ONTAP Discussions

ONTAP and Windows CA signed certificate - HOW-TO

52DevOps
4,794 Views

Creating a CSR and submitting it to the CA for a certificate is the easy part.

 

My question is as follows:

 

The Microsoft CA (internal) has multiple templates available, the templates serve various purposes such as client authentication, server authentication, code signing etc. (key usage, application policies). Which template should be used when submitting the certificate request to the CA? Also do we need multiple certificaes for a two-node cluster?

 

Is there any documentation about the requirements for SSL certs?

 

Thanks for your help in answering the question.

2 REPLIES 2

GidonMarcus
4,758 Views

Hi

 

i'll share a bit from my internal DOC... haven't tested it recently, and i think it can be a bit more optimised from the current steps, use on your own risk:

 

"Server Authentication Certificate" is the right Microsoft CA Template. Create it with exportable key, SHA1, 2048 bit or larger key size.

After it saved by the MS enrolment process. Export the cert witht the key from the personal store MMC, convert using openSSL for windows package or on Linux device with the following commands (Do NOT use public websites) :

 

openssl pkcs12 -in filename.pfx -nocerts -out Temp_Private_File.pem 
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out Public_Key_Cert.pem
openssl rsa -in Temp_Private_File.pem -out Private_Key_Cert.key

 

 

Export the chain as base 64, and open in notepad.

Set for the certs in cluster using the following command and follow the wizard, paste each certificate when prompted : 

security certificate install -type server

Show the Certs

security certificate show

Set the cert on the SVM or the Cluster SVM

ssl modify -vserver <vserver> -ca L<taken from above> -serial <taken from above>

To delete a certificate. First make sure it's not in use in “ssl show”, find the certificate s/n in “security certificate show”, now use the s/n to delete using the following:

 

security certificate delete -serial <cert serial> *

Good luck

Let me know if it worked please.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

52DevOps
4,706 Views

Thanks Gidon

 

Those steps did help in answering a nagging question about the template.

 

However, I did not use openssl for the conversion. Using certreq I was able to request the certificate in base64 and load it onto our filer.

 

Also used certutil -dump command to analyze the self-signed certificate which is compliant with ISIS-MTT version 1.1 and thus it kept showing "Certificate Signing, Off-line CRL Signing, CRL Signing" under key usage.

Public