: Can't add a cluster

Yes, thank you!  Following the idea of the KB resolved the issue.  I said "Following the idea" because I assume those instructions were written for 8.1 because they are slightly different for 8.2.  Regardless, it pointed out that I had to enable the "ssl service" after I removed the certificate.


Re: Can't add a cluster

I am glad that you are able to add the cluster to OCUM 6.1 now.

I will ask the KB team to update the KB article for 8.2 as well.

Thank you for the feedback.


Re: Can't add a cluster

Hi Venka,


I am having a different issue with certificate creation. I am supposed to create a certificate for our storage nodes, but when I use the create certificate commands, I get this error:


command failed: cannot store certificate.


I do not know what is the cause of the error but these storage nodes are not vservers, and in the KB you sent, certificate creation specifies a vserver:


    security certificate create -vserver christoh-svm1 -common-name christoh-svm1.cert -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256


Do you have any idea how I can fix this issue?


Thank you!




Re: Can't add a cluster

What version of ONTAP?


I've been able to execute your syntax on my lab cluster with no issues.


Your common-name does not require the .cert extension.  It works but it isn't required here and really doesn't fit the below from the man page:

    -common-name <FQDN or Custom Common Name> - FQDN or Custom Common Name
    This specifies the desired certificate name as a fully qualified domain name (FQDN) or custom common name or the name of a person.

Try setting expiredays to 3644 or less.  I've seen a release that doesn't like 3690 through the ONTAPI and I assume that it would occur on the command line as well.

Re: Can't add a cluster

I quickly created this PowerShell script to reissue expired or expiring certificates after one of my customers had several clusters with expired certs.  Just script out the connections to the clusters and have it call this function once connected and it will push out all the expiration dates.



    #REQUIRES -Version 4.0 -Modules DATAONTAP
    function update-netappCertificates{
        <#
        .SYNOPSIS
        Checks the certificates on a cluster and replaces them if they have expired or expire within N years.
        .DESCRIPTION
        Checks the certificates on a cluster and replaces them if they have expired or expire within N years.
        .EXAMPLE
        update-netappCertificates -Years 2
        #>
        [CmdletBinding()]
        param(
            # Certificates expiring within this many years are replaced
            [Parameter(Mandatory=$true)][int]$Years
        )
        BEGIN {
            $ErrorActionPreference = 'stop'
            $today = Get-Date
            $date = $today.AddYears($Years)
            $days = 3644

            Write-verbose "Today is $today"
            Write-verbose "Looking for certificates before $date"
        }
        PROCESS {
            $certificates = Get-NcSecurityCertificate
            foreach($certificate in $certificates){
                if($certificate.expirationDateDT -le $date){
                    try {
                        # Create the replacement first, then remove the old certificate by serial number
                        New-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -Type $certificate.Type -Size $certificate.Size -Country $certificate.Country -ExpireDays $days -HashFunction $certificate.HashFunction -Confirm:$false
                        Remove-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -SerialNumber $certificate.SerialNumber -Type $certificate.Type -CertificateAuthority $certificate.CertificateAuthority -Confirm:$false
                    }
                    catch {
                        # With ErrorActionPreference 'stop' this halts before the SSL binding is changed
                        write-debug "error"
                        write-error "something happened"
                        write-error $_
                    }
                    $newcert = Get-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -Type $certificate.Type -Size $certificate.Size

                    # Point the vserver's SSL configuration at the new certificate and enable server authentication
                    Set-NcSecuritySsl -Vserver $certificate.Vserver -CertificateAuthority $newcert.CertificateAuthority -CertificateSerialNumber $newcert.SerialNumber -EnableClientAuthentication $false -EnableServerAuthentication $true -Confirm:$false | Out-Null
                    write-host "$($certificate.CommonName) on $($certificate.Vserver) serial number $($certificate.SerialNumber) has been replaced by $($newcert.SerialNumber) which will expire $($newcert.ExpirationDateDT)"
                    write-verbose "Certificate $($certificate.CommonName) from vserver $($certificate.Vserver) with expiration of $($certificate.ExpirationDateDT) and serial $($certificate.SerialNumber) has been updated to $($newcert.expirationDateDT) and Serial Number of $($newcert.SerialNumber)"
                }
            }
        }
        END {
        }
    }
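
The two failure stages described earlier in this thread (a new certificate exists but SSL is still bound to the expired one; the old certificate is deleted and the SSL service is left disabled) can be told apart by comparing certificate records with the SSL binding. This is an added example, not code from any poster in the thread: the function name `Get-SslBindingState`, the SSL record properties `CertificateSerialNumber` and `ServerAuthenticationEnabled`, and all sample records are assumptions constructed for illustration.

```powershell
# Added example: classify each vserver's SSL binding from already-collected records.
function Get-SslBindingState {
    [CmdletBinding()]
    param(
        # Records carrying Vserver, Type, SerialNumber, ExpirationDateDT
        [Parameter(Mandatory = $true)][object[]]$Certificates,
        # Assumed shape: Vserver, CertificateSerialNumber, ServerAuthenticationEnabled
        [Parameter(Mandatory = $true)][object[]]$SslConfigs,
        [datetime]$Now = (Get-Date)
    )
    foreach ($ssl in $SslConfigs) {
        # The certificate the web service is bound to, matched by serial number.
        $bound = $Certificates | Where-Object {
            $_.Vserver -eq $ssl.Vserver -and $_.Type -eq 'server' -and
            $_.SerialNumber -eq $ssl.CertificateSerialNumber
        } | Select-Object -First 1

        if (-not $bound) {
            $state = 'BoundCertificateMissing'   # binding points at a deleted certificate
        } elseif ($bound.ExpirationDateDT -le $Now) {
            $state = 'BoundCertificateExpired'   # still serving an expired certificate
        } elseif (-not $ssl.ServerAuthenticationEnabled) {
            $state = 'SslServerDisabled'         # valid certificate, SSL service off
        } else {
            $state = 'OK'
        }
        [pscustomobject]@{ Vserver = $ssl.Vserver; BoundSerial = $ssl.CertificateSerialNumber; State = $state }
    }
}

# Constructed sample records (not real cluster output), one vserver per stage.
$now = [datetime]'2015-06-01'
$certs = @(
    [pscustomobject]@{ Vserver = 'svm-a'; Type = 'server'; SerialNumber = 'A001'; ExpirationDateDT = [datetime]'2015-01-01' }
    [pscustomobject]@{ Vserver = 'svm-a'; Type = 'server'; SerialNumber = 'A002'; ExpirationDateDT = [datetime]'2016-05-01' }
    [pscustomobject]@{ Vserver = 'svm-b'; Type = 'server'; SerialNumber = 'B002'; ExpirationDateDT = [datetime]'2016-05-01' }
    [pscustomobject]@{ Vserver = 'svm-c'; Type = 'server'; SerialNumber = 'C002'; ExpirationDateDT = [datetime]'2016-05-01' }
)
$sslConfigs = @(
    [pscustomobject]@{ Vserver = 'svm-a'; CertificateSerialNumber = 'A001'; ServerAuthenticationEnabled = $true }   # new cert created, old one still bound
    [pscustomobject]@{ Vserver = 'svm-b'; CertificateSerialNumber = 'B001'; ServerAuthenticationEnabled = $false }  # old cert deleted
    [pscustomobject]@{ Vserver = 'svm-c'; CertificateSerialNumber = 'C002'; ServerAuthenticationEnabled = $true }   # rebound and enabled
)
Get-SslBindingState -Certificates $certs -SslConfigs $sslConfigs -Now $now | Format-Table -AutoSize
```

Against a live cluster, the first argument would be the output of `Get-NcSecurityCertificate`.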




Re: Can't add a cluster

Hi, our ONTAP version is 8.3.1 and by the way, I have managed to fix this problem already.


Node certificate is not required in ONTAP 8.3.1, cluster certificate is enough according to this KB: