ONTAP Discussions
Hi,
I'm working on setting up PKI for the cluster. I have successfully installed the certificate, but I don't see the proper cert in the browser, and when I ran "security ssl show" I don't see the certificate installed there.
Below is what I have done so far:
1. Ran "security certificate generate-csr ......." to generate a cert request and a private key
2. I pasted the content of step 1 to create a servername.csr file.
3. On my Windows 10 laptop, I ran "certreq -submit -attrib [ ]" to get a CA-signed certificate
4. I ran "security certificate install -vserver [cluster name] -type client"
I got the successful message
The certificate shows in the "security certificate show"
However, I don't see the cert in "security ssl show" nor on the web browser.
Any advice would be appreciated. Thank you.
I do something like this:
set diag
security certificate show -type server -fields vserver,ca,common-name,serial,expiration -sort-by expiration
security certificate delete -type server -vserver xx -serial xx -ca xx -common-name xx
security ssl modify -vserver xx -serial zz -ca zz -common-name xx -server-enabled true
So, find your server certs. Delete the one(s) you no longer need. Assign the one you want to the vserver and enable server.
Hi TMAC_CTG,
Am I supposed to see the certificate I just installed in the "security ssl show" output? I don't see the cert I just installed there. That's my main concern now. But the certificate in the output of "security certificate show" seems to be fine and exists.
Not sure if I have done anything wrong in the steps I posted.
Thank you.
After the certificate is installed (make sure it is installed to the correct vserver), you need to apply it to the SSL server, hence the ssl modify command.
It is best to remove all unwanted/unneeded server certificates in an SVM to avoid confusion.
Thanks for the reply.
If the certificate is for the cluster, NOT for vserver, will it actually be in the SSL? Someone just told me it wouldn't. So maybe I have been misunderstanding that.
I do, however, see an expired cert that is reflected in the browser. Would removing the expired cert cause an accessibility issue? I'm a bit hesitant to just remove the expired cert. May wanna consult further for the cert deletion.
//it is best to remove all unwanted/unneeded server certificates in a svm to avoid confusion
Totally agreed.
The admin SVM *is* a vserver which *is* the cluster (SVM or vserver).
Once you delete the expired cert, yes, the browser will be inaccessible.
Deleting the expired cert will effectively flip the -server-enabled option to false.
So, like I said in my first post:
security ssl modify -vserver xx -serial zz -ca zz -common-name xx -server-enabled true
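A workstation-side check for the symptom discussed in this thread (the browser still shows the old certificate), added here as an example and not posted by anyone in the thread: it compares the serial of the certificate the management interface actually serves with the serial you passed to `security ssl modify`. The function names, the host name and port 443 are assumptions, and OpenSSL must be available on the workstation.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.
# Assumes OpenSSL on the admin workstation and HTTPS on port 443.

# Reduce a serial to bare uppercase hex so "serial=1A2B", "00:1a:2b" and
# "1A2B" all compare equal.
normalize_serial() {
    printf '%s' "$1" | tr -d ': \n' | sed 's/^serial=//' \
        | tr '[:lower:]' '[:upper:]' | sed 's/^0*//'
}

# Serial of a PEM certificate file.
pem_serial() {
    normalize_serial "$(openssl x509 -in "$1" -noout -serial)"
}

# Succeeds (exit 0) when the certificate in the PEM file has already expired.
pem_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Save the leaf certificate that host $1 presents on port 443 into file $2.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$2"
}

# Compare expected serial $1 with the certificate in PEM file $2.
# Returns 0 = match and valid, 1 = different cert served, 2 = match but expired.
check_served() {
    local want got
    want=$(normalize_serial "$1")
    got=$(pem_serial "$2")
    if [ "$got" != "$want" ]; then
        echo "MISMATCH: served serial $got, expected $want"; return 1
    fi
    if pem_expired "$2"; then
        echo "EXPIRED: serial $got is being served but has expired"; return 2
    fi
    echo "OK: serial $got is being served"
}

# Usage (cluster-mgmt.example.com and the serial are placeholders):
#   fetch_served_cert cluster-mgmt.example.com /tmp/served.pem
#   check_served 1A2B3C /tmp/served.pem
```

A MISMATCH result means the SSL server is still bound to a different certificate than the one you installed.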