Viewing default certificates for TLS-based applications

Beginning with ONTAP 9.2, ONTAP provides a default set of trusted root certificates for ONTAP applications using Transport Layer Security (TLS).

Before you begin

The default certificates are installed only on the admin SVM during its creation, or during an upgrade to ONTAP 9.2.

About this task

The current applications that act as a client and require certificate validation are AutoSupport, EMS, LDAP, Audit Logging, FabricPool, and KMIP.

When certificates expire, an EMS message is invoked that requests the user to delete the certificates. The default certificates can only be deleted at the advanced privilege level.

Note: Deleting the default certificates may result in some ONTAP applications not functioning as expected (for example, AutoSupport and Audit Logging).

Step

  1. You can view the default certificates that are installed on the admin SVM by using the security certificate show command: security certificate show –type server-ca.
    Example
    Cluster1::> security certificate show -type server-ca
Vserver   Serial Number     Common Name                 Type
--------- ----------------- --------------------------  --------
Cluster1  01                AAACertificateServices      server-ca
     Certificate Authority: AAA Certificate Services
           Expiration Date: Sun Dec 31 18:59:59 2028

Cluster1  570A119742C4E3    ActalisAuthenticationRootCA server-ca
     Certificate Authority: Actalis Authentication Root CA
           Expiration Date: Sun Sep 22 07:22:02 2030

Cluster1   01               AddTrustExternalCARoot      server-ca
     Certificate Authority: AddTrust External CA Root
           Expiration Date: Sat May 30 06:48:38 2020
Parent topic: Verifying the identity of remote servers using certificates
Copyright © 1994-2019, NetApp, Inc. All rights reserved.
Part number: 215-11148_2019-11_en-us
November 2019
Updated for ONTAP 9.7