topic Re: Trusted Certificate Authorities - admin - Expired in ONTAP Discussions

Trusted Certificate Authorities - admin - Expired

MooreCE — Wed, 02 Jul 2025 19:27:01 GMT

In ONTAP 9.13.1, in the Trusted Certificate Authorities, one of them is named "admin." I vaguely understand this to be a built-in cert, but it's expired. The scope is at the cluster level, so I'm wondering what the implications are. Just doing a CSR for a CA-signed cert titled "admin" doesn't seem like best practice; but I was also led to believe that this principle may be tied to some critical components of the NetApp. That may be a misnomer given that the name is "admin" which is also the name of the local account. I could use some clarity on this; I'm a bit new to engineering NetApp.

NOTE: Our NetApp is part of an air-gapped network.

Re: Trusted Certificate Authorities - admin - Expired

chamfer — Tue, 08 Jul 2025 23:39:57 GMT

@MooreCE,

From testing the Trusted Certificate Authority "admin" that has the Scope of "Cluster" and Type "Client CA" is created when an ONTAP cluster is connected to NetApp ActiveIQ Unified Manager.

If you do delete it then you just need to through a reissue of certificate from Unified Manager to connect to the NetApp ONTAP array otherwise the ONTAP array will show as not connected in Unified Manager.

This is all within an air-gapped network also.

Re: Trusted Certificate Authorities - admin - Expired

ThorstenP — Thu, 14 Aug 2025 15:33:06 GMT

I got exactly the same problem, but I don't know how to re-issue the AIQUM certificate.

Besides, the AIQUM dashboard comes up with "Cluster discovery failed. Rediscover the cluster after resolving the issue" when started, but anyway the cluster is listed under Settings/Storage Management/Cluster Setup.

Rebooting AIQUM and rediscovering the cluster didn't have any effect.

I also tried the workaround described here:

https://kb.netapp.com/data-mgmt/AIQUM/AIQUM-Issues/CAIQUM-5308

No luck either so I did a rollback.

Getting out of ideas, I'm about to delete the AIQUM VM and reinstall it from scratch, but that might be a waste of time in case the cause of the problem lies somewhere else.

Two event log entries attached. The second one refers to an expired certificate of type server-ca, CA localhost, probably issued by NetApp which I'm also unable to renew. But that might be a completely different story. Or else we've got a general problem here.

We're running AIQUM 9.16 and a 2-node-cluster with ONTAP 9.13.1P6

Re: Trusted Certificate Authorities - admin - Expired

chamfer — Mon, 25 Aug 2025 23:02:24 GMT

If your mutual TLS certificate between AIQUM has expired you perform the following steps:

In the AIQUM left navigation pane, click Storage Management > Cluster Setup.
On the Cluster Setup page, select the cluster you want to edit, and then click Edit.
In the Edit Cluster dialog box, modify the values as required.
If you have modified the details for a cluster added to Unified Manager, you can view the certificate details for Mutual TLS communication, based on the ONTAP version. For more information about ONTAP version, see Certificates for Mutual TLS communication.
You can view the certificate details by clicking Certificate Details. If the certificate is expired, click the Regenerate button to incorporate the new certificate.
Click Submit.
In the Authorize Host dialog box, click View Certificate to view the certificate information about the cluster.
Click Yes.