ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

SSL Cert installation Question

xsoldier
‎2020-08-26 03:10 AM
2,807 Views

Hi, 

   I'm working on setting up PKI for the cluster. I have successfully installed the certificate, but I don't see the proper cert on the browser. and when I ran "security ssl show" I don't see the certificate installed there. 

 

below is what I have done so far: 

1. Ran "security certificate generate-csr ......." to generate a cert request and a private key

2. I pasted the content of step 1 to create a servername.csr file. 

3. On my windows 10 laptop, I ran "certreq -submit -attrib [ ]" to get a CA signed certificate 

4. I ran "security certificate install -vserver [cluster name] -type client

              I got the successful message 

              The certificate shows in the "security certificate show" 

However, I don't see the cert in "security ssl show" nor on the web browser.

 

Any advice would be appreciated. thank you

0 Kudos
5 REPLIES 5

TMACMD
NetApp A-Team
‎2020-08-26 04:05 AM
2,792 Views

I do something like this:

set diag

security certificate show -type server -fields vserver,ca,common-name,serial,expiration -sort-by expiration

security certificate delete -type server -vserver xx -serial xx -ca xx -common-name xx

security ssl modify -vserver xx -serial zz -ca zz -common-name xx -server-enabled true

 

So, find your server certs. Delete the one(s) you no longer need. Assign the one you want to the vserver and enable server

0 Kudos

xsoldier
‎2020-08-26 04:15 AM
In response to TMACMD
2,788 Views

HI TMAC_CTG, 

   Am I supposed to see the certificate I just installed in "security ssl show" output ? I don't see the cert I just installed there. That's my main concern now. But the certificate in output of  "security certificate show" seems to be fine and exist.

 

   Not sure if I have done anything wrong in the steps I posted. 

 

thank you  

0 Kudos

TMACMD
NetApp A-Team
‎2020-08-26 04:53 AM
In response to xsoldier
2,779 Views

After the certificate is installed (make sure it is installed to the correct vserver) you need to apply it to the ssl server, hence the ssl modify command

 

 it is best to remove all unwanted/unneeded server certificates in a svm to avoid confusion

 

0 Kudos

xsoldier
‎2020-08-26 05:27 AM
In response to TMACMD
2,774 Views

Thanks for the reply. 

 

If the certificate is for the cluster, NOT for vserver, will it actually be in the SSL? Someone just told me it wouldn't. So maybe I have been misunderstanding that. 

 

I however do see an expired cert that reflects in the browser. Would removing the expired cert cause inaccessible issue? I'm a bit hesitated to just remove the expired cert. May wanna consult further for the cert deletion.  

 

//it is best to remove all unwanted/unneeded server certificates in a svm to avoid confusion

Totally agreed. 

0 Kudos

TMACMD
NetApp A-Team
‎2020-08-26 07:50 AM
In response to xsoldier
2,729 Views

The admin SVM *is* a vserver which *is* the cluster (SVM or vserver)

 

Once you delete the expired cert, yes, the browser will be inaccessible,

Deleting the expired cert will effectively flip the -server-enabled option to false.

 

So, like I said in my first post:

security ssl modify -vserver xx -serial zz -ca zz -common-name xx -server-enabled true

 

 

0 Kudos
All Community Forums
Public