ONTAP Discussions

Updating from SHA-1 to SHA-256 SSL certificates


A recent security vulnerability scan showed that a number of my vServers are running SHA-1 hashed SSL keys, and our security folks are working to remediate this by offering SHA-256 hashed keys instead. After generating CSRs and running the certificate requests through our key-generating robot, I now have several of these Base-64 encoded .CER keys on a Windows machine, and I'd like to get them installed on the filers (running CDOT 8.2.3). What's the best way to do this?


A couple of notes: I've read this article about renewing SSL certificates, but it's not quite what I'm looking for. That article assumes your certificates have expired, and that's not what I'm running into here. Whole new keys need to be installed for the vservers that have been flagged. If I knew how to extract the text the filer was expecting (i.e., text that starts BEGIN CERTIFICATE and ends END CERTIFICATE) from the FOO.CER file, I'd be happy to do that.





Welp, I've sorta answered my own question. Opening the CER files with notepad will get you text that starts BEGIN CERTIFICATE and ends END CERTIFICATE, which is what the filer wants.


But a more important question: In order to install this new cert, I need to delete the old one. Deleting the old certificate will disable SSL for that vserver. After installing the new cert, I will have to re-enable SSL for that vserver. Will this action disrupt access to storage, however briefly? Or is this something I can do without regard to data being accessed by hosts?
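Added example, not part of the original posts: a standard-library Python check that pulls the BEGIN CERTIFICATE / END CERTIFICATE block out of a .CER file (Base-64 or binary DER) and reports the signature algorithm, so a SHA-1 certificate is caught before it is pasted into the filer. The function names and the `skeleton` sample bytes are constructed for illustration; only the two RSA OIDs are named, anything else is returned as a dotted OID.

```python
import base64, re, textwrap

SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",   # RSA OIDs only
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_der(data: bytes) -> bytes:
    """Accept .CER content in Base-64 (PEM) or binary DER form; return DER."""
    m = PEM_RE.search(data.decode("latin-1"))
    return base64.b64decode(m.group(1)) if m else data

def to_pem(data: bytes) -> str:
    """Return only the BEGIN/END CERTIFICATE block, wrapped at 64 columns."""
    body = "\n".join(textwrap.wrap(base64.b64encode(load_der(data)).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)      # base-128, high bit = more bytes follow
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(data: bytes) -> str:
    der = load_der(data)
    _, cert_start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)       # AlgorithmIdentifier SEQUENCE
    _, oid_start, oid_end = read_tlv(der, alg_start)
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def skeleton(last_oid_byte: int) -> bytes:  # constructed outline, not a real cert
    return (bytes.fromhex("30183003020101300d06092a864886f70d0101")
            + bytes([last_oid_byte]) + bytes.fromhex("050003020000"))

if __name__ == "__main__":
    for name, der in (("old", skeleton(0x05)), ("new", skeleton(0x0B))):
        print(name, signature_algorithm(to_pem(der).encode()))
```

For a real file, pass `open("FOO.CER", "rb").read()` to `signature_algorithm` and `to_pem`.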