Generate and install a CA-signed server certificate overview
On production systems, it is a best practice to install a CA-signed digital certificate for use in authenticating the cluster or SVM as an SSL server. You can use the security certificate generate-csr command to generate a certificate signing request (CSR), and the security certificate install command to install the certificate you receive back from the certificate authority.
Generate a certificate signing request
You can use the security certificate generate-csr command to generate a certificate signing request (CSR). After processing your request, the certificate authority (CA) sends you the signed digital certificate.
You must be a cluster or SVM administrator to perform this task.
- Generate a CSR:

    security certificate generate-csr -common-name FQDN_or_common_name -size 512|1024|1536|2048 -country country -state state -locality locality -organization organization -unit unit -email-addr email_of_contact -hash-function SHA1|SHA256|MD5

The following command creates a CSR with a 2048-bit private key generated by the SHA256 hashing function for use by the Software group in the IT department of a company whose custom common name is server1.companyname.com, located in Sunnyvale, California, USA. The email address of the SVM contact administrator is web@example.com. The system displays the CSR and the private key in the output.

Example of creating a CSR

    cluster1::> security certificate generate-csr -common-name server1.companyname.com -size 2048 -country US -state California -locality Sunnyvale -organization IT -unit Software -email-addr web@example.com -hash-function SHA256

    Certificate Signing Request :
    -----BEGIN CERTIFICATE REQUEST-----
    <certificate_value>
    -----END CERTIFICATE REQUEST-----

    Private Key :
    -----BEGIN RSA PRIVATE KEY-----
    <key_value>
    -----END RSA PRIVATE KEY-----

    NOTE: Keep a copy of your certificate request and private key for future reference.
- Copy the certificate request from the CSR output, and send it in electronic form (such as email) to a trusted third-party CA for signing.
After processing your request, the CA sends you the signed digital certificate. You should keep a copy of the private key and the CA-signed digital certificate.
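The command syntax above accepts key sizes down to 512 bits and the MD5 and SHA1 hash functions. The following added example (not part of the original documentation or of ONTAP) audits a generate-csr command line, for instance from a runbook, before it is run; the 2048-bit minimum, the SHA256-only allow-list, and the function names are assumptions of this example.

```python
import shlex

# Assumed policy for this example (not taken from the ONTAP documentation):
# RSA keys of at least 2048 bits, and SHA256 as the only accepted hash.
MIN_KEY_BITS = 2048
ALLOWED_HASHES = {"SHA256"}

# The example command from this page, and a constructed weak variant.
PAGE_EXAMPLE = ("cluster1::> security certificate generate-csr "
                "-common-name server1.companyname.com -size 2048 -country US "
                "-state California -locality Sunnyvale -organization IT "
                "-unit Software -email-addr web@example.com -hash-function SHA256")
WEAK_EXAMPLE = ("security certificate generate-csr "
                "-common-name server1.companyname.com -size 1024 -hash-function SHA1")

def parse_generate_csr(command):
    """Return the options of a generate-csr command line as {name: value}."""
    tokens = shlex.split(command.split("::>", 1)[-1])  # drop any CLI prompt
    if tokens[:3] != ["security", "certificate", "generate-csr"]:
        raise ValueError("not a 'security certificate generate-csr' command")
    args, opts = tokens[3:], {}
    for i in range(0, len(args), 2):
        if not args[i].startswith("-") or i + 1 >= len(args):
            raise ValueError(f"malformed option near {args[i]!r}")
        opts[args[i].lstrip("-")] = args[i + 1]
    return opts

def audit_generate_csr(command):
    """Return policy findings; an empty list means the command passes."""
    opts = parse_generate_csr(command)
    findings = []
    if "common-name" not in opts:
        findings.append("-common-name is missing")
    size = opts.get("size")
    if size is None:
        findings.append("-size is not set explicitly")
    elif not size.isdigit() or int(size) < MIN_KEY_BITS:
        findings.append(f"-size {size} is below {MIN_KEY_BITS} bits")
    hash_fn = opts.get("hash-function")
    if hash_fn is None:
        findings.append("-hash-function is not set explicitly")
    elif hash_fn.upper() not in ALLOWED_HASHES:
        findings.append(f"-hash-function {hash_fn} is not an allowed hash")
    return findings

if __name__ == "__main__":
    for cmd in (PAGE_EXAMPLE, WEAK_EXAMPLE):
        print(audit_generate_csr(cmd) or "OK")
```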
Install a CA-signed server certificate
You can use the security certificate install command to install a CA-signed server certificate on an SVM. ONTAP prompts you for the certificate authority (CA) root and intermediate certificates that form the certificate chain of the server certificate.
You must be a cluster or SVM administrator to perform this task.
- Install a CA-signed server certificate:

    security certificate install -vserver SVM_name -type certificate_type

For complete command syntax, see the worksheet.

ONTAP prompts you for the CA root and intermediate certificates that form the certificate chain of the server certificate. The chain starts with the certificate of the CA that issued the server certificate, and can range up to the root certificate of the CA. Any missing intermediate certificates result in the failure of server certificate installation.

The following command installs the CA-signed server certificate and intermediate certificates on SVM engData2.

Example of installing a CA-signed server certificate and intermediate certificates

    cluster1::> security certificate install -vserver engData2 -type server

    Please enter Certificate: Press <Enter> when done
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----

    Please enter Private Key: Press <Enter> when done
    -----BEGIN RSA PRIVATE KEY-----
    <key_value>
    -----END RSA PRIVATE KEY-----

    Do you want to continue entering root and/or intermediate certificates {y|n}: y

    Please enter Intermediate Certificate: Press <Enter> when done
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----

    Do you want to continue entering root and/or intermediate certificates {y|n}: y

    Please enter Intermediate Certificate: Press <Enter> when done
    -----BEGIN CERTIFICATE-----
    <certificate_value>
    -----END CERTIFICATE-----

    Do you want to continue entering root and/or intermediate certificates {y|n}: n

    You should keep a copy of the private key and the CA-signed digital certificate for future reference.