
Risk Resolver - Certificate Renew/Recreate

mcgue

Current Version:  1.5

 

Clustered Data ONTAP (also known as ONTAP) uses self-signed certificates by default for management
of the environment. These certificates have a typical expiration date of 1 year (365 days).
This KB describes the process to recreate the certificates:

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_an_SSL_certificate_in_ONTAP_9

 

This script handles the steps outlined in the article by doing the following:

  • Connecting to a cluster
  • Collecting all existing certificates
  • Ensuring the certificate is self-signed
  • Deletes the self-signed certificate
  • Creates a new certificate with the same properties as the previous one with a 10 year expiration
  • Configures SSL on the SVM to use the new certificate

 

Article link updated by Admin on Sept 29, 2020.
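The six steps listed above, written out as an added PowerShell example. This is not the thread's script and not NetApp's code: it assumes the NetApp PowerShell Toolkit (DataONTAP module) cmdlets Connect-NcController, Get-NcNode, Get-NcSecurityCertificate, Remove-NcSecurityCertificate, New-NcSecurityCertificate and Set-NcSecuritySsl with the parameter names shown, and it assumes the certificate objects expose the fields the thread's own variable names refer to (CommonName, SerialNumber, CertificateAuthority, Type, Size, HashFunction, ExpirationDateDT, PublicCertificate). Confirm each cmdlet with Get-Help before pointing it at a cluster. Instead of trusting a toolkit flag for "self-signed", it parses the PEM in PublicCertificate with .NET and checks that subject equals issuer, and it adds the two guards from the 1.5 changelog (an expiry window and a refusal to touch an SVM that holds several certificates with the same common name).

```powershell
# Added example, not the thread's script: recreate expiring self-signed ONTAP
# server certificates with the NetApp PowerShell Toolkit (DataONTAP module).
# ASSUMPTION: cmdlet and parameter names below are as the toolkit documents
# them; confirm with Get-Help <cmdlet> -Full before running against a cluster.
#Requires -Modules DataONTAP
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)][string]$Cluster,
    [int]$ExpiresWithinDays = 90,     # only touch certificates expiring inside this window
    [int]$NewValidityDays   = 3650,   # 10 years, matching the thread's script
    [pscredential]$Credential         # pass one object to reuse it across several clusters
)

Import-Module DataONTAP -ErrorAction Stop

# Step 1: connect. Prompt once; the same credential object can then be passed
# for every cluster in the session instead of being typed again each time.
if (-not $Credential) { $Credential = Get-Credential -Message "ONTAP admin credentials for $Cluster" }
$null = Connect-NcController -Name $Cluster -Credential $Credential -ErrorAction Stop

$nodeNames = @(Get-NcNode | ForEach-Object Node)
$cutoff    = (Get-Date).AddDays($ExpiresWithinDays)

# Step 3 helper: decide "self-signed" from the certificate itself (subject equals
# issuer) rather than from a toolkit field. PublicCertificate holds the PEM text
# (assumed field name, taken from the thread's $PublicCertificate variable).
function Test-SelfSignedPem {
    param([string]$Pem)
    if ([string]::IsNullOrWhiteSpace($Pem)) { return $false }
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Pem)
    $x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    return $x509.Subject -eq $x509.Issuer
}

# Step 2: collect every certificate, keep server certificates that are
# self-signed and expire inside the window.
$candidates = Get-NcSecurityCertificate | Where-Object {
    $_.Type -eq 'server' -and
    [datetime]$_.ExpirationDateDT -le $cutoff -and
    (Test-SelfSignedPem -Pem $_.PublicCertificate)
}

# Guard from the 1.5 changelog: if an SVM holds several certificates with the
# same common name, do not guess which one is live; report them and skip.
$grouped = $candidates | Group-Object Vserver, CommonName
foreach ($g in ($grouped | Where-Object Count -gt 1)) {
    Write-Warning "Skipping '$($g.Name)': $($g.Count) certificates share this common name; resolve manually."
}
$work = ($grouped | Where-Object Count -eq 1).Group

foreach ($cert in $work) {
    $scope  = if ($nodeNames -contains $cert.Vserver) { 'node' } else { 'SVM' }
    $target = "$scope $($cert.Vserver): $($cert.CommonName) serial $($cert.SerialNumber), expires $($cert.ExpirationDateDT)"

    # -WhatIf lists what would change; -Confirm prompts once per certificate.
    if (-not $PSCmdlet.ShouldProcess($target, 'Delete and recreate self-signed certificate')) { continue }

    try {
        # Step 4: delete the old self-signed certificate.
        Remove-NcSecurityCertificate -Vserver $cert.Vserver -CommonName $cert.CommonName `
            -SerialNumber $cert.SerialNumber -CertificateAuthority $cert.CertificateAuthority `
            -Type $cert.Type -Confirm:$false -ErrorAction Stop

        # Step 5: recreate it with the same identity and key parameters and a 10-year validity.
        $new = New-NcSecurityCertificate -Vserver $cert.Vserver -CommonName $cert.CommonName `
            -Type server -Size $cert.Size -HashFunction $cert.HashFunction `
            -ExpireDays $NewValidityDays -ErrorAction Stop

        # Step 6: point the SVM's SSL configuration at the new certificate.
        Set-NcSecuritySsl -Vserver $cert.Vserver -CommonName $new.CommonName `
            -SerialNumber $new.SerialNumber -CertificateAuthority $new.CertificateAuthority `
            -EnableServerAuthentication $true -ErrorAction Stop

        Write-Host "Renewed $target -> new serial $($new.SerialNumber), expires $($new.ExpirationDateDT)"
    }
    catch {
        # Once the old certificate is gone, a failure here leaves management HTTPS
        # without a usable certificate; stop immediately rather than continue.
        throw "Renewal failed for $target. Check 'security certificate show' and 'security ssl show' on the cluster. $_"
    }
}
```

Run it first with `-WhatIf` to see which certificates fall inside the expiry window and which SVMs are skipped for duplicate common names; the delete-then-create order is the one the KB article and the thread's script use, which is why the create and SSL steps sit in one try block with a hard stop on failure.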


mcgue

The new iteration of the script can now be found here:

 

https://www.powershellgallery.com/packages/NetAppSSLCertificateRenew

 

thomasb82

Thank you so much for creating this script and keeping it up to date!!

 

Would it be possible to use credentials from the current session?

We have setup AD authentication on all NetApps and it would be convenient to not get prompted for the admin credentials for each system.

 

Thank you!

 

mcgue

I'm glad it is working well for you.  I wish there was a way to pass AD credentials, but so far it doesn't look like there is a way in PS or the toolkit to do that.

dgwhitecalgary

You can prompt the user for their credentials at the start of the script then use the credential object to pass to cmdlets. I use this technique often. Your cmdlet needs to support a credential parameter though.

 

#Store credentials if needed
if (!($Creds)){Set-Variable -Name Creds -Value (Get-Credential -credential "$env:userdomain\$env:username") -Scope Global -Visibility Public -Option AllScope}

mcgue

Excellent - thank you for the suggestion!


@dgwhitecalgary wrote:

You can prompt the user for their credentials at the start of the script then use the credential object to pass to cmdlets. I use this technique often. Your cmdlet needs to support a credential parameter though.

 

#Store credentials if needed
if (!($Creds)){Set-Variable -Name Creds -Value (Get-Credential -credential "$env:userdomain\$env:username") -Scope Global -Visibility Public -Option AllScope}


 

mcgue

I can't edit this original post anymore, but the updated link to the relevant KB article is here:

 

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_an_SSL_certificate_in_ONTAP_9

mcgue

Updated to version 1.5 with these changes:

 

1.5 - Set toolkit import just to import and not check for version (due to new versioning of current releases)
      Added option to check certificates that expire X number of days in the future
      Added a check if there are multiple certificates in the same SVM not to continue if they are of the same common name
      Added more inline comments

EthanQ

When downloading, just do a "save-as" and change the extension to .ps1 or download with the default name and then change the extension to .ps1.

 

That way the formatting doesn't get messed up.

 

Not sure why anybody would even be opening it as a regular text file to copy out the contents to a new file. That is quite pointless and unnecessary.

mcgue

Updated to version 1.4.  Got rid of any need for the Invoke-NcSsh cmdlet and accounted for the new server-ca types added in by default in ONTAP 9.3+.

thomasb82

Excellent work, thank you!

mcgue

Updated to 1.1 with some additional prompts prior to recreating certificates.

mcgue

Updated version to 1.2 to resolve an issue with ONTAP 9 and to enhance the checks for self-signed certificates.

EHooper

Hi

 

Trying to test this at the moment, but I'm getting the following errors on the following lines -

 

You cannot call a method on a null-valued expression.
At line:302 char:9
+         $GetCertificateResults = $GetCertificateResults.ToString()

 

and

 

You cannot call a method on a null-valued expression.
At line:304 char:13
+         If ($GetCertificateResults.contains($SerialNumber)) {

 

Do you have any ideas ?

 

Thanks

 

 


Edit: Ignore this - I redownloaded the file and the formatting was fixed.

mcgue

Sorry I wasn't able to respond earlier.  I saw your edit - are you OK now? 

mwt

Getting the same errors as EHooper, unfortunately a redownload didn't correct the issue for me. Any ideas on what could be causing the errors?

 

You cannot call a method on a null-valued expression.
At C:\Users\REDACTED\Downloads\RiskResolverCertificate.ps1:308 char:9
+         $GetCertificateResults = $GetCertificateResults.ToString()
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\Users\REDACTED\Downloads\RiskResolverCertificate.ps1:310 char:13
+         If ($GetCertificateResults.contains($SerialNumber)) {
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

EHooper

Hi

 

You get this error if you open the text file first and then copy it into PowerShell or ISE. The reason for this is that the line below

 

"#sleep between invoke SSH runs to ensure ONTAP is ready"

 

is all bunched up into one line, and then the variable will be null because it won't run. When you open the file in ISE originally you will see it like this:

 

Line 1: #Only return if shows as self-signed, had to reduce fields for ONTAP to return successfully

Line 2: #$GetCertificateCommand = "security certificate show -common-name $CommonName -serial $SerialNumber -ca $CertificateAuthority -type $Type -size $Size -start $StartDateDT -expiration $ExpirationDateDT -public-cert $PublicCertificate -country $Country -state $State -locality $Locality -organization $Organization -unit $OrganizationUnit -email-addr $EmailAddress -protocol $Protocol -hash-function $HashFunction -self-signed true"

Line 3: $GetCertificateCommand = "security certificate show -common-name $CommonName -serial $SerialNumber -ca $CertificateAuthority -type $Type -protocol $Protocol -hash-function $HashFunction -self-signed true"

Line 4: $GetCertificateResults = Invoke-NcSsh $GetCertificateCommand

Line 5: $GetCertificateResults = $GetCertificateResults.ToString()

mcgue

@EHooper

 

Thanks for digging into that!  That's one of the challenges here is that the community site won't allow .ps1 attachments so it has to be text.  Great work - thanks again.

EHooper

Also MCGUE

 

I noticed that there was an error on the following line in your original script -

 

#The script will now check if the current certificate is node specific
            If (($NumberOfNodes -ne 1 -and $Nodes -contains $Vserver) -or ($NumberOfNodes -eq 1 -and $Nodes.Node -eq $Vserver)) {

 

I had to change it to

 

#The script will now check if the current certificate is node specific
            If (($NumberOfNodes -ne 1 -and $Nodes.Node -contains $Vserver) -or ($NumberOfNodes -eq 1 -and $Nodes.Node -eq $Vserver)) {

 

If the .Node isn't added it won't pick up the node names when you have multiple nodes. I tested both ways and .Node was the only one that made it work.

mcgue

@EHooper

 

Regarding your note about the command line: are you using version 1.3 of the script? That is what should be attached here, and that line is different in this version (including the difference you noted with the node parameter).

thomasb82

please ignore this reply, sorry.
