Active IQ Unified Manager Discussions

ONTAP 9.1 System Manager and CA signed certificates

orametrix
16,876 Views

We just got our shiny new FAS2650, running ONTAP 9.1RC2.  We're still climbing the learning curve about clustered ONTAP (everything previous to this is still running 7-mode).

 

We're running the System Manager with ONTAP using a self-signed SSL certificate.  However, it would be nice to use a CA signed certificate, so I don't have to listen to Chrome whine and complain every time I start the system manager.  Anything I can do to save a couple extra clicks (every time I have to fire up the manager)...

 

We've got a wildcard certificate for our company that we've loaded into the filer (including the complete certificate chain going back to the CA).  The thing that I haven't figured out how to do yet is tell the system manager to use the new certificate.  The documentation is a bit lacking in this matter (or I haven't found the right document yet).

 

Has anyone else figured out how to do this?

 

Thanks

 

Patrick

1 ACCEPTED SOLUTION

niels
16,862 Views

Hi Patrick,

 

not only do you need to install the signed certificate, but you also have to associate that certificate to the web service.

Basically you could install separate certificates for various services in the cluster.

 

I found the following KB article useful every time I had to deal with certificates.

https://kb.netapp.com/support/s/article/how-to-renew-an-ssl-certificate-in-clustered-data-ontap?t=1486136032325

 

It only talks about renewing the self-signed certificates, but it should give you a good hint what to do with your externally signed cert.

Command-wise use everything that's labeled "8.2" or "8.3". The article is not yet updated to 9.1 but commands work.

 

Kind regards, Niels

 

---------------------

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO or both.
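
The two steps described in the answer above (install the CA-signed certificate, then associate it with the web service), sketched as an ONTAP CLI session. This is an added example, not part of the original post or the linked KB article. It assumes the admin SVM is named `cluster1`; `<ca>`, `<serial>` and `<common-name>` are placeholders for the values that `security certificate show` reports for the installed certificate.

```text
cluster1::> security certificate install -vserver cluster1 -type server
    (paste the signed certificate, then its private key, then each
     intermediate/root certificate of the chain when prompted)

cluster1::> security certificate show -vserver cluster1 -type server
    (note the CA, serial number and common name of the new entry)

cluster1::> security ssl modify -vserver cluster1 -server-enabled true -ca <ca> -serial <serial> -common-name <common-name>

cluster1::> security ssl show -vserver cluster1
    (confirm the listed serial number matches the new certificate)
```

Binding a wildcard certificate this way places the wildcard's private key on the cluster, so the key protects every hostname the wildcard covers and should be handled accordingly.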


3 REPLIES 3

orametrix
16,857 Views

Thanks for the pointer, Niels.  That got me where I needed to go.

 

I was wondering if the certificate would be bound specifically to the system manager, but the only entries I saw were for the SVMs, so I just went with it for the management SVM and I get a happy green SSL indicator from Chrome now.

 

Appreciate the help.

thomas382
12,041 Views

Hello;

 

I am using cdot 9.3 and got the advice from mysupport for the expired certificate issue: KB ID: 27617

 

 

The output of the commands for 8.2 is different and I want to ask for the correct linked version of the document.

Thanks in advance, Greetings, Thomas

 
