Just for kicks, I looked at ONTAP 9.5 & 9.6.
The same certs exist there also!

Maybe open a case with NetApp to update or remove the certs in ONTAP itself?

--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeam
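
An added example, not part of any poster's message: a parser for the `security certificate show -type server-ca` listing quoted further down this thread, including the row where a long serial number pushes the common name onto the next line. The function names, the embedded SAMPLE text, the naive (zone-less) timestamps and the assumption that common names contain no spaces are assumptions of this example.

```python
from datetime import datetime

# Constructed sample: same layout as the listing quoted in this thread.
SAMPLE = """\
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
L1Q        85BD4BF3D8DAE369F694D75FC3A54423
                            Class2PrimaryCA                        server-ca
     Certificate Authority: Class 2 Primary CA
           Expiration Date: Sun Jul 07 01:59:59 2019

L1Q        26              DeutscheTelekomRootCA2                 server-ca
     Certificate Authority: Deutsche Telekom Root CA 2
           Expiration Date: Wed Jul 10 01:59:00 2019

L1Q        44BE0C8B500024B411D3362AFE650AFD
                            UTN-USERFirst-Hardware                 server-ca
     Certificate Authority: UTN-USERFirst-Hardware
           Expiration Date: Tue Jul 09 20:19:22 2019

3 entries were displayed.
"""

def parse_cert_listing(text):
    """Return one dict per certificate entry in the CLI listing."""
    certs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("Vserver", "---")) or s.endswith("displayed."):
            continue
        if s.startswith("Certificate Authority:"):
            cur["ca"] = s.split(":", 1)[1].strip()
        elif s.startswith("Expiration Date:"):   # assumption: timestamps parsed as naive
            cur["expires"] = datetime.strptime(s.split(":", 1)[1].strip(), "%a %b %d %H:%M:%S %Y")
        elif not line[0].isspace():              # new entry: vserver, serial [, name, type]
            f = s.split()
            cur = {"vserver": f[0], "serial": f[1]}
            if len(f) == 4:
                cur["common_name"], cur["type"] = f[2], f[3]
            certs.append(cur)
        else:                                    # wrapped row: common name and type only
            cur["common_name"], cur["type"] = s.split()
    return certs

def expiring(certs, now, within_days):
    """(common_name, type, days_left) for certs inside the window, soonest first."""
    rows = [(c["common_name"], c["type"], (c["expires"] - now).days) for c in certs]
    return sorted((r for r in rows if r[2] <= within_days), key=lambda r: r[2])
```

Keeping the `type` column in the result makes it easy to separate preinstalled `server-ca` trust anchors from `server` certificates that the cluster itself presents.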




On Thu, Jun 13, 2019 at 5:17 AM <cheese@nosuchhost.net> wrote:
Thanks for answering.
Your steps would work for self-signed certificates, but those expiring
in my case are the CAs from other organisations, installed by NetApp.

Currently I have 3 of them expiring in the near future:
L1Q::> security certificate show -type server-ca -expiration <"Thu Jul 11 01:59:00 2019"
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
L1Q        85BD4BF3D8DAE369F694D75FC3A54423
                            Class2PrimaryCA                        server-ca
     Certificate Authority: Class 2 Primary CA
           Expiration Date: Sun Jul 07 01:59:59 2019

L1Q        26              DeutscheTelekomRootCA2                 server-ca
     Certificate Authority: Deutsche Telekom Root CA 2
           Expiration Date: Wed Jul 10 01:59:00 2019

L1Q        44BE0C8B500024B411D3362AFE650AFD
                            UTN-USERFirst-Hardware                 server-ca
     Certificate Authority: UTN-USERFirst-Hardware
           Expiration Date: Tue Jul 09 20:19:22 2019

3 entries were displayed.


As far as I can see, those certs are used when my NetApp tries to connect
to SSL-enabled services with certs signed by those CAs. Maybe I
should just delete them to get rid of those messages in my event log.

yours
josef (no charles heese here, sorry :))


On Wed, 12 Jun 2019, Douglas Siggins wrote:

> Pretty sure we do something like this:
>  1. security ssl show
>  2. security certificate show -vserver vserver_name -common-name common_name -instance 
>  3. security certificate delete -vserver vserver_name -common-name common_name -ca common_name -type server -serial serial_number
>  4. security certificate create -vserver vserver_name -type server -size 2048   -expire-days (days here) -common-name common_name -hash-function SHA256 -country US -protocol SSL
>  5. security ssl show
>  6. security certificate show -vserver vserver_name -common-name common_name -instance
>  7. ssl modify -vserver vserver_name -server-enabled true -client-enabled false -common-name common_name -ca common_name -serial serial_number
>  8. security certificate show
>  9. security ssl show
>
>
> On Wed, Jun 12, 2019 at 9:58 AM jordan slingerland <jordan.slingerland@gmail.com> wrote:
>       I was hoping to see this email signed Charles Heese or something.  That would have made my morning. 
>
> On Wed, Jun 12, 2019, 9:52 AM <cheese@nosuchhost.net> wrote:
>       Hi,
>
>       I have several systems with ONTAP 9.3P10 and have messages like:
>       6/12/2019 00:00:01  L1Q-A1           ERROR
>       mgmtgwd.certificate.expiring: A digital certificate with Fully Qualified
>       Domain Name (FQDN) Class2PrimaryCA, Serial Number 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type server-ca for Vserver L1Q will expire in the next 25 day(s).
>
>       What should I do here? My NetApp partner told me to renew them by
>       deleting them and creating new certs.
>
>       I should create a new server-ca, which is not even an option in ONTAP
>       (even with advanced privileges)?
>       I think this must be wrong.
>
>       I hope others have the same problem and a solution.
>
>       yours
>       josef
>       _______________________________________________
>       Toasters mailing list
>       Toasters@teaparty.net
>       http://www.teaparty.net/mailman/listinfo/toasters
>