ONTAP Discussions

SSL Cert installation Question

xsoldier
3,410 Views

Hi, 

   I'm working on setting up PKI for the cluster. I have successfully installed the certificate, but I don't see the proper cert on the browser. and when I ran "security ssl show" I don't see the certificate installed there. 

 

below is what I have done so far: 

1. Ran "security certificate generate-csr ......." to generate a cert request and a private key

2. I pasted the content of step 1 to create a servername.csr file. 

3. On my windows 10 laptop, I ran "certreq -submit -attrib [ ]" to get a CA signed certificate 

4. I ran "security certificate install -vserver [cluster name] -type client

              I got the successful message 

              The certificate shows in the "security certificate show" 

However, I don't see the cert in "security ssl show" nor on the web browser.

 

Any advice would be appreciated. thank you

5 REPLIES 5

TMACMD
3,395 Views

I do something like this:

set diag

security certificate show -type server -fields vserver,ca,common-name,serial,expiration -sort-by expiration

security certificate delete -type server -vserver xx -serial xx -ca xx -common-name xx

security ssl modify -vserver xx -serial zz -ca zz -common-name xx -server-enabled true

 

So, find your server certs. Delete the one(s) you no longer need. Assign the one you want to the vserver and enable server

xsoldier
3,391 Views

HI TMAC_CTG, 

   Am I supposed to see the certificate I just installed in "security ssl show" output ? I don't see the cert I just installed there. That's my main concern now. But the certificate in output of  "security certificate show" seems to be fine and exist.

 

   Not sure if I have done anything wrong in the steps I posted. 

 

thank you  

TMACMD
3,382 Views

After the certificate is installed (make sure it is installed to the correct vserver) you need to apply it to the ssl server, hence the ssl modify command

 

 it is best to remove all unwanted/unneeded server certificates in a svm to avoid confusion

 

xsoldier
3,377 Views

Thanks for the reply. 

 

If the certificate is for the cluster, NOT for vserver, will it actually be in the SSL? Someone just told me it wouldn't. So maybe I have been misunderstanding that. 

 

I however do see an expired cert that reflects in the browser. Would removing the expired cert cause inaccessible issue? I'm a bit hesitated to just remove the expired cert. May wanna consult further for the cert deletion.  

 

//it is best to remove all unwanted/unneeded server certificates in a svm to avoid confusion

Totally agreed. 

TMACMD
3,332 Views

The admin SVM *is* a vserver which *is* the cluster (SVM or vserver)

 

Once you delete the expired cert, yes, the browser will be inaccessible,

Deleting the expired cert will effectively flip the -server-enabled option to false.

 

So, like I said in my first post:

security ssl modify -vserver xx -serial zz -ca zz -common-name xx -server-enabled true

 

 

Public