hi
i have several systems with ontap 9.3P10 and have messages like:
6/12/2019 00:00:01 L1Q-A1 ERROR mgmtgwd.certificate.expiring: A digital certificate with Fully Qualified Domain Name (FQDN) Class2PrimaryCA, Serial Number 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type server-ca for Vserver L1Q will expire in the next 25 day(s).
what should i do here? my netapp partner told me to renew them via deleting them and creating new certs.
i should create a new server-ca, which is not even an option in ontap (even with advanced privileges)? i think this must be wrong.
i hope others have the same problem and a solution.
yours josef
I was hoping to see this email signed Charles Heese or something. That would have made my morning.
On Wed, Jun 12, 2019, 9:52 AM cheese@nosuchhost.net wrote: [...]
_______________________________________________ Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
Pretty sure we do something like this:
1. security ssl show
2. security certificate show -vserver vserver_name -common-name common_name -instance
3. security certificate delete -vserver vserver_name -common-name common_name -ca common_name -type server -serial serial_number
4. security certificate create -vserver vserver_name -type server -size 2048 -expire-days (days here) -common-name common_name -hash-function SHA256 -country US -protocol SSL
5. security ssl show
6. security certificate show -vserver vserver_name -common-name common_name -instance
7. ssl modify -vserver vserver_name -server-enabled true -client-enabled false -common-name common_name -ca common_name -serial serial_number
8. security certificate show
9. security ssl show
On Wed, Jun 12, 2019 at 9:58 AM jordan slingerland <jordan.slingerland@gmail.com> wrote: [...]
Thanks for answering, your steps would work for self-signed certificates, but the ones expiring in my case are the CAs from other organisations, installed by netapp.
currently i have 3 of them expiring in the near future:
L1Q::> security certificate show -type server-ca -expiration <"Thu Jul 11 01:59:00 2019"
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
L1Q        85BD4BF3D8DAE369F694D75FC3A54423 Class2PrimaryCA       server-ca
    Certificate Authority: Class 2 Primary CA
          Expiration Date: Sun Jul 07 01:59:59 2019
L1Q        26              DeutscheTelekomRootCA2                 server-ca
    Certificate Authority: Deutsche Telekom Root CA 2
          Expiration Date: Wed Jul 10 01:59:00 2019
L1Q        44BE0C8B500024B411D3362AFE650AFD UTN-USERFirst-Hardware server-ca
    Certificate Authority: UTN-USERFirst-Hardware
          Expiration Date: Tue Jul 09 20:19:22 2019
3 entries were displayed.
as far as i see those certs are used when my netapp tries to connect itself to ssl-enabled services with certs signed by those CAs. maybe i should just delete them to get rid of those messages in my eventlog.
yours josef (no charles heese here, sorry :))
On Wed, 12 Jun 2019, Douglas Siggins wrote: [...]
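The two artefacts Josef quotes, the mgmtgwd.certificate.expiring EMS line and the `security certificate show -type server-ca` listing, are easy to triage automatically. The following is an added example, not ONTAP or NetApp code and not from anyone in this thread: it parses both formats with the Python standard library, computes days to expiry against a reference date, cross-checks that the EMS serial really is in the listing, and names the command family that replaces each certificate type (`create` for the node's own server cert, `install` for server-ca/client-ca trust anchors, which is where the thread ends up). The sample inputs are constructed from the values quoted above; the function and constant names are my own.

```python
"""Triage of ONTAP certificate-expiry output (added example, not ONTAP code).

Parses the 'mgmtgwd.certificate.expiring' EMS message and the
'security certificate show' listing, reports days to expiry against a
reference date, and names the command family that renews each type.
"""
import re
from datetime import datetime

# Constructed sample: one EMS line as it appears in the event log.
EMS_LINE = (
    "6/12/2019 00:00:01 L1Q-A1 ERROR mgmtgwd.certificate.expiring: A digital "
    "certificate with Fully Qualified Domain Name (FQDN) Class2PrimaryCA, Serial "
    "Number 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 "
    "Primary CA' and type server-ca for Vserver L1Q will expire in the next 25 day(s)."
)
# Constructed sample: 'security certificate show -type server-ca' output.
SHOW_OUTPUT = """\
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
L1Q        85BD4BF3D8DAE369F694D75FC3A54423 Class2PrimaryCA       server-ca
    Certificate Authority: Class 2 Primary CA
          Expiration Date: Sun Jul 07 01:59:59 2019
L1Q        26              DeutscheTelekomRootCA2                 server-ca
    Certificate Authority: Deutsche Telekom Root CA 2
          Expiration Date: Wed Jul 10 01:59:00 2019
L1Q        44BE0C8B500024B411D3362AFE650AFD UTN-USERFirst-Hardware server-ca
    Certificate Authority: UTN-USERFirst-Hardware
          Expiration Date: Tue Jul 09 20:19:22 2019
3 entries were displayed.
"""
REFERENCE_DATE = datetime(2019, 6, 12, 0, 0, 1)   # timestamp of the EMS line above

CERT_TYPES = r"server-ca|client-ca|root-ca|server|client"   # longest names first
EMS_RE = re.compile(
    r"mgmtgwd\.certificate\.expiring: .*?\(FQDN\) (?P<cn>\S+), Serial Number "
    r"(?P<serial>[0-9A-Fa-f]+), Certificate Authority '(?P<ca>[^']+)' and type "
    r"(?P<type>" + CERT_TYPES + r") for Vserver (?P<vserver>\S+) will expire in "
    r"the next (?P<days>\d+) day\(s\)")
# Entry rows start in column 0; the detail rows below them are indented.
ENTRY_RE = re.compile(
    r"^(?P<vserver>\S+)\s+(?P<serial>\S+)\s+(?P<cn>\S+)\s+(?P<type>" + CERT_TYPES + r")\s*$")
CA_RE = re.compile(r"^\s*Certificate Authority:\s*(?P<ca>.+?)\s*$")
EXP_RE = re.compile(r"^\s*Expiration Date:\s*(?P<exp>.+?)\s*$")
EXP_FMT = "%a %b %d %H:%M:%S %Y"   # ONTAP prints e.g. 'Sun Jul 07 01:59:59 2019'


def parse_ems(line):
    """Return the fields of one mgmtgwd.certificate.expiring line, or None."""
    m = EMS_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["days"] = int(fields["days"])
    return fields


def parse_show(text):
    """Turn 'security certificate show' output into a list of dicts."""
    certs, cur = [], None
    for raw in text.splitlines():
        if (m := ENTRY_RE.match(raw)):
            cur = m.groupdict()
            certs.append(cur)
        elif cur is not None and (m := CA_RE.match(raw)):
            cur["ca"] = m.group("ca")
        elif cur is not None and (m := EXP_RE.match(raw)):
            cur["expires"] = datetime.strptime(m.group("exp"), EXP_FMT)
    return certs


def renewal_command(cert_type):
    """Command family that replaces a certificate of the given ONTAP type:
    the node's own 'server' cert is regenerated or re-issued, while a trust
    anchor is replaced by installing the CA's current PEM."""
    if cert_type == "server":
        return "security certificate create -type server (or CSR + install)"
    if cert_type in ("server-ca", "client-ca"):
        return "security certificate install -type " + cert_type
    return "see the ONTAP docs for type " + cert_type


def triage(certs, today, warn_days=30):
    """Classify each cert as expired / expiring / ok relative to 'today'."""
    report = []
    for c in certs:
        left = (c["expires"] - today).days
        state = "expired" if left < 0 else "expiring" if left <= warn_days else "ok"
        report.append({**c, "days_left": left, "state": state,
                       "action": renewal_command(c["type"])})
    return report


def ems_matches_listing(ems, certs):
    """Cross-check: is the EMS serial present in the listing with the same type?"""
    return any(c["serial"] == ems["serial"] and c["type"] == ems["type"] for c in certs)


if __name__ == "__main__":
    ems, listing = parse_ems(EMS_LINE), parse_show(SHOW_OUTPUT)
    print("EMS:", ems["cn"], ems["days"], "days; listed:", ems_matches_listing(ems, listing))
    for r in triage(listing, REFERENCE_DATE):
        print(f"{r['cn']:<24} {r['type']:<10} {r['days_left']:>3}d {r['state']:<9} -> {r['action']}")
```

Run against the sample, all three server-ca entries come out as "expiring" with 25, 28 and 27 days left, and the first one matches the EMS line's 25 days exactly, which confirms the event is about the trust anchor and not about the node's own server certificate.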
Just for kicks, I looked at ONTAP 9.5 & 9.6. The same certs exist there also!
Maybe open a case with netapp to update or remove the certs in ONTAP itself?
--tmac
Tim McCarthy, Principal Consultant
Proud Member of the #NetAppATeam https://twitter.com/NetAppATeam
On Thu, Jun 13, 2019 at 5:17 AM cheese@nosuchhost.net wrote: [...]
Does this not answer your question?
security certificate install (Data ONTAP 9.1)
NAME
security certificate install -- Install a Digital Certificate
AVAILABILITY
This command is available to cluster and Vserver administrators at the admin privilege level.
DESCRIPTION
The security certificate install command installs digital security certificates signed by a certificate authority (CA) and the public key certificate of the root CA. Digital security certificates also include the intermediate certificates to construct the chain for server certificates (the server type), client-side root CA certificates (the client-ca type), or server-side root CA certificates (the server-ca type).
With FIPS enabled, the following restrictions apply to the certificate getting installed:
server/client/server-ca/client-ca: Key size >= 2048
server/client: Hash function (No MD-5, No SHA-1)
server-ca/client-ca (Intermediate CA): Hash function (No MD-5, No SHA-1)
server-ca/client-ca (Root CA): Hash function (No MD-5)
On Thu, Jun 13, 2019 at 1:05 PM tmac tmacmd@gmail.com wrote: [...]
you sir are my hero! "install" instead of "create" should be the correct way to handle that situation. now i only need to get the currently valid cert-package from netapp. thanks josef
On Thu, 13 Jun 2019, Douglas Siggins wrote: [...]
Hey Josef,
not sure if there's a cert package you can install using this command, but the basic security certificate install works with standard PEM-encoded data. For example, here's the command I used to install the new DigiCert CA on our filers with older Ontap releases where DigiCert was not included in Ontap already.
::> security certificate install -type server-ca
Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
You should keep a copy of the CA-signed digital certificate for future reference.
As always, running on a recent Ontap version usually fixes this kind of problem, since the root certificates also get updated along with newer Ontap releases.
Best,
Alexander Griesser Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
E-Mail: AGriesser@anexia-it.com Web: http://www.anexia-it.com
Address, head office Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt. Managing Director: Alexander Windbichler. Company register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601
-----Original Message----- From: toasters-bounces@teaparty.net toasters-bounces@teaparty.net On behalf of cheese@nosuchhost.net Sent: Friday, 14 June 2019 07:45 To: Douglas Siggins siggins@gmail.com Cc: Toasters toasters@teaparty.net Subject: Re: server-ca certs expiring
[...]
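Before pasting a replacement root into `security certificate install -type server-ca` as Alexander shows, it is worth confirming from the PEM itself that it really is a root (self-signed) CA, when it expires, and whether it satisfies the FIPS restrictions quoted from the man page earlier in the thread (key size >= 2048, no MD-5 for a root CA). The following is an added example, not ONTAP or NetApp code and not from anyone in this thread: a minimal DER walker in the Python standard library that reads those fields from the tbsCertificate of the DigiCert Global Root CA exactly as pasted above. The reference date is a constructed value and the helper names are my own.

```python
"""Inspect a PEM root CA before installing it as an ONTAP server-ca.

Added example, not ONTAP or NetApp code. Reads serial, signature hash,
issuer/subject, validity and RSA key size from the tbsCertificate with a
minimal DER parser, then applies the man page's Root CA rules.
"""
import base64
import re
from datetime import datetime

# The DigiCert Global Root CA as pasted in the thread (a public root certificate).
PEM = """-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----"""
REFERENCE_DATE = datetime(2019, 6, 14)   # constructed: the day of the reply above

SIG_OIDS = {   # DER-encoded OID values of the PKCS#1 RSA signature algorithms
    bytes.fromhex("2a864886f70d010104"): "md5WithRSA",
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSA",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSA",
}


def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(body.group(1).split()))


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed DER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50..99 -> 19xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")   # else GeneralizedTime YYYYMMDDHHMMSSZ


def inspect_cert(pem):
    (_, cert), = children(pem_to_der(pem))             # outer Certificate SEQUENCE
    fields = children(children(cert)[0][1])            # tbsCertificate members
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, sigalg, issuer, validity, subject, spki = fields[:6]
    not_before, not_after = (parse_time(t, v) for t, v in children(validity[1]))
    rsa_key = children(spki[1])[1][1][1:]              # BIT STRING payload, drop unused-bits byte
    modulus = children(children(rsa_key)[0][1])[0][1].lstrip(b"\x00")
    return {"self_signed": issuer[1] == subject[1],    # root: issuer DN == subject DN
            "serial": serial[1].hex().upper(),
            "not_before": not_before, "not_after": not_after,
            "key_bits": len(modulus) * 8,
            "sig_hash": SIG_OIDS.get(children(sigalg[1])[0][1], "unknown")}


def install_checks(info, today):
    """The man page's Root CA rules plus the expiry question from the thread."""
    return {"is_root": info["self_signed"],
            "key_ok": info["key_bits"] >= 2048,
            "hash_ok": info["sig_hash"] != "md5WithRSA",
            "days_left": (info["not_after"] - today).days}


if __name__ == "__main__":
    info = inspect_cert(PEM)
    print(info)
    print(install_checks(info, REFERENCE_DATE))
```

For this root the signature hash comes out as sha1WithRSA, which the quoted man page allows for a root CA (only MD-5 is excluded there) but would reject for a server or intermediate certificate, so the check has to know which type it is being installed as. The parser reads only the tbsCertificate fields it needs and does no signature verification; it is a sanity check on what you are about to trust, not a replacement for obtaining the PEM from the CA's official distribution.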