You, sir, are my hero! "install" instead of "create" should be the correct way to handle that situation. Now I only need to get the currently valid cert package from NetApp.

Thanks,
Josef
On Thu, 13 Jun 2019, Douglas Siggins wrote:
Does this not answer your question?

security certificate install                                  Data ONTAP 9.1

NAME
    security certificate install -- Install a Digital Certificate

AVAILABILITY
    This command is available to cluster and Vserver administrators at the admin privilege level.

DESCRIPTION
    The security certificate install command installs digital security certificates signed by a certificate authority (CA) and the public key certificate of the root CA. Digital security certificates also include the intermediate certificates to construct the chain for server certificates (the server type), client-side root CA certificates (the client-ca type), or server-side root CA certificates (the server-ca type).

    With FIPS enabled, the following restrictions apply to the certificate being installed:
        server/client/server-ca/client-ca:      key size >= 2048
        server/client:                          hash function (no MD-5, no SHA-1)
        server-ca/client-ca (intermediate CA):  hash function (no MD-5, no SHA-1)
        server-ca/client-ca (root CA):          hash function (no MD-5)
On Thu, Jun 13, 2019 at 1:05 PM tmac tmacmd@gmail.com wrote:

Just for kicks, I looked at ONTAP 9.5 & 9.6. The same certs exist there also!
Maybe open a case with netapp to update or remove the certs in ONTAP itself?
--tmac Tim McCarthy, Principal Consultant
Proud Member of the #NetAppATeam
On Thu, Jun 13, 2019 at 5:17 AM cheese@nosuchhost.net wrote:

Thanks for answering. Your steps would work for self-signed certificates, but the ones expiring in my case are the CAs from other organisations, installed from NetApp.
Currently I have 3 of them expiring in the near future:

L1Q::> security certificate show -type server-ca -expiration <"Thu Jul 11 01:59:00 2019"
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
L1Q        85BD4BF3D8DAE369F694D75FC3A54423
                           Class2PrimaryCA                        server-ca
    Certificate Authority: Class 2 Primary CA
          Expiration Date: Sun Jul 07 01:59:59 2019
L1Q        26              DeutscheTelekomRootCA2                 server-ca
    Certificate Authority: Deutsche Telekom Root CA 2
          Expiration Date: Wed Jul 10 01:59:00 2019
L1Q        44BE0C8B500024B411D3362AFE650AFD
                           UTN-USERFirst-Hardware                 server-ca
    Certificate Authority: UTN-USERFirst-Hardware
          Expiration Date: Tue Jul 09 20:19:22 2019
3 entries were displayed.

As far as I see, those certs are used when my NetApp tries to connect itself to SSL-enabled services with certs signed by those CAs. Maybe I should only delete them to get rid of those messages in my event log.

Yours,
Josef (no Charles Heese here, sorry :))

On Wed, 12 Jun 2019, Douglas Siggins wrote:
> Pretty sure we do something like this:
> 1. security ssl show
> 2. security certificate show -vserver vserver_name -common-name common_name -instance
> 3. security certificate delete -vserver vserver_name -common-name common_name -ca common_name -type server -serial serial_number
> 4. security certificate create -vserver vserver_name -type server -size 2048 -expire-days (days here) -common-name common_name -hash-function SHA256 -country US -protocol SSL
> 5. security ssl show
> 6. security certificate show -vserver vserver_name -common-name common_name -instance
> 7. ssl modify -vserver vserver_name -server-enabled true -client-enabled false -common-name common_name -ca common_name -serial serial_number
> 8. security certificate show
> 9. security ssl show
>
> On Wed, Jun 12, 2019 at 9:58 AM jordan slingerland <jordan.slingerland@gmail.com> wrote:
> > I was hoping to see this email signed Charles Heese or something. That would have made my morning.
> >
> > On Wed, Jun 12, 2019, 9:52 AM <cheese@nosuchhost.net> wrote:
> > > Hi,
> > >
> > > I have several systems with ONTAP 9.3P10 and have messages like:
> > >
> > > 6/12/2019 00:00:01 L1Q-A1 ERROR mgmtgwd.certificate.expiring: A digital certificate with
> > > Fully Qualified Domain Name (FQDN) Class2PrimaryCA, Serial Number
> > > 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type
> > > server-ca for Vserver L1Q will expire in the next 25 day(s).
> > >
> > > What should I do here? My NetApp partner told me to renew them by deleting them and creating new certs.
> > >
> > > I should create a new server-ca, which is not even an option in ONTAP (even with advanced privileges)?
> > > I think this must be wrong.
> > >
> > > I hope others have the same problem and a solution.
> > >
> > > Yours,
> > > Josef
> > > _______________________________________________
> > > Toasters mailing list
> > > Toasters@teaparty.net
> > > http://www.teaparty.net/mailman/listinfo/toasters
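The listing and the mgmtgwd.certificate.expiring event above can be triaged offline with the script below. It is an added example, not something posted in the thread or shipped by NetApp: it parses a constructed copy of the `security certificate show -type server-ca -expiration` output (same serials, CAs and dates as Josef's listing; the wrapping of the long serials onto a second line is an assumption about the column layout, and the parser counts tokens rather than columns so it does not depend on it), computes days to expiry against a fixed reference date, and for every certificate inside the warning window says whether it is a third-party CA (server-ca/client-ca, for which `create` is not an option and only `install` of the renewed CA certificate or `delete` applies) or a cluster-owned server certificate (the delete/create/ssl modify steps quoted above), printing the matching `security certificate delete` command for review. The delete command is assembled only from the parameters that appear in the thread; check what still chains to a CA before running it.

```python
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample modelled on the listing in the thread (same serials, CAs
# and dates); the two-line wrapping of long serials is an assumption.
SAMPLE_OUTPUT = """\
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
L1Q        85BD4BF3D8DAE369F694D75FC3A54423
                           Class2PrimaryCA                        server-ca
    Certificate Authority: Class 2 Primary CA
          Expiration Date: Sun Jul 07 01:59:59 2019
L1Q        26              DeutscheTelekomRootCA2                 server-ca
    Certificate Authority: Deutsche Telekom Root CA 2
          Expiration Date: Wed Jul 10 01:59:00 2019
L1Q        44BE0C8B500024B411D3362AFE650AFD
                           UTN-USERFirst-Hardware                 server-ca
    Certificate Authority: UTN-USERFirst-Hardware
          Expiration Date: Tue Jul 09 20:19:22 2019
3 entries were displayed.
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"        # "Sun Jul 07 01:59:59 2019"
CA_TYPES = {"server-ca", "client-ca"}    # types with no 'create', only 'install'/'delete'
REFERENCE_DATE = datetime(2019, 6, 12)   # day of the event in the thread; use datetime.now() in practice


@dataclass
class Cert:
    vserver: str
    serial: str
    common_name: str
    ctype: str
    ca: str
    expires: datetime


@dataclass
class Finding:
    cert: Cert
    days_left: int
    action: str
    delete_cmd: str


def parse_show_output(text: str) -> List[Cert]:
    """A record is four tokens (vserver, serial, common name, type), possibly
    spread over two lines, followed by 'Certificate Authority:' and
    'Expiration Date:' lines; header, rule and footer lines are skipped."""
    certs: List[Cert] = []
    tokens: List[str] = []
    ca = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Vserver ", "---")) or line.endswith("displayed."):
            continue
        if line.startswith("Certificate Authority:"):
            ca = line.split(":", 1)[1].strip()
        elif line.startswith("Expiration Date:"):
            expires = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
            if len(tokens) != 4 or ca is None:
                raise ValueError(f"unexpected record layout before {line!r}: {tokens}")
            vserver, serial, cn, ctype = tokens
            certs.append(Cert(vserver, serial, cn, ctype, ca, expires))
            tokens, ca = [], None
        else:
            tokens.extend(line.split())
    if tokens:
        raise ValueError(f"trailing record without an expiration date: {tokens}")
    return certs


def triage(certs: List[Cert], now: datetime, warn_days: int = 25) -> List[Finding]:
    """Certificates expiring within warn_days of now, soonest first, each with
    the applicable remediation and a ready-to-review delete command."""
    findings = []
    for c in certs:
        days_left = (c.expires - now).days
        if days_left > warn_days:
            continue
        if c.ctype in CA_TYPES:
            action = (f"third-party CA ({c.ctype}): 'security certificate create' does not apply; "
                      f"install the renewed CA certificate with "
                      f"'security certificate install -vserver {c.vserver} -type {c.ctype}', "
                      f"or delete it if nothing on the cluster still chains to it")
        else:
            action = (f"cluster-owned {c.ctype} certificate: delete, 'security certificate create', "
                      f"then 'security ssl modify' to the new serial")
        delete_cmd = (f"security certificate delete -vserver {c.vserver} "
                      f"-common-name {c.common_name} -ca \"{c.ca}\" "
                      f"-type {c.ctype} -serial {c.serial}")
        findings.append(Finding(c, days_left, action, delete_cmd))
    return sorted(findings, key=lambda f: f.days_left)


def main() -> None:
    # Pass a file of captured 'security certificate show' output, or run the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_OUTPUT
    for f in triage(parse_show_output(text), REFERENCE_DATE, warn_days=30):
        print(f"{f.days_left:3d} days  {f.cert.common_name:<24} {f.cert.ctype}")
        print(f"    {f.action}")
        print(f"    {f.delete_cmd}")


if __name__ == "__main__":
    main()
```

With the sample and the 25-day window ONTAP used for the event, only Class2PrimaryCA is flagged on 12 June, matching the mgmtgwd.certificate.expiring message; widening the window to 30 days surfaces all three listed CAs. The script deliberately prints commands rather than running them over SSH, because deleting a server-ca that a LDAP, KMIP or cloud-tiering peer still chains to breaks that client connection silently.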