Does this not answer your question?
security certificate install          Data ONTAP 9.1          security certificate install

NAME
    security certificate install -- Install a Digital Certificate

AVAILABILITY
    This command is available to cluster and Vserver administrators at the admin privilege level.

DESCRIPTION
    The security certificate install command installs digital security certificates signed by a certificate authority (CA) and the public key certificate of the root CA. Digital security certificates also include the intermediate certificates to construct the chain for server certificates (the server type), client-side root CA certificates (the client-ca type), or server-side root CA certificates (the server-ca type).

    With FIPS enabled, the following restrictions apply to the certificate getting installed:
      server/client/server-ca/client-ca: Key size >= 2048
      server/client: Hash function (No MD-5, No SHA-1)
      server-ca/client-ca: (Intermediate CA), Hash Function (No MD-5, No SHA-1)
      server-ca/client-ca: (Root CA), Hash Function (No MD-5)

On Thu, Jun 13, 2019 at 1:05 PM tmac wrote:
Just for kicks, I looked at ONTAP 9.5 & 9.6. The same certs exist there also!
Maybe open a case with netapp to update or remove the certs in ONTAP itself?
Tim McCarthy, Principal Consultant
Proud Member of the #NetAppATeam

On Thu, Jun 13, 2019 at 5:17 AM wrote:
Thanks for answering. Your steps would work for self-signed certificates, but those expiring in my case are the CAs from other organisations, installed from NetApp.

Currently I have 3 of them expiring in the near future:

L1Q::> security certificate show -type server-ca -expiration <"Thu Jul 11 01:59:00 2019"
Vserver    Serial Number                    Common Name             Type
L1Q        85BD4BF3D8DAE369F694D75FC3A54423 Class2PrimaryCA         server-ca
    Certificate Authority: Class 2 Primary CA
          Expiration Date: Sun Jul 07 01:59:59 2019
L1Q        26                               DeutscheTelekomRootCA2  server-ca
    Certificate Authority: Deutsche Telekom Root CA 2
          Expiration Date: Wed Jul 10 01:59:00 2019
L1Q        44BE0C8B500024B411D3362AFE650AFD UTN-USERFirst-Hardware  server-ca
    Certificate Authority: UTN-USERFirst-Hardware
          Expiration Date: Tue Jul 09 20:19:22 2019
3 entries were displayed.

As far as I see, those certs are used when my NetApp tries to connect itself to SSL-enabled services with certs signed by those CAs. Maybe I should only delete them to get rid of those messages in my event log.

Yours, Josef (no Charles Heese here, sorry :))

On Wed, 12 Jun 2019, Douglas Siggins wrote:
Pretty sure we do something like this:
- security ssl show
- security certificate show -vserver vserver_name -common-name common_name -instance
- security certificate delete -vserver vserver_name -common-name common_name -ca common_name -type server -serial serial_number
- security certificate create -vserver vserver_name -type server -size 2048 -expire-days (days here) -common-name common_name -hash-function SHA256 -country US -protocol SSL
- security ssl show
- security certificate show -vserver vserver_name -common-name common_name -instance
- security ssl modify -vserver vserver_name -server-enabled true -client-enabled false -common-name common_name -ca common_name -serial serial_number
- security certificate show
- security ssl show

On Wed, Jun 12, 2019 at 9:58 AM jordan slingerland wrote:
I was hoping to see this email signed Charles Heese or something. That would have made my morning.

On Wed, Jun 12, 2019, 9:52 AM wrote:
Hi,

I have several systems with ONTAP 9.3P10 and have messages like:

6/12/2019 00:00:01 L1Q-A1 ERROR mgmtgwd.certificate.expiring: A digital certificate with Fully Domain Name (FQDN) Class2PrimaryCA, Serial Number 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type server-ca for Vserver L1Q will expire in the next 25 day(s).

What should I do here? My NetApp partner told me to renew them via deleting them and creating new certs. I should create a new server-ca, which is not even an option in (even with advanced privileges)? I think this must be wrong. I hope others have the same problem and a solution.

Yours, Josef

_______________________________________________
Toasters mailing list
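
Added example (not part of the thread and not NetApp tooling): a Python triage of the mgmtgwd.certificate.expiring event quoted above. It separates CA trust anchors (server-ca/client-ca), which cannot be re-created locally, from the system's own certificates, where the delete/create steps apply. The second sample event, the names vs1 and vs1.example.com, and the action strings are constructed for this example.

```python
import re

# Matches the mgmtgwd.certificate.expiring text as quoted in the thread.
# "[^()]*?" stops one match from running into the next event.
EXPIRING = re.compile(
    r"(?P<node>\S+) ERROR mgmtgwd\.certificate\.expiring:[^()]*?\(FQDN\) "
    r"(?P<cn>[^,]+), Serial Number (?P<serial>[0-9A-Fa-f]+), "
    r"Certificate Authority '(?P<ca>[^']+)' and type (?P<type>[\w-]+) "
    r"for Vserver (?P<vserver>\S+) will expire in the next (?P<days>\d+) day"
)

# Trust-anchor types: issued by an outside CA, so they cannot be re-created locally.
CA_TYPES = {"server-ca", "client-ca"}

def triage(log_text):
    """Return expiring-certificate events, soonest first, each with an action."""
    flat = " ".join(log_text.split())  # undo mail/console line wrapping
    events = []
    for m in EXPIRING.finditer(flat):
        ev = m.groupdict()
        ev["days"] = int(ev["days"])
        if ev["type"] in CA_TYPES:
            ev["action"] = "trust-anchor: remove it or install the CA's replacement"
        else:
            ev["action"] = "own certificate: re-issue (delete/create) and rebind SSL"
        # Inspection command built only from flags shown in the thread.
        ev["inspect"] = ("security certificate show -vserver {vserver} "
                         "-common-name {cn} -instance").format(**ev)
        events.append(ev)
    return sorted(events, key=lambda e: e["days"])

# First event is the one quoted in the thread; the second is constructed.
SAMPLE = """\
6/12/2019 00:00:01 L1Q-A1 ERROR mgmtgwd.certificate.expiring: A digital certificate with Fully
Domain Name (FQDN) Class2PrimaryCA, Serial Number
85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type server-ca for Vserver L1Q will expire in the next 25 day(s).
6/12/2019 00:00:02 L1Q-A1 ERROR mgmtgwd.certificate.expiring: A digital certificate with Fully
Domain Name (FQDN) vs1.example.com, Serial Number 5A1B2C, Certificate Authority
'vs1.example.com' and type server for Vserver vs1 will expire in the next 10 day(s).
"""

if __name__ == "__main__":
    for ev in triage(SAMPLE):
        print(f"{ev['days']:>3}d {ev['vserver']} {ev['type']:<9} {ev['cn']} -> {ev['action']}")
        print("     check:", ev["inspect"])
```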