How to renew an SSL certificate in clustered Data ONTAP

Perform the following steps:

  1. Check the current certificate status. Enter advanced privilege mode and list the certificates:
    cm2244a-cn::> set -privilege advanced
    cm2244a-cn::*> security certificate show
    Note: In clustered Data ONTAP 8.2 and 8.3, this command is available at the admin privilege level, and its output also includes the certificate serial number.

    Vserver    Common Name                      Authority        Protocol Service
    ---------- -------------------------------- ---------------- -------- -------
    cifs       cifs.cert                        Self-Signed      SSL      server
    Expiration Date: Sat Aug 23 07:18:31 2013
    cifs_vs    13.cert.1377240681               Self-Signed      SSL      server
    Expiration Date: Sat Aug 23 06:51:21 2013
    cm2244a-cn cm2244a-cn.cert                  Self-Signed      SSL      server
    Expiration Date: Wed Aug 27 08:37:29 2013
    cm2244n1-cn
    cm2244a-cn-01.cert               Self-Signed      SSL      server
    Expiration Date: Fri Jan 10 01:45:31 2013
    cm2244n2-cn
    cm2244n2-cn.cert                 Self-Signed      SSL      server
    Expiration Date: Thu Feb 27 14:16:49 2013

  2. Check which certificate is currently being used by SSL.
    cm2244a-cn::> security ssl show
    Vserver        Enabled SSL Certificate Name
    -------------- ------- -------------------------
    cifs              true    cifs.cert
    cifs_vs        true    13.cert.1377240681
    cm2244a-cn     true    cm2244a-cn.cert
    cm2244n1-cn    true    cm2244a-cn-01.cert
    cm2244n2-cn    true    cm2244n2-cn.cert
    ictest         true    ictest.cert
    tcs            true    tcs.cert
    vsSAN          true    vsSAN.cert
    vs_cifs        true    vs2.cert
    vs_iscsi       true    10.cert.1372948150
    vs_nfs         true    8.cert.1367222483
  3. To renew the certificate, delete the existing one and create a new certificate with a longer expiration period. Before deleting it, record the details of the existing certificate; you will need them to supply the same parameters when creating the new one.
  4. Suppose you want to renew the certificate cm2244a-cn.cert, which is used by the cluster, run:
    cm2244a-cn::*> security certificate show -instance -vserver cm2244a-cn -common-name cm2244a-cn.cert
                             Vserver: cm2244a-cn
          FQDN or Custom Common Name: cm2244a-cn.cert
 Size of Requested Certificate(bits): 2048
              Certificate Start Date: Tue Aug 27 08:37:29 2012
         Certificate Expiration Date: Wed Aug 27 08:37:29 2013
              Public Key Certificate: -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
            Country Name (2 letter code): US
      State or Province Name (full name):
               Locality Name (e.g. city):
        Organization Name (e.g. company):
        Organization Unit (e.g. section):
            Email Address (Contact Name):
                   Certificate Authority: Self-Signed
                                Protocol: SSL
                         Type of Service: server
                        Hashing Function: SHA256

  5. Delete the expired certificate
    Clustered Data ONTAP 8.1:
    cm2244a-cn::*> security certificate delete -vserver cm2244a-cn -common-name cm2244a-cn.cert

    Clustered Data ONTAP 8.2:
    cm6240c-cluster::> security certificate delete -common-name christoh-svm1.cert -ca christoh-svm1.cert -type server -vserver christoh-svm1 -serial 5514941E
    Warning: Deleting a server certificate will also delete the corresponding
    server-chain certificate, if one exists.
    Do you want to continue? {y|n}:

Important Note: As soon as you delete the certificate, the SSL service for that Vserver is disabled:

cm2244a-cn::*> ssl show

(security ssl show)
Vserver        Enabled SSL Certificate Name
-------------- ------- -------------------------
cifs           true    cifs.cert
cifs_vs        true    13.cert.1377240681
cm2244a-cn     false   -
cm2244n1-cn    true    cm2244a-cn-01.cert
cm2244n2-cn    true    cm2244n2-cn.cert
ictest         true    ictest.cert
tcs            true    tcs.cert
vsSAN          true    vsSAN.cert
vs_cifs        true    vs2.cert
vs_iscsi       true    10.cert.1372948150
vs_nfs         true    8.cert.1367222483

  6. Create a new certificate with a longer expiration period

    Clustered Data ONTAP 8.1:
    cm2244a-cn::*> security certificate create -vserver cm2244a-cn -common-name cm2244a-cn.cert -size 2048 -country US -state "" -locality "" -organization "" -unit "" -email-addr "" -expire-days 3650 -hash-function SHA256

    Clustered Data ONTAP 8.2:
    cm6240c-cluster::> security certificate create -vserver christoh-svm1 -common-name christoh-svm1.cert -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256

  7. Check the newly created certificate
    cm2244a-cn::*> security certificate show -instance -vserver cm2244a-cn -common-name cm2244a-cn.cert
                             Vserver: cm2244a-cn
          FQDN or Custom Common Name: cm2244a-cn.cert
 Size of Requested Certificate(bits): 2048
              Certificate Start Date: Mon Sep 02 21:10:05 2013
         Certificate Expiration Date: Thu Aug 31 21:10:05 2023
              Public Key Certificate: -----BEGIN CERTIFICATE-----
                                      -----END CERTIFICATE-----
        Country Name (2 letter code): US
 State or Province Name (full name):
           Locality Name (e.g. city):
    Organization Name (e.g. company):
    Organization Unit (e.g. section):
        Email Address (Contact Name):
               Certificate Authority: Self-Signed
                            Protocol: SSL
                     Type of Service: server
                    Hashing Function: SHA256
  8. Even after creating the certificate, SSL services remain disabled and you will not be able to access any services over HTTPS.
    Data ONTAP 8.1:
    cm2244a-cn::*> ssl show
 (security ssl show)
Vserver        Enabled SSL Certificate Name
-------------- ------- -------------------------
cifs           true    cifs.cert
cifs_vs        true    13.cert.1377240681
cm2244a-cn     false   -
cm2244n1-cn    true    cm2244a-cn-01.cert
cm2244n2-cn    true    cm2244n2-cn.cert
ictest         true    ictest.cert
tcs            true    tcs.cert
vsSAN          true    vsSAN.cert
vs_cifs        true    vs2.cert
vs_iscsi       true    10.cert.1372948150
vs_nfs         true    8.cert.1367222483

Data ONTAP 8.2:
cm6240c-cluster::> ssl show
(security ssl show)
Serial                              Server       Client
Vserver             Number     Common Name              Enabled      Enabled
---------           -------    -------------           ----------   ---------
SCVserver           5527B24F   SCVserver.cert           false        false
Certificate Authority: SCVserver.cert 

SRA                 552BA58D   SRA.cert                 true         false
Certificate Authority: SRA.cert

christoh-svm1       55348AB0   christoh-svm1            true         false
Certificate Authority: christoh-svm1

cm6240c-cluster     54F7D5D8   cm6240c-cluster.cert     true         false
Certificate Authority: cm6240c-rtp2-cluster.cert

cm6240c-cluster-01  54F7D5D7   cm6240c-cluster-01.cert  true         false
Certificate Authority: cm6240c-rtp2-cluster-01.cert

cm6240c-cluster-02  54F7D870   cm6240c-cluster-02.cert  true         false
Certificate Authority: cm6240c-rtp2-cluster-02.cert

  9. Enable SSL after creating the new certificate

    Data ONTAP 8.1:
    cm2244a-cn::*> ssl modify -vserver cm2244a-cn -enabled true -certificate cm2244a-cn.cert

    (security ssl modify)
    Warning: The certificate cm2244a-cn.cert is a self-signed certificate, which offers no verification of identity by client machines. This presents the risk of man-in-the-middle attacks by malicious third-parties.
    Do you want to continue? {y|n}: y

    Data ONTAP 8.2 and 8.3:

    cm6240c-cluster::> ssl modify -vserver christoh-svm1 -server-enabled true
    (security ssl modify)

    Note: If you are enabling SSL on a manually created certificate whose name differs from the Vserver name, the command must identify the certificate explicitly:

    security ssl modify -vserver <vserver_name> -server-enabled true -ca <certificate_authority> -client-enabled false -serial <serial_number> -common-name <common_name>

    For example:
    akv-cl1::*> security ssl modify -vserver test_cert -server-enabled true -ca test_cert -client-enabled false -serial 535371EBE64C3 -common-name test_cert

    Warning: The certificate christoh-svm1.cert is a self-signed certificate, which offers no verification of identity by client machines. This presents the risk of man-in-the-middle attacks by malicious third-parties.
    Do you want to continue? {y|n}: y

  10. Verify the SSL service
    cm2244a-cn::*> ssl show
 (security ssl show)
Vserver        Enabled SSL Certificate Name
-------------- ------- -------------------------
cifs           true    cifs.cert
cifs_vs        true    13.cert.1377240681
cm2244a-cn     true    cm2244a-cn.cert
cm2244n1-cn    true    cm2244a-cn-01.cert
cm2244n2-cn    true    cm2244n2-cn.cert
ictest         true    ictest.cert
tcs            true    tcs.cert
vsSAN          true    vsSAN.cert
vs_cifs        true    vs2.cert
vs_iscsi       true    10.cert.1372948150
vs_nfs         true    8.cert.1367222483

Clustered Data ONTAP 8.2 and 8.3:
cm6240c-cluster::> ssl show
(security ssl show)
Serial                                   Server     Client
Vserver                  Number     Common Name                   Enabled    Enabled
---------                ------     ---------------               --------   ---------
SCVserver                5527B24F   SCVserver.cert                true       false
Certificate Authority: SCVserver.cert 

SRA                      552BA58D   SRA.cert                      true       false
Certificate Authority: SRA.cert

christoh-svm1            55348AB0   christoh-svm1                 true       false
Certificate Authority: christoh-svm1

cm6240c-cluster          54F7D5D8   cm6240c-cluster.cert          true       false
Certificate Authority: cm6240c-rtp2-cluster.cert

cm6240c-cluster-01       54F7D5D7   cm6240c-cluster-01.cert       true       false
Certificate Authority: cm6240c-rtp2-cluster-01.cert

cm6240c-cluster-02       54F7D870   cm6240c-cluster-02.cert       true       false
Certificate Authority: cm6240c-rtp2-cluster-02.cert

The procedure is the same for other SSL certificates used by any Vserver.
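As an added example (not part of the original article), a small Python script that parses the 8.1-format output of `security certificate show` and `security ssl show` from steps 1 and 2, flags certificates that are expired or about to expire (the ones that need the renewal above), and lists Vservers whose SSL service is disabled (the state after step 5). The sample listings embedded in it are constructed from the output shown above.

```python
from datetime import datetime, timedelta
# Constructed sample output modelled on the 8.1-format listings in steps 1 and 2;
# a long Vserver name wraps onto a line of its own (as cm2244n1-cn does in step 1).
CERT_SHOW = """\
Vserver    Common Name                      Authority        Protocol Service
---------- -------------------------------- ---------------- -------- -------
cm2244a-cn cm2244a-cn.cert                  Self-Signed      SSL      server
Expiration Date: Wed Aug 27 08:37:29 2013
cm2244n1-cn
cm2244a-cn-01.cert               Self-Signed      SSL      server
Expiration Date: Fri Jan 10 01:45:31 2013
"""
SSL_SHOW = """\
Vserver        Enabled SSL Certificate Name
-------------- ------- -------------------------
cm2244a-cn     false   -
cm2244n1-cn    true    cm2244a-cn-01.cert
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Wed Aug 27 08:37:29 2013"
COLUMNS = ("vserver", "common_name", "authority", "protocol", "service")

def parse_cert_show(text):
    """One dict per certificate, keyed by COLUMNS plus 'expires' (a datetime)."""
    certs, pending_vserver, current = [], None, None
    for line in map(str.strip, text.splitlines()):
        fields = line.split()
        if not fields or line.startswith(("Vserver", "---")):
            continue                       # blank or header rows
        if line.startswith("Expiration Date:"):
            current["expires"] = datetime.strptime(line[16:].strip(), DATE_FMT)
            certs.append(current)
        elif len(fields) == 1:             # Vserver name wrapped onto its own line
            pending_vserver = fields[0]
        else:
            if len(fields) == 4:           # row continuing a wrapped Vserver name
                fields.insert(0, pending_vserver)
            current = dict(zip(COLUMNS, fields))
    return certs

def expiring_within(certs, days, now):
    # Already expired, or expiring within `days` of `now`: these need steps 3-10
    cutoff = now + timedelta(days=days)
    return [c for c in certs if c["expires"] <= cutoff]

def ssl_disabled(text):
    # Vservers showing Enabled=false in "security ssl show" (8.1 format), as after step 5
    rows = (line.split() for line in text.splitlines())
    return [r[0] for r in rows if len(r) == 3 and r[1] == "false"]
```

Feed it the real output of the two commands to get a renewal worklist before the certificates lapse and HTTPS management access is lost.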

Arco