ONTAP Discussions

Error while installing SSL certificate - Certificate with CA .. and Serial-number .. does not exist

sanadmin_stadtdo
993 Views

Hello,

we want to import a new Certificate Authority (CA) signed certificate in our FAS2552 (ONTAP 9.8).

 

After install with "security certificate install -vserver NAME -type -server-ca" and so on, all looks fine:

 

Checking the certificate looked like this:

FAS25521::> security certificate show -cert-name FAS2552n.xxxxxx.de

Vserver    Serial Number   Certificate Name                       Type

---------- --------------- -------------------------------------- ------------

FAS2552x   6D00015BC54A82ECA7B2ECE64C0002nnnnnnnn

                           FAS2552n.xxxxxx.de                    server-ca

    Certificate Authority: xxxxxxxxxx Systemhaus Enterprise CA nn

          Expiration Date: Fri Dec 09 11:49:53 2022

FAS25521::>

 

But if we want to modify the SSL security configuration for the cluster SVM to use the new certificate we got an Error:

FAS2552x::> security ssl modify -vserver FAS2552n -serial 6D00015BC54A82ECA7B2ECE64C0002nnnnnnnn -ca "xxxxxxxxxx Systemhaus Enterprise CA nn" -server-enabled true

Error: command failed: Certificate with CA: "xxxxxxxxxx Systemhaus Enterprise CA nn" and Serial-number: "6D00015BC54A82ECA7B2ECE64C0002nnnnnnnn" does not exist.

FAS2552x::>

 

Although CA and serial number are correct, a certificate with this information allegedly does not exist.

 

But also, when I display the certificate via the serial number, I get the following

FAS25521::> security certificate show -serial 6D00015BC54A82ECA7B2ECE64C0002nnnnnn -fields serial, ca
vserver common-name serial ca type subtype cert-name
-------- ------------------- -------------------------------------- ---------------------------------------- --------- ------- -------------------
FAS2552n FAS2552n.xxxxxx.de 6D00015BC54A82ECA7B2ECE64C0002nnnnnn "xxxxxxxxxx Systemhaus Enterprise CA nn" server-ca - FAS2552n.xxxxxx.de

FAS25521::>

 

Actually everything correct - or not ? What is wrong?

 

Any ideas?

 

Thanks a lot

 

Best regards 

 

Michael

 

 

1 ACCEPTED SOLUTION

TMACMD
954 Views

You installed the Certificate Authority certificate. You still need a -per SVM- SERVER certificate.

You can use ONTAP to generate a cert request then send the req to the CA. INstall the resulting server CERT into the SVM and then enable SSL using the SERVER CERT (not the Server-CA)

 

View solution in original post

3 REPLIES 3

Ontapforrum
965 Views

TMACMD
955 Views

You installed the Certificate Authority certificate. You still need a -per SVM- SERVER certificate.

You can use ONTAP to generate a cert request then send the req to the CA. INstall the resulting server CERT into the SVM and then enable SSL using the SERVER CERT (not the Server-CA)

 

sanadmin_stadtdo
793 Views

Hello,
thank you very much for your message.

The error was when installing the certificate with -type server-ca - this was of course wrong. With type server it worked.

 

Thanks a lot.

Best regards

 

Michael

Public