NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

ONTAP Discussions

Updating from SHA-1 to SHA-256 SSL certificates

SMLocke
4,145 Views

A recent security vulnerability scan showed that a number of my vServers are running SHA-1 hashed SSL keys, and our security folks are working to remediate this by offering SHA-256 hashed keys instead. After generating CSRs and running the certificate requests through our key-generating robot, I now have several of these Base-64 encoded .CER keys on a windows machine, and I'd like to get them installed on the filers (running CDOT 8.2.3). What's the best way to do this?

 

A couple of notes: I've read this article about renewing SSL certificates, but it's not quite what I'm looking for. That article assumes your certificates have expired, and that's not what I'm running into here. Whole new keys need to be installed for the vservers that have been flagged. If I knew how to extract the text the filer was expecting (i.e., text that starts BEGIN CERTIFICATE and ends END CERTIFICATE) from the FOO.CER file, I'd be happy to do that.

 

Thanks!

1 REPLY 1

SMLocke
4,139 Views

Welp, I've sorta answered my own question. Opening the CER files with notepad will get you text that starts BEGIN CERTIFICATE and ends END CERTIFICATE, which is what the filer wants.

 

But a more important question: In order to install this new cert, I need to delete the old one. Deleting the old certificate will disable SSL for that vserver. After installing the new cert, I will have to re-enable SSL for that vserver. Will this action disrupt access to storage, however briefly? Or is this something I can do without regard to data being accessed by hosts?

Public