NetApp Renew Expiring SVM Certificates
The following is a subset of the NetApp article How to renew an SSL certificate in clustered Data ONTAP. Refer to the full article if you want to see the complete procedure or how to perform it on an 8.1 Clustered ONTAP system.
By default, when you create a new SVM, the certificate is set to expire after 365 days. Perform the following to set an expiration of 10 years.
These steps are for ONTAP 8.2+ ONLY
- Check certificate status

```
cluster01::> security certificate show
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
vs01       53E2215843CA1   vs01                                   server
    Certificate Authority: vs01
          Expiration Date: Thu Oct 05 14:09:54 2017
vs02       53ED4B282A107   vs02                                   server
    Certificate Authority: vs02
          Expiration Date: Sat Oct 14 11:15:32 2017
vs03       539C0850694DE   vs03                                   server
    Certificate Authority: vs03
          Expiration Date: Thu Aug 10 20:05:12 2017
cluster01  51C2BDEB1A737   cluster01                              server
    Certificate Authority: cluster01
          Expiration Date: Sat Jul 30 09:33:49 2016
4 entries were displayed.
```
- Check which certificate is used by SSL

```
cluster01::> ssl show
  (security ssl show)
          Serial                                          Server  Client
Vserver   Number Common Name                              Enabled Enabled
--------- ------ --------------------------------------- ------- -------
vs01      53E2215843CA1 vs01                             true    false
    Certificate Authority: vs01
vs02      53ED4B282A107 vs02                             true    false
    Certificate Authority: vs02
vs03      539C0850694DE vs03                             true    false
    Certificate Authority: vs03
cluster01 51C2BDEB1A737 cluster01                        true    false
    Certificate Authority: cluster01
4 entries were displayed.
```
- Delete the expired certificate(s)
```
cluster01::> security certificate delete -vserver cluster01 -common-name cluster01 -ca cluster01 -type server -serial 51C2BDEB1A737

Warning: Deleting the server certificate disables the SSL server authentication as well as client authentication.
         To enable server authentication, run "security ssl modify -server-enabled true -vserver cluster01 -common-name <common name> -serial <serial number> -ca <CA>".
         To enable client authentication, run "security ssl modify -vserver cluster01 -client-enabled true".
         Use the "security ssl show -vserver cluster01 -instance" command to view the SSL configuration status for server and client authentication.

Warning: Deleting a server certificate will also delete the corresponding server-chain certificate, if one exists.
Do you want to continue? {y|n}: y
```
- Create a new certificate with a 10-year expiration

```
cluster01::> security certificate create -vserver cluster01 -common-name cluster01 -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256
```
- Check the certificate

```
cluster01::> security certificate show
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
vs01       53E2215843CA1   vs01                                   server
    Certificate Authority: vs01
          Expiration Date: Thu Oct 05 14:09:54 2017
vs02       53ED4B282A107   vs02                                   server
    Certificate Authority: vs02
          Expiration Date: Sat Oct 14 11:15:32 2017
vs03       539C0850694DE   vs03                                   server
    Certificate Authority: vs03
          Expiration Date: Thu Aug 10 20:05:12 2017
cluster01  054647513DA162  cluster01                              server
    Certificate Authority: cluster01
          Expiration Date: Fri Jan 15 04:56:43 2027
4 entries were displayed.
```
- Even after creating the certificate, SSL services remain disabled and you will not be able to access any services over HTTPS until the new certificate is bound to SSL

```
cluster01::> ssl show
  (security ssl show)
          Serial                                          Server  Client
Vserver   Number Common Name                              Enabled Enabled
--------- ------ --------------------------------------- ------- -------
vs01      53E2215843CA1 vs01                             true    false
    Certificate Authority: vs01
vs02      53ED4B282A107 vs02                             true    false
    Certificate Authority: vs02
vs03      539C0850694DE vs03                             true    false
    Certificate Authority: vs03
cluster01 -             -                                false   false
    Certificate Authority: -
4 entries were displayed.
```
- Enable SSL, since it is disabled after the delete/create

```
cluster01::> ssl modify -vserver cluster01 -server-enabled true -client-enabled false -common-name cluster01 -ca cluster01 -serial 054647513DA162
  (security ssl modify)

Warning: The certificate cluster01 is a self-signed certificate, which offers no verification of identity by client machines.
         This presents the risk of man-in-the-middle attacks by malicious third-parties.
Do you want to continue? {y|n}: y
```
- Verify SSL

```
cluster01::> ssl show
  (security ssl show)
          Serial                                          Server  Client
Vserver   Number Common Name                              Enabled Enabled
--------- ------ --------------------------------------- ------- -------
vs01      53E2215843CA1 vs01                             true    false
    Certificate Authority: vs01
vs02      53ED4B282A107 vs02                             true    false
    Certificate Authority: vs02
vs03      539C0850694DE vs03                             true    false
    Certificate Authority: vs03
cluster01 054647513DA162 cluster01                       true    false
    Certificate Authority: cluster01
4 entries were displayed.
```
Repeat these steps for all expired SVM certificates in the cluster.
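As an added example (not part of the NetApp article), the following Python script parses the `security certificate show` listing from the first step and reports which certificates are already expired or will expire within a chosen window, so an SVM certificate can be renewed before HTTPS access to it breaks. The sample listing is constructed from the values shown above; `REFERENCE_NOW` and the 90-day window are assumed values, not anything the article specifies.

```python
# Added example (not the article's code): flag expired or soon-expiring certs in 'security certificate show' output.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Constructed from the article's first listing (vs02 omitted for brevity).
SAMPLE_OUTPUT = """\
cluster01::> security certificate show
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
vs01       53E2215843CA1   vs01                                   server
    Certificate Authority: vs01
          Expiration Date: Thu Oct 05 14:09:54 2017
vs03       539C0850694DE   vs03                                   server
    Certificate Authority: vs03
          Expiration Date: Thu Aug 10 20:05:12 2017
cluster01  51C2BDEB1A737   cluster01                              server
    Certificate Authority: cluster01
          Expiration Date: Sat Jul 30 09:33:49 2016
3 entries were displayed.
"""
REFERENCE_NOW = datetime(2016, 6, 1)  # constructed "today" for the stand-alone run
# Entry rows: four columns ending in an ONTAP cert type; prompt, header, rule and footer never match.
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(?:server|client|root-ca|server-ca|client-ca)\s*$")

@dataclass
class Cert:
    vserver: str
    serial: str
    common_name: str
    ca: str = ""
    expires: Optional[datetime] = None

def parse_certificate_show(text: str) -> list:
    """Build Cert records from entry rows plus their indented detail lines."""
    certs = []
    for line in text.splitlines():
        detail = line.strip()
        if detail.startswith("Certificate Authority:") and certs:
            certs[-1].ca = detail.split(":", 1)[1].strip()
        elif detail.startswith("Expiration Date:") and certs:
            certs[-1].expires = datetime.strptime(detail.split(":", 1)[1].strip(), "%a %b %d %H:%M:%S %Y")
        elif (m := ENTRY_RE.match(line)):
            certs.append(Cert(*m.groups()))
    return certs

def expiring_within(certs: list, now: datetime, days: int = 90) -> list:
    """Certs expired or expiring within `days` of `now`, soonest first (90-day window is an assumed threshold)."""
    deadline = now + timedelta(days=days)
    return sorted((c for c in certs if c.expires and c.expires <= deadline), key=lambda c: c.expires)
```

Run against a saved `security certificate show` listing; with `REFERENCE_NOW` only cluster01 is reported, matching the expired entry the article renews.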