
NetApp Renew Expiring SVM Certificates


The following is a subset of the NetApp article How to renew an SSL certificate in clustered Data ONTAP. Refer to the full article for the complete procedure and for the steps on Clustered ONTAP 8.1 systems.

By default, the self-signed server certificate created with a new SVM expires after 365 days. The steps below replace an expired (or expiring) certificate with one that is valid for 10 years (3650 days). Note that the replacement is still self-signed, so clients cannot verify the cluster's identity (ONTAP warns about this in step 6), and a ten-year lifetime means a compromised key remains trusted for a long time unless you rotate it. If clients need to verify the cluster's identity, install a CA-signed certificate instead of a self-signed one.

These steps are for ONTAP 8.2+ ONLY

  1. Check the certificate status
    cluster01::> security certificate show
    Vserver    Serial Number   Common Name                            Type
    ---------- --------------- -------------------------------------- ------------
    vs01       53E2215843CA1   vs01                                   server
        Certificate Authority: vs01
              Expiration Date: Thu Oct 05 14:09:54 2017
    
    vs02       53ED4B282A107   vs02                                   server
        Certificate Authority: vs02
              Expiration Date: Sat Oct 14 11:15:32 2017
    
    vs03       539C0850694DE   vs03                                   server
        Certificate Authority: vs03
              Expiration Date: Thu Aug 10 20:05:12 2017
    
    cluster01  51C2BDEB1A737   cluster01                              server
        Certificate Authority: cluster01
              Expiration Date: Sat Jul 30 09:33:49 2016
    
    4 entries were displayed.
  2. Check which certificate each SVM's SSL server is using
    cluster01::> ssl show
      (security ssl show)
              Serial                                         Server  Client
    Vserver   Number Common Name                             Enabled Enabled
    --------- ------ --------------------------------------- ------- -------
    vs01      53E2215843CA1 vs01                             true    false
     Certificate Authority: vs01
    
    vs02      53ED4B282A107 vs02                             true    false
     Certificate Authority: vs02
    
    vs03      539C0850694DE vs03                             true    false
     Certificate Authority: vs03
    
    cluster01 51C2BDEB1A737 cluster01                        true    false
     Certificate Authority: cluster01
    
    4 entries were displayed.
    
  3. Delete the expired certificate(s)
    cluster01::> security certificate delete -vserver cluster01 -common-name cluster01 -ca cluster01 -type server -serial 51C2BDEB1A737 
    
    Warning: Deleting the server certificate disables the SSL server authentication as well as client authentication. To enable server authentication,
             run "security ssl modify -server-enabled true -vserver cluster01 -common-name <common name> -serial <serial number> -ca <CA>". To enable
             client authentication, run "security ssl modify -vserver cluster01 -client-enabled true". Use the "security ssl show -vserver cluster01
             -instance" command to view the SSL configuration status for server and client authentication.
    
    Warning: Deleting a server certificate will also delete the corresponding server-chain certificate, if one exists.
    Do you want to continue? {y|n}: y
    
  4. Create a new certificate with a 10-year (3650-day) expiration
    cluster01::> security certificate create -vserver cluster01 -common-name cluster01 -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256 
    
  5. Verify the new certificate and note its serial number
    cluster01::> security certificate show
    Vserver    Serial Number   Common Name                            Type
    ---------- --------------- -------------------------------------- ------------
    vs01       53E2215843CA1   vs01                                   server
        Certificate Authority: vs01
              Expiration Date: Thu Oct 05 14:09:54 2017
    
    vs02       53ED4B282A107   vs02                                   server
        Certificate Authority: vs02
              Expiration Date: Sat Oct 14 11:15:32 2017
    
    vs03       539C0850694DE   vs03                                   server
        Certificate Authority: vs03
              Expiration Date: Thu Aug 10 20:05:12 2017
    
    cluster01  054647513DA162  cluster01                              server
        Certificate Authority: cluster01
              Expiration Date: Fri Jan 15 04:56:43 2027
    
    4 entries were displayed.   
    • Even after the new certificate is created, SSL remains disabled for cluster01 (see the Server Enabled column below), so HTTPS access to the cluster management interface fails until SSL is re-enabled in step 6
      cluster01::> ssl show 
        (security ssl show)
                Serial                                         Server  Client
      Vserver   Number Common Name                             Enabled Enabled
      --------- ------ --------------------------------------- ------- -------
      vs01      53E2215843CA1 vs01                             true    false
       Certificate Authority: vs01
      
      vs02      53ED4B282A107 vs02                             true    false
       Certificate Authority: vs02
      
      vs03      539C0850694DE vs03                             true    false
       Certificate Authority: vs03
      
      cluster01 -      -                                       false   false
       Certificate Authority: -
      
      4 entries were displayed.
  6. Enable SSL using the new certificate's serial number (SSL is disabled by the delete/create)
    cluster01::> ssl modify -vserver cluster01 -server-enabled true -client-enabled false -common-name cluster01 -ca cluster01 -serial 054647513DA162 
      (security ssl modify)
    
    Warning: The certificate cluster01 is a self-signed certificate, which offers no verification of identity by client machines.  This presents the
             risk of man-in-the-middle attacks by malicious third-parties.
    Do you want to continue? {y|n}: y
  7. Verify SSL
    cluster01::> ssl show 
      (security ssl show)
              Serial                                         Server  Client
    Vserver   Number Common Name                             Enabled Enabled
    --------- ------ --------------------------------------- ------- -------
    vs01      53E2215843CA1 vs01                             true    false
     Certificate Authority: vs01
    
    vs02      53ED4B282A107 vs02                             true    false
     Certificate Authority: vs02
    
    vs03      539C0850694DE vs03                             true    false
     Certificate Authority: vs03
    
    cluster01 054647513DA162 cluster01                       true    false
     Certificate Authority: cluster01
    
    4 entries were displayed.

Repeat these steps for all expired SVM certificates in the cluster.
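On a cluster with many SVMs it is easier to find the expiring certificates programmatically than to read the table by hand. The following Python script is an added example and is not part of the NetApp article: it parses the text of `security certificate show` (the article's own output, pasted in as constructed sample input), flags server certificates that have expired or will expire within a chosen number of days, and emits the delete/create/ssl modify commands from steps 3, 4 and 6 for each one. The `<NEW_SERIAL>` placeholder and the 90-day threshold are assumptions made for the example; the new serial is only known after `security certificate create` runs, so step 6 cannot be generated in advance.

```python
"""Added example (not from the NetApp article): find expiring SVM server
certificates in `security certificate show` output and print the ONTAP 8.2+
renewal commands for each one."""
from datetime import datetime, timedelta

# Constructed sample input: the article's own `security certificate show`
# output, as it would be captured from an SSH session to the cluster.
SAMPLE_OUTPUT = """\
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
vs01       53E2215843CA1   vs01                                   server
    Certificate Authority: vs01
          Expiration Date: Thu Oct 05 14:09:54 2017

vs02       53ED4B282A107   vs02                                   server
    Certificate Authority: vs02
          Expiration Date: Sat Oct 14 11:15:32 2017

vs03       539C0850694DE   vs03                                   server
    Certificate Authority: vs03
          Expiration Date: Thu Aug 10 20:05:12 2017

cluster01  51C2BDEB1A737   cluster01                              server
    Certificate Authority: cluster01
          Expiration Date: Sat Jul 30 09:33:49 2016

4 entries were displayed.
"""

# ONTAP prints expiry as e.g. "Sat Jul 30 09:33:49 2016" in the cluster's
# local time; timestamps are kept naive and compared against a naive `now`.
DATE_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_certificate_show(text):
    """Turn the tabular output into a list of dicts, one per certificate."""
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Vserver", "---")) or "entries were displayed" in line:
            continue
        if line.startswith("Certificate Authority:"):
            current["ca"] = line.split(":", 1)[1].strip()
        elif line.startswith("Expiration Date:"):
            # split on the first colon only; the timestamp itself contains colons
            stamp = line.split(":", 1)[1].strip()
            current["expires"] = datetime.strptime(stamp, DATE_FORMAT)
        else:
            vserver, serial, common_name, cert_type = line.split()
            current = {"vserver": vserver, "serial": serial,
                       "common_name": common_name, "type": cert_type}
            certs.append(current)
    return certs


def expiring_certs(certs, now, within_days=30, cert_type="server"):
    """Return certs of `cert_type` that have expired or expire within `within_days` of `now`."""
    horizon = now + timedelta(days=within_days)
    return [c for c in certs if c["type"] == cert_type and c["expires"] <= horizon]


def renewal_commands(cert, expire_days=3650, key_size=2048, country="US"):
    """Build the commands from steps 3, 4 and 6 of the procedure for one certificate.

    The `security ssl modify` command needs the serial of the *new* certificate,
    which only exists after `security certificate create` has run, so it is
    emitted with a <NEW_SERIAL> placeholder (an assumption of this example).
    For a self-signed certificate the CA name equals the common name.
    """
    vs, cn = cert["vserver"], cert["common_name"]
    delete = (f"security certificate delete -vserver {vs} -common-name {cn} "
              f"-ca {cert['ca']} -type {cert['type']} -serial {cert['serial']}")
    create = (f"security certificate create -vserver {vs} -common-name {cn} "
              f"-size {key_size} -type {cert['type']} -country {country} "
              f"-expire-days {expire_days} -hash-function SHA256")
    enable = (f"security ssl modify -vserver {vs} -server-enabled true "
              f"-client-enabled false -common-name {cn} -ca {cn} -serial <NEW_SERIAL>")
    return [delete, create, enable]


if __name__ == "__main__":
    certs = parse_certificate_show(SAMPLE_OUTPUT)
    # Constructed reference date for the demo; use datetime.now() against live output.
    now = datetime(2016, 8, 1, 0, 0, 0)
    for cert in expiring_certs(certs, now, within_days=90):
        print(f"# {cert['vserver']}: expires {cert['expires']:%Y-%m-%d}, renew with:")
        for cmd in renewal_commands(cert):
            print("  " + cmd)
```

After step 7, also confirm from a client that the cluster actually serves the new certificate, for example with `openssl s_client -connect cluster01:443 </dev/null 2>/dev/null | openssl x509 -noout -dates -serial`; the serial and notAfter printed should match the new entry in `security certificate show`.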
