<#
The script deletes the Self-Signed SERVER (-type server) Certificate and applies an issued Certificate to the SVMs/vservers.

To replace the Self-Signed SERVER Certificate with the issued Certificate manually, the following commands need to be run per SVM:

    security certificate show -vserver -type server -instance
    security certificate delete -vserver -common-name -type server -serial -ca
    security certificate show -vserver -type server -instance
    security certificate install -vserver -type server
    security certificate show -vserver -type server -instance    --> to get the new serial number
    security ssl show -vserver -instance
    security ssl modify -server-enabled true -client-enabled false -ca "Newly Issued CA" -serial -common-name -vserver
    security ssl show -vserver -instance

The script below automates the process on all SVMs in the cluster, one at a time, assuming you are applying one issued wildcard certificate to all SVMs.

The script workflow is as follows:
1) Creates a folder for each SVM as it progresses.
2) Copies the existing SSL/Cert information of the SVM into a file and saves it into the SVM folder.
3) Deletes the existing/default cert. If successful, it creates an empty file (Deleting_SSLcert_was_successful.txt) in that SVM folder. This is for confirmation only.
4) Applies the issued certificate and copies the newly applied SSL/Cert information of the SVM into a new file in the same SVM folder.
5) Modifies the SVM to use the new SSL/Cert settings.

The process continues until all SVMs are processed. If it fails to delete the existing/default cert for any reason, it skips that SVM and proceeds with the next one.
If the script completes but there is no "Deleting_SSLcert_was_successful.txt" file in an SVM folder, either the script was not able to delete the existing cert for some reason or there was no cert on that SVM.

Audit can be done by navigating to each SVM folder and comparing the "Deleting_SSLcert_was_successful.txt" and "AfterChangingSSLCert_$vserver.txt" files.
#>

# Clear the screen
# cls

# Loading NetApp modules
Import-Module DataONTAP

# Login into the system. The process will abort if invalid credentials are provided
$cluster = ""    # Replace with your cluster IP or hostname
Connect-NcController $cluster
if (!$global:CurrentNcController) {
    Write-Output "invalid credentials"
    break
}

# Creating a folder with the cluster name on the user's desktop
$folderPath = "$($env:USERPROFILE)\desktop\$cluster"
New-Item -Path $folderPath -ItemType Directory

# Building the required variables for the PowerShell commands
$vservers = Get-NcVserver | Where-Object { $_.VserverType -eq "data" }
$mainCert = (Get-Content -Path "Path to the location of MAIN.crt" | Out-String).Trim()               # Replace with path to the issued server certificate
$privKey  = (Get-Content -Path "Path to the location of Private.txt" | Out-String).Trim()            # Replace with path to the private key
$chainCA  = (Get-Content -Path "Path to the location of Issuing-Chain-CA.crt" | Out-String).Trim()   # Replace with path to the issuing CA cert
$chain    = (Get-Content -Path "Path to the location of Policy-Chain.crt" | Out-String).Trim()       # Replace with path to the intermediate CA
$root     = (Get-Content -Path "Path to the location of Root.crt" | Out-String).Trim()               # Replace with path to the Root CA

# Chaining all intermediate certificates, one PEM block per line-separated entry
$IntermediateCerts = @($chainCA, $chain, $root) -join "`n"

<#
This function acts as the "security ssl modify" command in the CLI. Since there is a bug in Set-NcSecuritySsl, I am using an API call instead.
I have used the following link to create the Set-NCSecuritySSLviaAPI function:
https://community.netapp.com/t5/Microsoft-Virtualization-Discussions/quot-The-expression-is-missing-a-value-quot-with-Set-NcSecuritySsl-Get/td-p/127016
Unfortunately, the body of the function below cannot be indented because the here-string is sent verbatim as the API request.
#>
function Set-NCSecuritySSLviaAPI() {
    # $SSLInfo and $vserver are read from the calling scope (Install-NCSignedCert / the main loop).
    # The XML element names of the security-ssl-modify request were lost when this page was
    # extracted; they are reconstructed here from the ONTAPI security-ssl-modify call and should
    # be checked against the ONTAPI reference for your ONTAP version.
    $request = @"
<security-ssl-modify>
<certificate-authority>$($SSLInfo.CertificateAuthority)</certificate-authority>
<certificate-serial-number>$($SSLInfo.SerialNumber)</certificate-serial-number>
<common-name>$($SSLInfo.CommonName)</common-name>
<server-authentication-enabled>true</server-authentication-enabled>
<client-authentication-enabled>false</client-authentication-enabled>
<vserver>$vserver</vserver>
</security-ssl-modify>
"@
    Invoke-NcSystemApi -VserverContext $vserver -Request $request
}

# This function installs the newly issued SSL/Cert and modifies the SVM to use the new SSL/Cert settings
function Install-NCSignedCert() {
    # Applying the new Cert
    Install-NcSecurityCertificate -Vserver $vserver -Type server -Certificate $mainCert -PrivateKey $privKey -IntermediateCertList $IntermediateCerts

    # Applying a 2 second pause
    Start-Sleep -s 2

    # Reading the new SSL/Cert information
    $SSLInfo = Get-NcSecurityCertificate -Vserver $vserver -Type "server"

    # Writing the output to a new file for auditing or backup information
    Get-SSLInfo $SSLInfo | Out-File -FilePath AfterChangingSSLCert_$vserver.txt

    # Finally, modifying the SVM to use the new SSL/Cert settings.
    # Due to an open bug (https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1074255), we are not going to use Set-NcSecuritySsl for now.
    # Instead of the command below, we use an API call to force the SVM to use the new SSL/Cert setting via the "Set-NCSecuritySSLviaAPI" function.
    #Set-NcSecuritySsl -Vserver "test_svm" -CertificateAuthority $SSLInfo.CertificateAuthority -CertificateSerialNumber $SSLInfo.SerialNumber `
    #    -CommonName $SSLInfo.CommonName -EnableServerAuthentication $true -EnableClientAuthentication $false -Confirm:$false | Out-Null

    # API call function to be used instead of "Set-NcSecuritySsl" until the bug is fixed
    Set-NCSecuritySSLviaAPI
}

# This function generates the same output as "security certificate show -vserver -type server -instance" in the CLI.
# The output is used to create the "BeforeChangingSSLCert_$vserver.txt" and "AfterChangingSSLCert_$vserver.txt" files.
function Get-SSLInfo() {
    Param (
        [Parameter(Mandatory=$true, Position=0)]
        [object] $SSLInfo
    )
    $startDate  = $SSLInfo.StartDateDT      | Get-Date -Format "ddd MMM dd HH:mm:ss yyyy"
    $expireDate = $SSLInfo.ExpirationDateDT | Get-Date -Format "ddd MMM dd HH:mm:ss yyyy"

    # One value per line, in the order the CLI prints them
    $fields = @(
        "$vserver",
        $SSLInfo.CommonName,
        $SSLInfo.SerialNumber,
        $SSLInfo.CertificateAuthority,
        $SSLInfo.Type,
        $SSLInfo.Size,
        "$startDate",
        "$expireDate",
        $SSLInfo.PublicCertificate,
        $SSLInfo.Country,
        $SSLInfo.State,
        $SSLInfo.Locality,
        $SSLInfo.Organization,
        $SSLInfo.OrganizationUnit,
        $SSLInfo.EmailAddress,
        $SSLInfo.Protocol,
        $SSLInfo.HashFunction,
        $SSLInfo.Subtype
    )
    return ($fields -join "`n")
}

<#
This section of code calls the related functions to:
1) Save the existing Certificate information of the SVM into a file
2) Delete the Self-Signed SERVER Certificate   - same as the "security certificate delete -type server" command in the CLI
3) Apply the newly issued Certificate to the SVM - same as the "security certificate install" command in the CLI
4) Modify the related SSL settings              - same as the "security ssl modify" command in the CLI
#>
foreach ($vserver in $vservers) {
    # Filters only SVMs with a MGMT LIF
    $lif = $vserver | Get-NcNetInterface | Where-Object InterfaceName -like "*mgmt"
    if ($lif) {
        Set-Location -Path $folderPath
        if (!(Test-Path "$folderPath\$vserver")) {
            $vserverFolder = $folderPath, $vserver -join "\"
            New-Item -Path $vserverFolder -ItemType Directory
            Set-Location -Path $vserverFolder

            $SSLInfo = Get-NcSecurityCertificate -Vserver $vserver -Type "server"
            if ($null -eq $SSLInfo) {
                Write-Output "No Existing Certificate Found"
                Install-NCSignedCert
            } else {
                Get-SSLInfo $SSLInfo | Out-File -FilePath BeforeChangingSSLCert_$vserver.txt
                Remove-NcSecurityCertificate -Vserver "$vserver" -Type $SSLInfo.Type -CommonName $SSLInfo.CommonName `
                    -SerialNumber $SSLInfo.SerialNumber -CertificateAuthority $SSLInfo.CertificateAuthority -Confirm:$false
                if ($?) {
                    # After the delete command succeeds, create an empty file; this is for confirmation only
                    Out-File -FilePath Deleting_SSLcert_was_successful.txt
                    Install-NCSignedCert
                } else {
                    Write-Output "Certificate deletion command failed. Existing certificate found but another error occurred"
                    continue
                }
            }
        }
    }

    # Pause the process for 55 seconds, so there is enough time to check the BeforeChangingSSLCert_$vserver.txt and AfterChangingSSLCert_$vserver.txt files.
    # If something is wrong, the script can be cancelled and it won't be applied to the next/all SVMs; this verifies the correct settings on the 1st SVM.
    # Comment out the line below to remove the pause between SVMs
    Start-Sleep -s 55
}
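The audit step described in the header (comparing the Deleting_SSLcert_was_successful.txt and AfterChangingSSLCert files per SVM folder) can be scripted. The helper below is an added example, not part of the original script: it walks the per-SVM folders under the cluster folder, parses the Before/After files using the line order Get-SSLInfo writes (line 2 common name, line 3 serial, line 4 CA, line 8 expiry), and flags SVMs where deletion was not confirmed, the serial number did not change, the installed cert still looks self-signed, or the new cert expires soon. The cluster folder path and the 30-day warning threshold are assumptions.

```powershell
# Added audit helper (not part of the original script). Assumes the folder layout the script creates:
#   <ClusterFolder>\<svm>\BeforeChangingSSLCert_<svm>.txt, AfterChangingSSLCert_<svm>.txt,
#   Deleting_SSLcert_was_successful.txt
# Field positions follow Get-SSLInfo (0-based array index): [1]=CommonName, [2]=Serial, [3]=CA, [7]=expiry.
function Get-CertFileSummary {
    Param([Parameter(Mandatory=$true)][string] $Path)
    if (!(Test-Path $Path)) { return $null }
    $lines = @(Get-Content -Path $Path)
    if ($lines.Count -lt 8) { return $null }          # truncated or unexpected file
    # Expiry was written with Get-Date -Format in the current culture, so parse it the same way
    $expires = [datetime]::ParseExact($lines[7], "ddd MMM dd HH:mm:ss yyyy", [cultureinfo]::CurrentCulture)
    [pscustomobject]@{ CommonName = $lines[1]; Serial = $lines[2]; CA = $lines[3]; Expires = $expires }
}

function Test-SvmCertRollout {
    Param(
        [Parameter(Mandatory=$true)][string] $ClusterFolder,   # e.g. "$env:USERPROFILE\desktop\<cluster>" (assumed)
        [int] $WarnDays = 30                                   # assumed "expires soon" threshold
    )
    foreach ($svmDir in Get-ChildItem -Path $ClusterFolder -Directory) {
        $svm     = $svmDir.Name
        $before  = Get-CertFileSummary (Join-Path $svmDir.FullName "BeforeChangingSSLCert_$svm.txt")
        $after   = Get-CertFileSummary (Join-Path $svmDir.FullName "AfterChangingSSLCert_$svm.txt")
        $deleted = Test-Path (Join-Path $svmDir.FullName "Deleting_SSLcert_was_successful.txt")

        $issues = @()
        if ($before -and !$deleted) { $issues += "old cert recorded but deletion not confirmed" }
        if (!$after) { $issues += "no AfterChangingSSLCert file (install step did not run)" }
        elseif ($before -and $before.Serial -eq $after.Serial) { $issues += "serial unchanged; old cert may still be active" }
        # ONTAP's default self-signed cert has issuer == subject, so this catches a failed replacement
        if ($after -and $after.CA -eq $after.CommonName) { $issues += "issuer equals subject; cert looks self-signed" }
        if ($after -and $after.Expires -lt (Get-Date).AddDays($WarnDays)) { $issues += "new cert expires within $WarnDays days" }

        [pscustomobject]@{
            SVM     = $svm
            Serial  = if ($after) { $after.Serial }  else { $null }
            Expires = if ($after) { $after.Expires } else { $null }
            Status  = if ($issues) { $issues -join "; " } else { "OK" }
        }
    }
}

# Usage: Test-SvmCertRollout -ClusterFolder "$env:USERPROFILE\desktop\<cluster>" | Format-Table -AutoSize
```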