security certificate create
- PDF of this doc site
Collection of separate PDF docs
Creating your file...
Create and Install a Self-Signed Digital Certificate
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The security certificate create
command creates and installs a self-signed digital certificate, which can be used for server authentication, for signing other certificates by acting as a certificate authority (CA), or for Data ONTAP as an SSL client. The certificate function is selected by the -type field. Self-signed digital certificates are not as secure as certificates signed by a CA. Therefore, they are not recommended in a production environment.
Parameters
-vserver <Vserver Name>
- Name of Vserver-
This specifies the name of the Vserver on which the certificate will exist.
-common-name <FQDN or Custom Common Name>
- FQDN or Custom Common Name-
This specifies the desired certificate name as a fully qualified domain name (FQDN) or custom common name or the name of a person. The supported characters, which are a subset of the ASCII character set, are as follows:
-
Letters a through z, A through Z
-
Numbers 0 through 9
-
Asterisk (*), period (.), underscore (_) and hyphen (-)
The common name must not start or end with a "-" or a ".". The maximum length is 253 characters.
-
-type <type of certificate>
- Type of Certificate-
This specifies the certificate type. Valid values are the following:
-
server
- creates and installs a self-signed digital certificate and intermediate certificates to be used for server authentication -
root-ca
- creates and installs a self-signed digital certificate to sign other certificates by acting as a certificate authority (CA) -
client
- includes a self-signed digital certificate and private key to be used for Data ONTAP as an SSL client
-
[-subtype <kmip-cert>]
- Certificate Subtype-
This specifies a certificate subtype. This optional parameter can have an empty value (the default). The only valid value is as follows:
-
kmip-cert
- this is a Key Management Interoperability Protocol (KMIP) certificate
-
-size <size of requested certificate in bits>
- Size of Requested Certificate in Bits-
This specifies the number of bits in the private key. The larger the value, the more secure is the key. The default is 2048. Possible values include
512
,1024
,1536
,2048
and3072
when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true, the possible values are2048
and3072
. -country <text>
- Country Name-
This specifies the country where the Vserver resides. The country name is a two-letter code. The default is US. Here is the list of country codes:
Country Codes -state <text>
- State or Province Name-
This specifies the state or province where the Vserver resides.
-locality <text>
- Locality Name-
This specifies the locality where the Vserver resides. For example, the name of a city.
-organization <text>
- Organization Name-
This specifies the organization where the Vserver resides. For example, the name of a company.
-unit <text>
- Organization Unit-
This specifies the unit where the Vserver resides. For example, the name of a section or a department within a company.
-email-addr <mail address>
- Contact Administrator's Email Address-
This specifies the email address of the contact administrator for the Vserver.
-expire-days <integer>
- Number of Days until Expiration-
This specifies the number of days until the certificate expires. The default value is 365 days. Possible values are between
1
and3652
. -protocol <protocol>
- Protocol-
This specifies the protocol type. This parameter currently supports only the SSL protocol type. The default is SSL.
-hash-function <hashing function>
- Hashing Function-
This specifies the cryptographic hashing function for signing the certificate. The default is SHA256. Possible values include
SHA1
,SHA256
,MD5
,SHA224
,SHA384
andSHA512
when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true, the possible values areSHA224
,SHA256
,SHA384
andSHA512
Examples
This example creates a server type, self-signed digital certificate for a Vserver named vs0 at a company whose custom common name is www.example.com
and whose Vserver name is vs0.
cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type server
This example creates a root-ca type, self-signed digital certificate with a 2048-bit private key generated by the SHA256 hashing function that will expire in 365 days for a Vserver named vs0 for use by the Software group in IT at a company whose custom common name is www.example.com
, located in Sunnyvale, California, USA. The email address of the contact administrator who manages the Vserver is web@example.com
.
cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type root-ca -size 2048 -country US -state California -locality Sunnyvale -organization IT -unit Software -email-addr web@example.com -expire-days 365 -hash-function SHA256
This example creates a client type of self-signed digital certificate for a Vserver named vs0 at a company that uses Data ONTAP as an SSL client. The company's custom common name is www.example.com
and its Vserver name is vs0.
cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type client -size 2048 -country US -state California -locality Sunnyvale -organization IT -unit Software -email-addr web@example.com -expire-days 365 -hash-function SHA256