Network and Storage Protocols

Questions about certificate renewal in an ONTAP cluster

Terry-xiao

Hi 

We get the error message below:

This message occurs when a digital certificate for a Vserver is about to expire. Client-server communication will not be secure if the certificate expires.

Install a new digital certificate on the system using the 'security certificate create' or 'security certificate install' command.

[version]

ontap cluster mode
OS Version: 9.8P5


[my analysis]

I found that some Self-Signed SSL certificates will expire, and I recommended the KB below.
---------------
How to renew a Self-Signed SSL certificate in ONTAP 9
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_a_Self-Signed_SSL_certificate_in_ONTAP_9.10.0_and_earlier
---------------


But the user also stated that they have other certificates that will expire,
and would like to know how to review them.

It seems that the certificate below is not a Self-Signed SSL certificate.

Q1: Could you please provide information on how to determine whether it is a Self-Signed SSL certificate or a CA certificate?
Q2: Could you please share detailed information on how to renew the CA certificate?


The example is as below:

------------------- removed private info - AD ------------

=====================================================

Thanks and regards

terry

1 ACCEPTED SOLUTION

chamfer

Hi Wenhai,

Ok, I do understand where you are coming from, but I think you are getting confused between the different types of certificates that ONTAP can be configured with.

Effectively there are three types of certificates you can have on ONTAP:

  • Public Root Certificates (from the ONTAP truststore)
  • CA-signed certificates, which could be from an internal company CA or an external CA body (e.g. Entrust); they are provisioned by first going through the CSR process.
  • Self-signed certificates, where ONTAP generates its own certificates using the respective SVM CA.

The certificates that you are seeing are root CA certificates that are part of the ONTAP truststore, which was introduced in ONTAP 9.2. See more here: https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_Certificate_Truststore_in_ONTAP

The Truststore Certificates are automatically updated as needed as part of every ONTAP release, but you are free to delete them if you do not use them.

Back to your original question:

I hope that this helps/makes sense.


5 REPLIES

chamfer

Hi @Terry-xiao

Q1) Your answer is in your output: it's not self-signed, as it's signed by "[Deleted by moderator]".

Q2) Check this KB: https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_install_a_Certificate_Authority_(CA)_signed_certificate_in_ONTA...
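The Q1 test above (issuer versus subject) can be automated on any certificate copied off the cluster as PEM. The script below is an added example and is not part of the thread or of NetApp's documentation; it assumes the openssl command-line tool is on PATH and constructs its own throwaway certificates (a private root CA, a leaf signed by that CA, and a stand-alone self-signed leaf) purely to have something to classify. Note that a matching issuer and subject is only a hint: the certificate is proven self-signed only when its signature verifies with its own public key, which is what `openssl verify -CAfile cert cert` checks. The expiry check mirrors the "about to expire" warning in the original post using a configurable number of days.

```shell
#!/bin/sh
# Added example, not from the thread: classify PEM certificates as
# self-signed or CA-signed and flag those that expire soon.
# Assumes: openssl CLI on PATH. All certificates are constructed here.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material (hypothetical names):
#   ca.pem   - private root CA, valid 10 years
#   leaf.pem - server cert for svm1 signed by that CA, valid 20 days
#   self.pem - stand-alone self-signed server cert for svm2, valid 20 days
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example Corp Root CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=svm1.example.com" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 20 -out "$WORK/leaf.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 20 \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" \
  -subj "/CN=svm2.example.com" >/dev/null 2>&1

# Print "self-signed" or "ca-signed" for the PEM file in $1.
# Issuer == Subject alone is not proof, so the signature is also verified
# using the certificate itself as the only trust anchor.
cert_type() {
  cert=$1
  issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
  if [ "$issuer" = "$subject" ] && \
     openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# Return 0 (true) if the certificate in $1 expires within $2 days.
# openssl -checkend exits 1 when the cert WILL expire in that window,
# so the result is negated.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Human-readable report over the constructed certificates.
report() {
  for c in "$WORK"/ca.pem "$WORK"/leaf.pem "$WORK"/self.pem; do
    kind=$(cert_type "$c")
    if expires_within_days "$c" 30; then
      status="expires within 30 days"
    else
      status="ok"
    fi
    printf '%s: %s, %s\n' "$(basename "$c")" "$kind" "$status"
  done
}

report
```

When the cert_type result is "ca-signed", renewal means going back through the CSR process with the issuing CA, as the KB linked in Q2 describes; when it is "self-signed", the self-signed renewal KB from the original post applies. The `security certificate show-*` commands mentioned later in this thread list the certificates from the ONTAP side; this script is for inspecting an exported copy on an administrator's workstation.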

Terry-xiao

Hi Chamfer,

Thanks very much for your update.

Even in the test environment I'm building now, there are 89 entries, but it seems these certificates
are not intentionally registered, but are automatically generated and registered arbitrarily.
(Attached log) So I'm not sure if we need to ask the user to review these certificates as the KB suggested.

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_install_a_Certificate_Authority_(CA)_signed_certificate_in_ONTA...

Thanks and regards

wenhai


chamfer

Also for those reading this in the future there are three commands to view the certificates on ONTAP:

  • security certificate show-generated
  • security certificate show-truststore
  • security certificate show-user-installed

Terry-xiao

Hi, thanks very much for the update.

Regarding "The Truststore Certificates are automatically updated as needed as part of every ONTAP release":

If the system is running ONTAP 9.8P5 and we update it to 9.8P12, will the expired one be updated by the ONTAP version upgrade? Or do we need to update to the latest version, 9.10.1, to update the certificate?

Also, can we perform this version upgrade before any Truststore Certificate expires?

Thanks and regards
Terry
