security certificate create

Create and Install a Self-Signed Digital Certificate

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The security certificate create command creates and installs a self-signed digital certificate, which can be used for server authentication, for signing other certificates by acting as a certificate authority (CA), or for Data ONTAP as an SSL client. The certificate function is selected by the -type field. Self-signed digital certificates are not as secure as certificates signed by a CA. Therefore, they are not recommended in a production environment.

Parameters

-vserver <Vserver Name> - Name of Vserver
This specifies the name of the Vserver on which the certificate will exist.
-common-name <FQDN or Custom Common Name> - FQDN or Custom Common Name
This specifies the desired certificate name as a fully qualified domain name (FQDN) or custom common name or the name of a person. The supported characters, which are a subset of the ASCII character set, are as follows:
  • Letters a through z, A through Z
  • Numbers 0 through 9
  • Asterisk (*), period (.), underscore (_) and hyphen (-)
The common name must not start or end with a "-" or a ".". The maximum length is 253 characters.
-type <type of certificate> - Type of Certificate
This specifies the certificate type. Valid values are the following:
  • server - creates and installs a self-signed digital certificate and intermediate certificates to be used for server authentication
  • root-ca - creates and installs a self-signed digital certificate to sign other certificates by acting as a certificate authority (CA)
  • client - includes a self-signed digital certificate and private key to be used for Data ONTAP as an SSL client
[-subtype <kmip-cert>] - (DEPRECATED)-Certificate Subtype
Note: This parameter has been deprecated in ONTAP 9.6 and may be removed in a future release of Data ONTAP.
This specifies a certificate subtype. This optional parameter can have an empty value (the default). The only valid value is as follows:
  • kmip-cert - this is a Key Management Interoperability Protocol (KMIP) certificate
[-cert-name <text>] - Unique Certificate Name
This specifies the system's internal identifier for the certificate. It must be unique within a Vserver. If not provided, it is automatically generated by the system.
-size <size of requested certificate in bits> - Size of Requested Certificate in Bits
This specifies the number of bits in the private key. The larger the value, the more secure is the key. The default is 2048. Possible values include 512, 1024, 1536, 2048 and 3072 when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true, the possible values are 2048 and 3072.
-country <text> - Country Name
This specifies the country where the Vserver resides. The country name is a two-letter code. The default is US. Here is the list of country codes: Country Codes
-state <text> - State or Province Name
This specifies the state or province where the Vserver resides.
-locality <text> - Locality Name
This specifies the locality where the Vserver resides. For example, the name of a city.
-organization <text> - Organization Name
This specifies the organization where the Vserver resides. For example, the name of a company.
-unit <text> - Organization Unit
This specifies the unit where the Vserver resides. For example, the name of a section or a department within a company.
-email-addr <mail address> - Contact Administrator's Email Address
This specifies the email address of the contact administrator for the Vserver.
-expire-days <integer> - Number of Days until Expiration
This specifies the number of days until the certificate expires. The default value is 365 days. Possible values are between 1 and 3652.
-protocol <protocol> - Protocol
This specifies the protocol type. This parameter currently supports only the SSL protocol type. The default is SSL.
-hash-function <hashing function> - Hashing Function
This specifies the cryptographic hashing function for signing the certificate. The default is SHA256. Possible values include SHA1, SHA256, MD5, SHA224, SHA384 and SHA512 when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true, the possible values are SHA224, SHA256, SHA384 and SHA512

Examples

This example creates a server type, self-signed digital certificate for a Vserver named vs0 at a company whose custom common name is www.example.com and whose Vserver name is vs0.

cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type server

This example creates a root-ca type, self-signed digital certificate with a 2048-bit private key generated by the SHA256 hashing function that will expire in 365 days for a Vserver named vs0 for use by the Software group in IT at a company whose custom common name is www.example.com, located in Sunnyvale, California, USA. The email address of the contact administrator who manages the Vserver is web@example.com.

cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type root-ca -size 2048 -country US -state California -locality Sunnyvale -organization IT -unit Software -email-addr web@example.com -expire-days 365 -hash-function SHA256 

This example creates a client type of self-signed digital certificate for a Vserver named vs0 at a company that uses Data ONTAP as an SSL client. The company's custom common name is www.example.com and its Vserver name is vs0.

cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type client -size 2048 -country US -state California -locality Sunnyvale -organization IT -unit Software -email-addr web@example.com -expire-days 365 -hash-function SHA256