Active IQ Unified Manager Discussions

Renewing a CA-Signed Certificate in ActiveIQ Unified Manager

TMADOCTHOMAS

Last year we generated a CA-signed cert for ActiveIQ Unified Manager for the first time. We followed the procedure below and it went fine.

 

https://docs.netapp.com/us-en/active-iq-unified-manager/config/task_install_ca_signed_and_returned_https_certificate.html

 

Now we need to renew it; however, there don't appear to be any clear instructions on how to renew a CA-signed certificate for AIUM. The following link takes you to articles on how to generate/install a CA-signed cert, renew a self-generated cert, and install/renew a CA cert for System Manager - but nothing about renewing a CA-signed cert for AIUM. Can anyone provide insight into the correct procedures? We've tried a mixture of steps from the articles linked below but nothing is working so far.

 

https://kb.netapp.com/data-mgmt/AIQUM/AIQUM_Kbs/Active_IQ_Unified_Manager_Certificate_Regeneration_and_Importing_Resolution_Guide

1 ACCEPTED SOLUTION

hamdani

Thanks for the reply and your comments

 

  1. As you already know by now, we don't have any document for renewing an already CA-signed certificate in AIQUM. We will create one soon...
  2. The best way to go about it is to "reset" the AIQUM certificate, either by using "maintenance_console > Reset Server Certificate" or from the AIQUM web portal "Settings > General > HTTPS Certificates > Regenerate HTTPS Certificate"
  3. Now you can create a new CSR and get it CA-signed using any of the KBs or Docs available for AIQUM

 

Thanks...

4 REPLIES 4

hamdani

Hello...

 

Let us know if any of these articles help you with the CA-signed certificate in AIQUM.

How to generate and convert a signed certificate for Active IQ Unified Manager
https://kb.netapp.com/data-mgmt/AIQUM/AIQUM_Kbs/How_to_generate_and_convert_a_signed_certificate_for_Active_IQ_Unified_Manager

 

Security Enhancements in Active IQ Unified Manager 9.9 Part 1: Import a Remotely Generated CSR
https://community.netapp.com/t5/Tech-ONTAP-Blogs/Security-Enhancements-in-Active-IQ-Unified-Manager-9-9-Part-1-Import-a-Remotely/ba-p/167583

 

Can Active IQ Unified Manager accept a remotely generated CSR?
https://kb.netapp.com/data-mgmt/AIQUM/AIQUM_Kbs/Can_Active_IQ_Unified_Manager_accept_a_remotely_generated_CSR

 

How to create a CA signed certificate in AIQUM using OpenSSL with EC/RSA algorithm?
https://kb.netapp.com/data-mgmt/AIQUM/AIQUM_Kbs/How_to_create_a_CA_signed_certificate_in_AIQUM_using_OpenSSL_with_EC_RSA_algorithm

 

TMADOCTHOMAS

Thanks @hamdani! Thoughts on each of these:

 

  • The first link is about installing an initial CA-signed cert in AIUM which we've done. We need to know how to renew it. These procedures don't appear to work for renewal.
  • For the second and third links - is a "remotely generated CSR" the same thing as a "CA-signed cert"? I'm not involved with the team that actually creates the CA-signed certs so I have no idea if this process is applicable or not. I do know they don't use OpenSSL.
  • For the third link, again this shows OpenSSL which our security team doesn't use. Either way, the instructions appear to be stating how to upload a brand new cert rather than renew an existing one.

The general sense I'm getting from the links you sent is that there's a relatively newer way to generate a CA signed cert that doesn't require you to first download a request from a self-generated cert in AIUM. If that's the case, that is probably what we need to do but it's not entirely clear. Thanks again for sending the links!

TMADOCTHOMAS

Thanks @hamdani. I actually wasn't 100% sure you guys didn't have a doc explaining how to renew, thank you for confirming it! By the way, my security guy corrected me and said he does use OpenSSH, so I was mistaken. He's going to try the procedure you linked to earlier.

 

So the new procedure you just mentioned is basically a way to "restart" the process - remove the CA signed cert, replace it with a self-generated one, and use that to request an updated CA signed cert? And at that point it would be the same process we did last year? If so that makes sense, although it is a bit convoluted, but I'll take it lol!
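
Added example (not part of the thread and not NetApp's procedure): the accepted solution ends with creating a new CSR and having it CA-signed, so before importing the returned certificate it is worth confirming that it carries the public key of that new CSR and is not about to expire. The script uses only standard `openssl` commands; the file names, the CN and the 30-day threshold are assumptions, and the sample files are constructed locally.

```shell
#!/bin/sh
# Added example: sanity checks on a CA-returned certificate before importing it.
# File names, the CN and the 30-day threshold are assumptions, not from the thread.

# Exit 0 when the certificate carries the same public key as the CSR,
# 1 when the keys differ, 2 when either file cannot be parsed.
cert_matches_csr() {    # usage: cert_matches_csr <cert.pem> <request.csr>
    cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# Exit 0 when the certificate is still valid <days> days from now.
cert_valid_for_days() { # usage: cert_valid_for_days <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample material so the checks run offline:
#   new.csr / new.crt  request from a fresh key pair, "signed" here by self-signing
#   old.crt            a certificate from a different key pair, expiring in 10 days
make_sample_files() {   # usage: make_sample_files <dir>
    openssl req -newkey rsa:2048 -nodes -keyout "$1/new.key" -out "$1/new.csr" \
        -subj "/CN=aiqum.example.test" 2>/dev/null &&
    openssl x509 -req -in "$1/new.csr" -signkey "$1/new.key" -days 365 \
        -out "$1/new.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/old.key" \
        -out "$1/old.crt" -days 10 -subj "/CN=aiqum.example.test" 2>/dev/null
}

report() {              # usage: report <cert.pem> <request.csr>
    if cert_matches_csr "$1" "$2"; then echo "$1: matches CSR key"
    else echo "$1: does NOT match CSR key"; fi
    if cert_valid_for_days "$1" 30; then echo "$1: valid for 30+ days"
    else echo "$1: expires within 30 days"; fi
}

dir=$(mktemp -d) && make_sample_files "$dir" && {
    report "$dir/new.crt" "$dir/new.csr"
    report "$dir/old.crt" "$dir/new.csr"
}
rm -rf "$dir"
```

A certificate that fails the key-match check was issued against a different request than the one supplied, which is the first thing to rule out when an import is rejected.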
