Community maintenance is complete. Thank you for your patience!

ONTAP Discussions

SSL Cert installation Question



   I'm working on setting up PKI for the cluster. I have successfully installed the certificate, but I don't see the proper cert on the browser. and when I ran "security ssl show" I don't see the certificate installed there. 


below is what I have done so far: 

1. Ran "security certificate generate-csr ......." to generate a cert request and a private key

2. I pasted the content of step 1 to create a servername.csr file. 

3. On my windows 10 laptop, I ran "certreq -submit -attrib [ ]" to get a CA signed certificate 

4. I ran "security certificate install -vserver [cluster name] -type client

              I got the successful message 

              The certificate shows in the "security certificate show" 

However, I don't see the cert in "security ssl show" nor on the web browser.


Any advice would be appreciated. thank you



I do something like this:

set diag

security certificate show -type server -fields vserver,ca,common-name,serial,expiration -sort-by expiration

security certificate delete -type server -vserver xx -serial xx -ca xx -common-name xx

security ssl modify -vserver xx -serial zz -ca zz -common-name xx -server-enabled true


So, find your server certs. Delete the one(s) you no longer need. Assign the one you want to the vserver and enable server



   Am I supposed to see the certificate I just installed in "security ssl show" output ? I don't see the cert I just installed there. That's my main concern now. But the certificate in output of  "security certificate show" seems to be fine and exist.


   Not sure if I have done anything wrong in the steps I posted. 


thank you  


After the certificate is installed (make sure it is installed to the correct vserver) you need to apply it to the ssl server, hence the ssl modify command


 it is best to remove all unwanted/unneeded server certificates in a svm to avoid confusion



Thanks for the reply. 


If the certificate is for the cluster, NOT for vserver, will it actually be in the SSL? Someone just told me it wouldn't. So maybe I have been misunderstanding that. 


I however do see an expired cert that reflects in the browser. Would removing the expired cert cause inaccessible issue? I'm a bit hesitated to just remove the expired cert. May wanna consult further for the cert deletion.  


//it is best to remove all unwanted/unneeded server certificates in a svm to avoid confusion

Totally agreed. 


The admin SVM *is* a vserver which *is* the cluster (SVM or vserver)


Once you delete the expired cert, yes, the browser will be inaccessible,

Deleting the expired cert will effectively flip the -server-enabled option to false.


So, like I said in my first post:

security ssl modify -vserver xx -serial zz -ca zz -common-name xx -server-enabled true



NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner