ONTAP Discussions

Trusted Certificate Authorities - admin - Expired

MooreCE

In ONTAP 9.13.1, in the Trusted Certificate Authorities, one of them is named "admin." I vaguely understand this to be a built-in cert, but it's expired. The scope is at the cluster level, so I'm wondering what the implications are. Just doing a CSR for a CA-signed cert titled "admin" doesn't seem like best practice; but I was also led to believe that this principle may be tied to some critical components of the NetApp. That may be a misnomer given that the name is "admin" which is also the name of the local account. I could use some clarity on this; I'm a bit new to engineering NetApp.

NOTE: Our NetApp is part of an air-gapped network.

1 ACCEPTED SOLUTION

chamfer

@MooreCE,

From testing, the Trusted Certificate Authority "admin" that has the Scope of "Cluster" and Type "Client CA" is created when an ONTAP cluster is connected to NetApp ActiveIQ Unified Manager.

If you do delete it, then you just need to go through a reissue of the certificate from Unified Manager to connect to the NetApp ONTAP array; otherwise the ONTAP array will show as not connected in Unified Manager.

This is all within an air-gapped network also.

ThorstenP

I got exactly the same problem, but I don't know how to re-issue the AIQUM certificate.

Besides, the AIQUM dashboard comes up with "Cluster discovery failed. Rediscover the cluster after resolving the issue" when started, but anyway the cluster is listed under Settings/Storage Management/Cluster Setup.

Rebooting AIQUM and rediscovering the cluster didn't have any effect.

I also tried the workaround described here:

https://kb.netapp.com/data-mgmt/AIQUM/AIQUM-Issues/CAIQUM-5308

No luck either so I did a rollback.

Getting out of ideas, I'm about to delete the AIQUM VM and reinstall it from scratch, but that might be a waste of time in case the cause of the problem lies somewhere else.

Two event log entries attached. The second one refers to an expired certificate of type server-ca, CA localhost, probably issued by NetApp which I'm also unable to renew. But that might be a completely different story. Or else we've got a general problem here.


We're running AIQUM 9.16 and a 2-node cluster with ONTAP 9.13.1P6

If your mutual TLS certificate with AIQUM has expired, perform the following steps:

  1. In the AIQUM left navigation pane, click Storage Management > Cluster Setup.

  2. On the Cluster Setup page, select the cluster you want to edit, and then click Edit.

  3. In the Edit Cluster dialog box, modify the values as required.
    If you have modified the details for a cluster added to Unified Manager, you can view the certificate details for Mutual TLS communication, based on the ONTAP version. For more information about the ONTAP version, see Certificates for Mutual TLS communication.
    You can view the certificate details by clicking Certificate Details. If the certificate is expired, click the Regenerate button to incorporate the new certificate.

  4. Click Submit.

  5. In the Authorize Host dialog box, click View Certificate to view the certificate information about the cluster.

  6. Click Yes.
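As an added example, not from the thread or from NetApp, the script below checks trusted-CA records for expiry and reports which integration each one gates (the AIQUM mutual-TLS client CA versus a server CA like the "localhost" one mentioned above). The record shape, the field names `type`, `scope` and `expiry_time`, and the `/api/security/certificates` endpoint are assumptions about the ONTAP REST API, and the sample records are constructed, not output from the posters' clusters.

```python
"""Flag expired or soon-expiring trusted CAs from ONTAP certificate records."""
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real cluster output), shaped like the assumed
# JSON of GET /api/security/certificates?fields=name,type,scope,expiry_time.
# They mirror the thread: the AIQUM-created "admin" client CA and a "localhost"
# server CA, both expired, plus one still-valid SVM-scoped CA.
SAMPLE_RECORDS = [
    {"name": "admin", "type": "client_ca", "scope": "cluster",
     "expiry_time": "2024-01-15T10:00:00+00:00"},
    {"name": "localhost", "type": "server_ca", "scope": "cluster",
     "expiry_time": "2024-03-01T00:00:00+00:00"},
    {"name": "svm1_ca", "type": "client_ca", "scope": "svm",
     "expiry_time": "2030-01-01T00:00:00+00:00"},
]

# What each trusted-CA type gates, so the report says what breaks on expiry.
CA_ROLE = {
    "client_ca": "client CA: mutual TLS from AIQUM, regenerate via Cluster Setup",
    "server_ca": "server CA: trust anchor for TLS connections ONTAP makes outbound",
}


def parse_expiry(value):
    """Parse an ISO-8601 timestamp (with 'Z' or offset) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_expiring_cas(records, now, warn_days=30):
    """Return trusted-CA records already expired or expiring within warn_days,
    soonest first; days_left is negative once the CA has expired."""
    findings = []
    for rec in records:
        if rec.get("type") not in CA_ROLE:
            continue  # skip end-entity (server/client) certs, report only CAs
        days_left = (parse_expiry(rec["expiry_time"]) - now) / timedelta(days=1)
        if days_left > warn_days:
            continue
        findings.append({
            "name": rec["name"], "scope": rec["scope"], "type": rec["type"],
            "role": CA_ROLE[rec["type"]], "days_left": int(days_left),
            "status": "expired" if days_left < 0 else "expiring",
        })
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for f in find_expiring_cas(SAMPLE_RECORDS, datetime.now(timezone.utc)):
        print(f"{f['status']:8} {f['scope']:7} {f['name']:10} {f['days_left']:>6}d  {f['role']}")
```

Against a live cluster you would feed `find_expiring_cas` the `records` array from the REST response instead of `SAMPLE_RECORDS`; a cluster-scoped `client_ca` in the output is the case this thread describes.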
