https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436491#M9734 <P>Hi&nbsp;</P><P>we get error messages as below:</P><P>This message occurs when a digital certificate for a Vserver is about to expire. Client-server communication will not be secure if the certificate expires.</P><P>Install a new digital certificate on the system using the 'security certificate create' or 'security certificate install' command.</P><P>[version]</P><P>ontap cluster mode<BR />OS Version: 9.8P5</P><P><BR />[my analysis]</P><P>I found some Self-Signed SSL certificate will expire,and i recommend the below KB.<BR />---------------<BR />How to renew a Self-Signed SSL certificate in ONTAP 9<BR /><A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_a_Self-Signed_SSL_certificate_in_ONTAP_9.10.0_and_earlier" target="_blank" rel="noopener">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_a_Self-Signed_SSL_certificate_in_ONTAP_9.10.0_and_earlier</A><BR />---------------</P><P><BR />but the user also stated that they have other certificates will Expiration.<BR />and would like to know how to review it .</P><P>it seems that the below certificate is not a Self-Signed SSL certificate,</P><P>Q1:could you please provide information how to determine if it's a Self-Signed SSL certificate or a CA certificate ?<BR />Q2:Could you please share detall info how to renew the CA certificate.</P><P><BR />the example is as blow:</P><P>------------------- removed private info - AD ------------</P><P>=====================================================</P><P>&nbsp;</P><P>Thanks and regards</P><P>terry</P> Wed, 04 Jun 2025 09:59:03 GMT Terry-xiao 2025-06-04T09:59:03Z https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436491#M9734 <P>Hi&nbsp;</P><P>we get error messages as below:</P><P>This message occurs when a digital certificate for a Vserver is about to expire. Client-server communication will not be secure if the certificate expires.</P><P>Install a new digital certificate on the system using the 'security certificate create' or 'security certificate install' command.</P><P>[version]</P><P>ontap cluster mode<BR />OS Version: 9.8P5</P><P><BR />[my analysis]</P><P>I found some Self-Signed SSL certificate will expire,and i recommend the below KB.<BR />---------------<BR />How to renew a Self-Signed SSL certificate in ONTAP 9<BR /><A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_a_Self-Signed_SSL_certificate_in_ONTAP_9.10.0_and_earlier" target="_blank" rel="noopener">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_a_Self-Signed_SSL_certificate_in_ONTAP_9.10.0_and_earlier</A><BR />---------------</P><P><BR />but the user also stated that they have other certificates will Expiration.<BR />and would like to know how to review it .</P><P>it seems that the below certificate is not a Self-Signed SSL certificate,</P><P>Q1:could you please provide information how to determine if it's a Self-Signed SSL certificate or a CA certificate ?<BR />Q2:Could you please share detall info how to renew the CA certificate.</P><P><BR />the example is as blow:</P><P>------------------- removed private info - AD ------------</P><P>=====================================================</P><P>&nbsp;</P><P>Thanks and regards</P><P>terry</P> Wed, 04 Jun 2025 09:59:03 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436491#M9734 Terry-xiao 2025-06-04T09:59:03Z https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436496#M9735 <P>Hi <a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/94406">@Terry-xiao</a>&nbsp;</P><P>&nbsp;</P><P>Q1) Your answer is in your output, its not self-signed as its signed by "[Deleted by moderator]"</P><P>Q2) Check this KB <A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_install_a_Certificate_Authority_(CA)_signed_certificate_in_ONTAP_for_System_Manager_use" target="_blank" rel="noopener">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_install_a_Certificate_Authority_(CA)_signed_certificate_in_ONTAP_for_System_Manager_use</A></P> Wed, 13 Jul 2022 04:01:44 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436496#M9735 chamfer 2022-07-13T04:01:44Z https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436499#M9736 <P>Hi Chamfer,</P><P>&nbsp;</P><P>Thanks very much for your update.</P><P><BR />Even in my test environment I'm building now, there are 89 entries, but it seems this certificates<BR />are not intentionally registered, but is automatically generated and registered arbitrarily.<BR />(Attach log) So i 'm not sure if we need ask user&nbsp; to revew these certificates as the KB suggested.</P><P>&nbsp;</P><P><A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_install_a_Certificate_Authority_(CA)_signed_certificate_in_ONTAP_for_System_Manager_use" target="_blank">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_install_a_Certificate_Authority_(CA)_signed_certificate_in_ONTAP_for_System_Manager_use</A></P><P>&nbsp;</P><P>Thanks and regards</P><P>wenhai&nbsp;</P><P>&nbsp;</P> Thu, 07 Jul 2022 09:38:11 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436499#M9736 Terry-xiao 2022-07-07T09:38:11Z https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436633#M9737 <P>Hi Wenhai,</P><P>&nbsp;</P><P>Ok, I do understand where you are coming from, but I think you are getting confused between the different types of certificates that ONTAP can configured with.</P><P>&nbsp;</P><P>Effectively<SPAN>&nbsp;there are three types of certificates you can have on ONTAP:</SPAN></P><UL><LI><SPAN>Public Root Certificates (From ONTAP truststore)</SPAN></LI><LI><SPAN>CA signed certificates, could be internal company CA or external CA body (e.g. Entrust) and they are provisioned by first going through the CSR process.</SPAN></LI><LI><SPAN>Self Signed certificates, where ONTAP generates its own certificates using the respective SVM CA.</SPAN></LI></UL><P>&nbsp;</P><P>The certificates that you are seeing are root CA certificates as part of ONTAP truststore, which was introduced in ONTAP 9.2.&nbsp; See more here&nbsp;<A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_Certificate_Truststore_in_ONTAP" target="_blank">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_Certificate_Truststore_in_ONTAP</A>&nbsp;</P><P>&nbsp;</P><P><SPAN>The Truststore Certificates are automatically updated as needed as part of every ONTAP release, but you are free to delete them if you do not use them.</SPAN></P><P>&nbsp;</P><P>Back to you original question:</P><UL><LI>If you have root CA certificates expiring, upgrading ONTAP will resolve this OR you could just delete them.</LI><LI>If you have CA signed certificates you need to go through the CSR process to get new certificates</LI><LI>If you have self-signed certificates expiring go through the process&nbsp;<A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_a_Self-Signed_SSL_certificate_in_ONTAP_9.10.0_and_earlier" target="_blank" rel="noopener noreferrer">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_a_Self-Signed_SSL_certificate_in_ONTAP_9.10.0_and_earlier</A></LI></UL><P>I hope that this helps/make sense.</P> Wed, 13 Jul 2022 02:05:44 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436633#M9737 chamfer 2022-07-13T02:05:44Z https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436639#M9738 <P>Also for those reading this in the future there are three commands to view the certificates on ONTAP:</P><UL><LI>security certificate show-generated</LI><LI>security certificate show-truststore</LI><LI>security certificate show-user-installed</LI></UL> Wed, 13 Jul 2022 04:32:42 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/436639#M9738 chamfer 2022-07-13T04:32:42Z https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/437057#M9740 <P>Hi ,thanks very much for update.</P><P>&nbsp;</P><P>Regarding "<SPAN>The Truststore Certificates are automatically updated as needed as part of every ONTAP release,”</SPAN>.</P><P>if the system is running version ontap 9.8P5,and update it to the 9.8P12,does the expired one will updaded by ontap version up ? do we need to update the current version to the latest one 9.10.1 to update the certificate?</P><P>Also can we perform this version up before any "Truststore Certificate" will expire?</P><P>Thanks and regards<BR />Terry</P> Tue, 02 Aug 2022 01:30:55 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/questions-about-the-certificate-renew-in-ontap-cluster/m-p/437057#M9740 Terry-xiao 2022-08-02T01:30:55Z