Skip to main content

security certificate create

Contributors
Suggest changes
PDFs

Create and Install a Self-Signed Digital Certificate

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The security certificate create command creates and installs a self-signed digital certificate, which can be used for server authentication, for signing other certificates by acting as a certificate authority (CA), or for Data ONTAP as an SSL client. The certificate function is selected by the -type field. Self-signed digital certificates are not as secure as certificates signed by a CA. Therefore, they are not recommended in a production environment.

Parameters

-vserver <Vserver Name> - Name of Vserver

This specifies the name of the Vserver on which the certificate will exist.

-common-name <FQDN or Custom Common Name> - FQDN or Custom Common Name

This specifies the desired certificate name as a fully qualified domain name (FQDN) or custom common name or the name of a person. The supported characters, which are a subset of the ASCII character set, are as follows:

  • Letters a through z, A through Z

  • Numbers 0 through 9

  • Asterisk (*), period (.), underscore (_) and hyphen (-)

The common name must not start or end with a "-" or a ".". The maximum length is 253 characters.

-type <type of certificate> - Type of Certificate

This specifies the certificate type. Valid values are the following:

  • server - creates and installs a self-signed digital certificate and intermediate certificates to be used for server authentication

  • root-ca - creates and installs a self-signed digital certificate to sign other certificates by acting as a certificate authority (CA)

  • client - includes a self-signed digital certificate and private key to be used for Data ONTAP as an SSL client

[-subtype <kmip-cert>] - (DEPRECATED)-Certificate Subtype
Note This parameter has been deprecated in ONTAP 9.6 and may be removed in a future release of Data ONTAP. 
This specifies a certificate subtype. This optional parameter can have an empty value (the default). The only valid value is as follows:

  • kmip-cert - this is a Key Management Interoperability Protocol (KMIP) certificate

[-cert-name <text>] - Unique Certificate Name

This specifies the system's internal identifier for the certificate. It must be unique within a Vserver. If not provided, it is automatically generated by the system.

-size <size of requested certificate in bits> - Size of Requested Certificate in Bits

This specifies the number of bits in the private key. The larger the value, the more secure is the key. The default is 2048. Possible values include 512 , 1024 , 1536 , 2048 and 3072 when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true, the possible values are 2048 and 3072 .

-country <text> - Country Name

This specifies the country where the Vserver resides. The country name is a two-letter code. The default is US. Here is the list of country codes:
Country Codes

-state <text> - State or Province Name

This specifies the state or province where the Vserver resides.

-locality <text> - Locality Name

This specifies the locality where the Vserver resides. For example, the name of a city.

-organization <text> - Organization Name

This specifies the organization where the Vserver resides. For example, the name of a company.

-unit <text> - Organization Unit

This specifies the unit where the Vserver resides. For example, the name of a section or a department within a company.

-email-addr <mail address> - Contact Administrator's Email Address

This specifies the email address of the contact administrator for the Vserver.

-expire-days <integer> - Number of Days until Expiration

This specifies the number of days until the certificate expires. The default value is 365 days. Possible values are between 1 and 3652 .

-protocol <protocol> - Protocol

This specifies the protocol type. This parameter currently supports only the SSL protocol type. The default is SSL.

-hash-function <hashing function> - Hashing Function

This specifies the cryptographic hashing function for signing the certificate. The default is SHA256. Possible values include SHA256 , SHA224 , SHA384 and SHA512 .

Examples

This example creates a server type, self-signed digital certificate for a Vserver named vs0 at a company whose custom common name is www.example.com and whose Vserver name is vs0.

cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type server

This example creates a root-ca type, self-signed digital certificate with a 2048-bit private key generated by the SHA256 hashing function that will expire in 365 days for a Vserver named vs0 for use by the Software group in IT at a company whose custom common name is www.example.com , located in Sunnyvale, California, USA. The email address of the contact administrator who manages the Vserver is web@example.com .

cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type root-ca -size 2048 -country US -state California -locality Sunnyvale -organization IT -unit Software -email-addr web@example.com -expire-days 365 -hash-function SHA256

This example creates a client type of self-signed digital certificate for a Vserver named vs0 at a company that uses Data ONTAP as an SSL client. The company's custom common name is www.example.com and its Vserver name is vs0.

cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type client -size 2048 -country US -state California -locality Sunnyvale -organization IT -unit Software -email-addr web@example.com -expire-days 365 -hash-function SHA256