Setting up Cloud Manager to be an intermediate CA

Cloud Manager must be an intermediate certificate authority (CA) because it needs to create client certificates for ONTAP Cloud. You set up Cloud Manager to be an intermediate CA by generating a certificate signing request (CSR), getting the CSR signed by a root CA, and then installing the certificate in Cloud Manager.


  1. In the upper-right corner of the Cloud Manager console, click the task drop-down list, and then select Encryption Setup.
  2. In the Intermediate CA tab, click Generate CSR.
    Cloud Manager displays a certificate signing request.
  3. Use the CSR to submit a certificate request to a CA.
    The intermediate CA certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format.
  4. Copy the content of the signed certificate and paste it in the Cloud Manager certificate field.
  5. Click Install Cloud Manager Certificate.


Cloud Manager is now an intermediate CA—it can sign client certificates for ONTAP Cloud systems. The following image shows a Cloud Manager system that is configured to be an intermediate CA:

Screen shot: Shows the Cloud Manager certificate in the Intermediate CA tab, which appears after Cloud Manager is configured to be an intermediate CA

After you finish

If a KMIP server requires client certificate authentication, add the Cloud Manager intermediate CA and its root CA to the key manager's list of trusted CAs. This step is necessary because the key manager must verify that ONTAP Cloud client certificates were signed by a trusted CA.