Hey Josef,
not sure if there's a cert package you can install using this command, but the basic security certificate install works with standard PEM encoded data, f.ex. here's the command I used to install the new DigiCert CA on our filers with older Ontap releases where DigiCert was not included in Ontap already.
Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
You should keep a copy of the CA-signed digital certificate for future reference.
As always, running on a recent Ontap version usually fixes these kind of problems, since the root certificates also get updated along with newer Ontap releases.
Best,
Alexander Griesser
Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
E-Mail: AGriesser@anexia-it.com
Web:
http://www.anexia-it.com Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
Geschäftsführer: Alexander Windbichler
Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601
-----Ursprüngliche Nachricht-----
Von: toasters-bounces@teaparty.net <toasters-bounces@teaparty.net> Im Auftrag von cheese@nosuchhost.net
Gesendet: Freitag, 14. Juni 2019 07:45
An: Douglas Siggins <siggins@gmail.com>
Cc: Toasters <toasters@teaparty.net>
Betreff: Re: server-ca certs expiring
you sir are my hero!
"install" instead of "create" should be the correct way to handle that situation. now i only need to get the currently valid cert-package from netapp.
thanks
josef
On Thu, 13 Jun 2019, Douglas Siggins wrote:
> Does this not answer your question?
> security certificate install Data ONTAP 9.1 security certificate
> install
>
> NAME
> security certificate install -- Install a Digital Certificate
>
> AVAILABILITY
> This command is available to cluster and Vserver administrators at the admin privilege level.
>
> DESCRIPTION
> The security certificate install command installs digital
> security certificates signed by a certificate authority (CA) and the
> public key certificate of the root CA. Digital security certifi-
> cates also include the intermediate certificates to construct the
> chain for server certificates (the server type), client-side root CA
> certificates (the client-ca type), or server-side root CA
> certificates (the server-ca type). with FIPS enabled, the following restrictions apply to the certificate getting installed. server/client/server-ca/client-ca: Key size >= 2048,server/client:
> Hash function (No MD-5, No SHA-1),server-ca/client-ca:
> (Intermediate CA), Hash Function (No MD-5, No SHA-1),
> server-ca/client-ca: (Root CA), Hash Function (No MD-5)
>
>
>
>
> On Thu, Jun 13, 2019 at 1:05 PM tmac <tmacmd@gmail.com> wrote:
> Just for kicks, I looked at ONTAP 9.5 & 9.6.The same certs exist there also!
>
> Maybe open a case with netapp to update or remove the certs in ONTAP itself?
>
> --tmac
> Tim McCarthy, Principal Consultant
>
> Proud Member of the #NetAppATeam
>
>
>
>
> On Thu, Jun 13, 2019 at 5:17 AM <cheese@nosuchhost.net> wrote:
> Thanks for answering
> your steps would work for self signed certificates, but whose expiring
> in my case are the ca's from other organisations, installed from netapp.
>
> currently i have 3 of the expiring in the near future:
> L1Q::> security certificate show -type server-ca -expiration <"Thu Jul 11 01:59:00 2019"
> Vserver Serial Number Common Name Type
> ---------- --------------- -------------------------------------- ------------
> L1Q 85BD4BF3D8DAE369F694D75FC3A54423
> Class2PrimaryCA server-ca
> Certificate Authority: Class 2 Primary CA
> Expiration Date: Sun Jul 07 01:59:59 2019
>
> L1Q 26 DeutscheTelekomRootCA2 server-ca
> Certificate Authority: Deutsche Telekom Root CA 2
> Expiration Date: Wed Jul 10 01:59:00 2019
>
> L1Q 44BE0C8B500024B411D3362AFE650AFD
> UTN-USERFirst-Hardware server-ca
> Certificate Authority: UTN-USERFirst-Hardware
> Expiration Date: Tue Jul 09 20:19:22 2019
>
> 3 entries were displayed.
>
>
> as far as i see those certs are used when my netapp tries to connect
> itself to ssl-enabled services with certs signed from that CAs. may i
> should only delete them to get rid of that messages in my eventlog.
>
> yours
> josef (no charles heese here, sorry :))
>
>
> On Wed, 12 Jun 2019, Douglas Siggins wrote:
>
> > Pretty sure we do something like this:
> > 1. security ssl show
> > 2. security certificate show -vserver vserver_name -common-name common_name -instance
> > 3. security certificate delete -vserver vserver_name -common-name common_name -ca common_name -type server -serial serial_number
> > 4. security certificate create -vserver vserver_name -type server -size 2048 -expire-days (days here) -common-name common_name -hash-function SHA256 -country US -protocol SSL
> > 5. security ssl show
> > 6. security certificate show -vserver vserver_name -common-name common_name -instance
> > 7. ssl modify -vserver vserver_name -server-enabled true -client-enabled false -common-name common_name -ca common_name -serial serial_number
> > 8.
> >
> > security certificate show
> >
> > 9.
> >
> > security ssl show
> >
> >
> > On Wed, Jun 12, 2019 at 9:58 AM jordan slingerland <jordan.slingerland@gmail.com> wrote:
> > I was hoping to see this email signed Charles Heese or something. That would have made my morning.
> >
> > On Wed, Jun 12, 2019, 9:52 AM <cheese@nosuchhost.net> wrote:
> > hi
> >
> > i have several systems with ontap 9.3P10 and have messages like:
> > 6/12/2019 00:00:01 L1Q-A1 ERROR
> > mgmtgwd.certificate.expiring: A digital certificate with Fully Qualified
> > Domain Name (FQDN) Class2PrimaryCA, Serial Number 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type server-ca for Vserver L1Q will expire in the next 25 day(s).
> >
> > what should i do here? my netapp partner told me to renew them via
> > deleteing them and creating new certs.
> >
> > i should create a new server-ca, which is not even an option in ontap
> > (even with advanced privileges) ?
> > i think this must be wrong.
> >
> > i hope others have the same problem and a solution.
> >
> > yours
> > josef
> > _______________________________________________
> > Toasters mailing list
> > Toasters@teaparty.net
> > http://www.teaparty.net/mailman/listinfo/toasters
> >
> > _______________________________________________
> > Toasters mailing list
> > Toasters@teaparty.net
> > http://www.teaparty.net/mailman/listinfo/toasters
> >
> >
> >_______________________________________________
> Toasters mailing list
> Toasters@teaparty.net
> http://www.teaparty.net/mailman/listinfo/toasters
>
>
>
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters