ONTAP Discussions

Certificate Auto Renewal

Anandk6
1,652 Views

History: Customer had a query that they see the certificates (type server and server-ca) in the system (in GUI - OCSM). They wanted to know the need of these certificates and what if they are not renewed.
There was a zoom call scheduled where the customer said that they do not use any of them except 1 or 2, and they are happy tto renew them. But for others, as they are not needed and if it is needed for NetApp to work properly, why is the liability left on customer to renew them. IT should be taken care by Netapp and they should should not be putting Man hours for the renewal of certificates used by NetApp.

Need answers for:
 On the Trusted Certificates –
o How are they handled in NetApp
o Why are they there
 How does auto renewal of certificates happen during ontap upgrade?
 Customer had ontap upgrade done in the month of August, but the certificate is expiring in November and December. Why was it not auto upgraded?
Need supporting documents regarding the explanation, if possible, else logs for the same.

Thank you!
Regards,
Anand Krishna

1 ACCEPTED SOLUTION

Ontapforrum
1,498 Views

Hi Anand,

 

That's a good question.

 

Why are there so many certificates needed and how are they auto upgraded?

Unfortunately, I don't know the reason, I am sure Engineering has thought through it and there must be some solid reason behind it.

 

According to this KB: "NetApp pursued an approach to simplify use of security certificates by bundling several trusted root certificate authority certificates with ONTAP." I guess, the object is to automatically upgrade certificates without having to track it.
https://kb.netapp.com/Support_Bulletins/Customer_Bulletins/SU385

 


There are multiple certificates in the Truststore and they are all root certificates, depending on what service has a dependency on the root certificate would probably stop working when the certificate expires. You should not have a signed certificate (via CSR) from a root/signing CA with a validity that exceeds the root/signing CA expiration date. Do we need to upgrade the ontap release to the new one to update the expired one to the latest Certificates? Yes.
https://community.netapp.com/t5/ONTAP-Discussions/The-questions-about-the-Certificate-Truststore-in-ONTAP/m-p/436592

 

If you are from NetApp, try and reach out to relevant team with your specific queries. If you are customer/partner, may be raise a NetApp ticket might help in getting answers to your specific queries.

 

Thanks!

View solution in original post

5 REPLIES 5

Ontapforrum
1,578 Views

Check out following articles..

 

What is the Certificate Truststore in ONTAP?
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_Certificate_Truststore_in_ONTAP

 

What happens if a Truststore Certificate expires?
If the Truststore Certificate expires, you may decide to delete it or leave it alone. The Truststore Certificates are automatically updated as needed as part of every ONTAP release.
This is also explained in NetApp Support Site - BURT - 1245418

 

What will happen when my Autosupport Certificate in ONTAP expires?
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_will_happen_when_my_Autosupport_Certificate_in_ONTAP_expires%3F

 

Anandk6
1,572 Views

Hello Ashwin,

Thanks for the KB and the response. However, the questions for which answers are needed is not answered  in this KB. For example - 

 

Why are there so many certificates needed and how are they auto upgraded?
If any certificate is not used by customer and not auto updated during upgrade, is there any need for them to be upgraded manually?

Ontapforrum
1,499 Views

Hi Anand,

 

That's a good question.

 

Why are there so many certificates needed and how are they auto upgraded?

Unfortunately, I don't know the reason, I am sure Engineering has thought through it and there must be some solid reason behind it.

 

According to this KB: "NetApp pursued an approach to simplify use of security certificates by bundling several trusted root certificate authority certificates with ONTAP." I guess, the object is to automatically upgrade certificates without having to track it.
https://kb.netapp.com/Support_Bulletins/Customer_Bulletins/SU385

 


There are multiple certificates in the Truststore and they are all root certificates, depending on what service has a dependency on the root certificate would probably stop working when the certificate expires. You should not have a signed certificate (via CSR) from a root/signing CA with a validity that exceeds the root/signing CA expiration date. Do we need to upgrade the ontap release to the new one to update the expired one to the latest Certificates? Yes.
https://community.netapp.com/t5/ONTAP-Discussions/The-questions-about-the-Certificate-Truststore-in-ONTAP/m-p/436592

 

If you are from NetApp, try and reach out to relevant team with your specific queries. If you are customer/partner, may be raise a NetApp ticket might help in getting answers to your specific queries.

 

Thanks!

Anandk6
1,475 Views

Thank you!

AlexDawson
1,471 Views

Hi Anandk6, you've posted this in a public area of the forums. Was this your intention?

 

SSL Certificates are used to authenticate API access to SVMs. It is a minor concern when they expire, but they are listed as a risk due to some customers caring a lot about it. When inside ONTAP, they are a manual renewal as some of our customers use enterprise (internal) PKI to sign all certificates, and it's a minor issue if the certificates expire in other environments.

 

Could we add code to detect if a self signed certificate is being used and renew automatically? potentially, but I feel the effort to do so in the right situations is not offset by the impact of certificates not being renewed in non-enterprise PKI environments, which is effectively zero. 

Public