ONTAP Discussions

Questions about the Certificate Truststore in ONTAP

Terry-xiao

Hi experts,

The following KB mentioned that "The Truststore Certificates are installed only on the admin SVM during an ONTAP install of 9.2, or during an upgrade to ONTAP 9.2."

It also mentioned that the Truststore Certificates are automatically updated as needed as part of every ONTAP release.

Could you please give information on what the action is if the Truststore Certificate expires?

Do we need to upgrade the ONTAP release to the new one to update the expired one to the latest Certificates?

================
What is the Certificate Truststore in ONTAP?
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_Certificate_Truststore_in_ONTAP 

Can we create the Truststore Certificate with a new expiration date?
No, the new certificate must be technically re-issued by the Certificate Authority, and then re-installed. But as mentioned above, the Truststore Certificates are automatically updated as needed as part of every ONTAP release.
================

Thanks and regards
wenhai

1 ACCEPTED SOLUTION

AlexDawson

> Could you please give information what is the action if the Truststore Certificate will expire?

Autosupport or other outbound connections to secure services such as SSL mail services may stop working.

> Do we need to upgrade the ontap release to the new one to update the expired one to the latest Certificates ?

Yes.

Hope this helps!

3 REPLIES

Terry-xiao

Hi, thanks very much for the update.

Regarding "upgrading the ONTAP release to the new one to update the expired one to the latest Truststore Certificate":

If the system is running ONTAP 9.8P5 and we update it to 9.8P12, will the expired one be updated by the ONTAP version upgrade? Do we need to update the current version to the latest one, 9.10.1, to update the certificate?

Also, can we perform this upgrade before any "Truststore Certificate" expires?

Thanks and regards
Terry

chamfer

Hi Wenhai,

Just building on what AlexDawson has provided...

There are multiple certificates in the Truststore and they are all root certificates; whichever service has a dependency on a root certificate would probably stop working when that certificate expires. You should not have a signed certificate (via CSR) from a root/signing CA with a validity that exceeds the root/signing CA expiration date.

AutoSupport uses the "AAACertificateServices" CA which should expire at the end of 2028. More detail is here https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_will_happen_when_my_Autosupport_Certificate_in_ONTAP_expires%3F