Installing a CA-signed server certificate for the cluster

To enable an SSL server to authenticate the cluster or storage virtual machine (SVM) as an SSL client, you install a digital certificate with the client type on the cluster or SVM. Then you provide the client-ca certificate to the SSL server administrator for installation on the server.

Before you begin

You must have already installed the root certificate of the SSL server on the cluster or SVM with the server-ca certificate type.

Steps

  1. To use a self-signed digital certificate for client authentication, use the security certificate create command with the type client parameter.
  2. To use a CA-signed digital certificate for client authentication, complete the following steps:
    1. Generate a digital certificate signing request (CSR) by using the security certificate generate-csr command.
      ONTAP displays the CSR output, which includes a certificate request and private key, and reminds you to copy the output to a file for future reference.
    2. Send the certificate request from the CSR output in an electronic form (such as email) to a trusted CA for signing.
      You should keep a copy of the private key and the CA-signed certificate for future reference.
      After processing your request, the CA sends you the signed digital certificate.
    3. Install the CA-signed certificate by using the security certificate install command with the -type client parameter.
    4. Enter the certificate and the private key when you are prompted, and then press Enter.
    5. Enter any additional root or intermediate certificates when you are prompted, and then press Enter.
      You install an intermediate certificate on the cluster or SVM if a certificate chain that begins at the trusted root CA, and ends with the SSL certificate issued to you, is missing the intermediate certificates. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, goes through the intermediate certificate, and ends with the SSL certificate issued to you.
  3. Provide the client-ca certificate of the cluster or SVM to the administrator of the SSL server for installation on the server.
    The security certificate show command with the -instance and -type client-ca parameters displays the client-ca certificate information.