Manage certificates with System Manager

Beginning with ONTAP 9.10.1, you can use System Manager to manage trusted certificate authorities, client/server certificates, and local (onboard) certificate authorities.

With System Manager, you can manage the certificates received from other applications so you can authenticate communications from those applications. You can also manage your own certificates that identify your system to other applications.

View certificate information

With System Manager, you can view trusted certificate authorities, client/server certificates, and local certificate authorities that are stored on the cluster.

Steps
  1. In System Manager, click Cluster > Settings.

  2. Scroll to the Security area.

    In the Certificates section, the following details are displayed:

    • The number of stored trusted certificate authorities.

    • The number of stored client/server certificates.

    • The number of stored local certificate authorities.

  3. Click any number to view details about a category of certificates, or click the right arrow icon to view the Certificates page, which contains information about all categories.

    The list displays the information for the entire cluster. If you want to display information for only a specific storage VM, perform the following steps:

    1. Click Storage > Storage VMs.

    2. Select the storage VM.

    3. View the Settings tab.

    4. Click a number shown in the Certificate section.

What to do next
  • From the Certificates page, you can Generate a certificate signing request.

  • The certificate information is separated into three tabs, one for each category. You can perform the following tasks from each tab:

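    • Trusted certificate authorities: Install (add) a trusted certificate authority; Delete a trusted certificate authority; Renew a trusted certificate authority.

    • Client/server certificates: Install (add) a client/server certificate; Generate (add) a self-signed client/server certificate; Delete a client/server certificate; Renew a client/server certificate.

    • Local certificate authorities: Create a new local certificate authority; Sign a certificate using a local certificate authority; Delete a local certificate authority; Renew a local certificate authority.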

Generate a certificate signing request

You can generate a certificate signing request (CSR) with System Manager from any tab of the Certificates page. A private key and a corresponding CSR are generated, which can be signed using a certificate authority to generate a public certificate.

Steps
  1. View the Certificates page. See View certificate information.

  2. Click +Generate CSR.

  3. Complete the information for the subject name:

    1. Enter a common name.

    2. Select a country.

    3. Enter an organization.

    4. Enter an organization unit.

  4. If you want to override defaults, select More Options and provide additional information.

Install (add) a trusted certificate authority

You can install additional trusted certificate authorities in System Manager.

Steps
  1. View the Trusted Certificate Authorities tab. See View certificate information.

  2. Click the add icon.

  3. On the Add Trusted Certificate Authority panel, perform the following:

    • Enter a name.

    • For the scope, select a storage VM.

    • Enter a common name.

    • Select a type.

    • Enter or import certificate details.

Delete a trusted certificate authority

With System Manager, you can delete a trusted certificate authority.

Note: You cannot delete trusted certificate authorities that were preinstalled with ONTAP.

Steps
  1. View the Trusted Certificate Authorities tab. See View certificate information.

  2. Click the name of the trusted certificate authority.

  3. Click the kebab icon next to the name, then click Delete.

Renew a trusted certificate authority

With System Manager, you can renew a trusted certificate authority that has expired or is about to expire.

Steps
  1. View the Trusted Certificate Authorities tab. See View certificate information.

  2. Click the name of the trusted certificate authority.

  3. Click the kebab icon next to the name, then click Renew.

Install (add) a client/server certificate

With System Manager, you can install additional client/server certificates.

Steps
  1. View the Client/Server Certificates tab. See View certificate information.

  2. Click the add icon.

  3. On the Add Client/Server Certificate panel, perform the following:

    • Enter a certificate name.

    • For the scope, select a storage VM.

    • Enter a common name.

    • Select a type.

    • Enter or import certificate details.

      You can type or paste the certificate details from a text file, or you can import the text from a certificate file by clicking Import.

    • Enter the private key.

      You can type or paste the private key from a text file, or you can import the text from a private key file by clicking Import.

Generate (add) a self-signed client/server certificate

With System Manager, you can generate additional self-signed client/server certificates.

Steps
  1. View the Client/Server Certificates tab. See View certificate information.

  2. Click +Generate Self-signed Certificate.

  3. On the Generate Self-Signed Certificate panel, perform the following:

    • Enter a certificate name.

    • For the scope, select a storage VM.

    • Enter a common name.

    • Select a type.

    • Select a hash function.

    • Select a key size.

    • Select a storage VM.

Delete a client/server certificate

With System Manager, you can delete client/server certificates.

Steps
  1. View the Client/Server Certificates tab. See View certificate information.

  2. Click the name of the client/server certificate.

  3. Click the kebab icon next to the name, then click Delete.

Renew a client/server certificate

With System Manager, you can renew a client/server certificate that has expired or is about to expire.

Steps
  1. View the Client/Server Certificates tab. See View certificate information.

  2. Click the name of the client/server certificate.

  3. Click the kebab icon next to the name, then click Renew.

Create a new local certificate authority

With System Manager, you can create a new local certificate authority.

Steps
  1. View the Local Certificate Authorities tab. See View certificate information.

  2. Click the add icon.

  3. On the Add Local Certificate Authority panel, perform the following:

    • Enter a name.

    • For the scope, select a storage VM.

    • Enter a common name.

  4. If you want to override defaults, select More Options and provide additional information.

Sign a certificate using a local certificate authority

In System Manager, you can use a local certificate authority to sign a certificate.

Steps
  1. View the Local Certificate Authorities tab. See View certificate information.

  2. Click the name of the local certificate authority.

  3. Click the kebab icon next to the name, then click Sign a certificate.

  4. Complete the Sign a Certificate Signing Request form.

    • You can either paste in the certificate signing content or import a certificate signing request file by clicking Import.

    • Specify the number of days for which the certificate will be valid.
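The CSR-to-signed-certificate flow from the Generate a certificate signing request and Sign a certificate using a local certificate authority procedures, reproduced on a workstation with openssl so each artifact can be checked before it is installed. This is an added example, not ONTAP or System Manager code; the subject values, file names and validity periods are constructed placeholders.

```bash
#!/bin/sh
# Added example, not ONTAP code. Subject values, file names and validity
# periods below are constructed placeholders.
set -eu
umask 077                          # keep generated private keys owner-only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_local_ca() {                  # self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example Org/CN=demo-local-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

make_csr() {                       # $1 = common name; writes key + CSR
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Org/OU=Storage/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

check_csr() {                      # CSR must be signed by its own private key
  openssl req -in "$WORK/server.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

sign_csr() {                       # $1 = validity in days
  openssl x509 -req -in "$WORK/server.csr" -sha256 -days "$1" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
}

verify_chain() {                   # signed certificate must chain to the CA
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

expires_within() {                 # $1 = days; succeeds if expiry falls inside
  ! openssl x509 -in "$WORK/server.pem" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

make_local_ca
make_csr "svm1.example.com"
check_csr
sign_csr 90
verify_chain
if expires_within 30; then echo "renew soon"; else echo "more than 30 days left"; fi
```

The `expires_within` check is the same test that decides whether a certificate is "about to expire" and needs the Renew action.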

Delete a local certificate authority

With System Manager, you can delete a local certificate authority.

Steps
  1. View the Local Certificate Authorities tab. See View certificate information.

  2. Click the name of the local certificate authority.

  3. Click the kebab icon next to the name, then click Delete.

Renew a local certificate authority

With System Manager, you can renew a local certificate authority that has expired or is about to expire.

Steps
  1. View the Local Certificate Authorities tab. See View certificate information.

  2. Click the name of the local certificate authority.

  3. Click the kebab icon next to the name, then click Renew.