Manage certificates with System Manager
Beginning with ONTAP 9.10.1, you can use System Manager to manage trusted certificate authorities, client/server certificates, and local (onboard) certificate authorities.
With System Manager, you can manage the certificates received from other applications so you can authenticate communications from those applications. You can also manage your own certificates that identify your system to other applications.
View certificate information
With System Manager, you can view trusted certificate authorities, client/server certificates, and local certificate authorities that are stored on the cluster.
-
In System Manager, select Cluster > Settings.
-
Scroll to the Security area.
In the Certificates section, the following details are displayed:-
The number of stored trusted certificate authorities.
-
The number of stored client/server certificates.
-
The number of stored local certificate authorities.
-
-
Select any number to view details about a category of certificates, or select to open the Certificates page, which contains information about all categories.
The list displays the information for the entire cluster. If you want to display information for only a specific storage VM, perform the following steps:-
Select Storage > Storage VMs.
-
Select the storage VM.
-
Switch to the Settings tab.
-
Select a number shown in the Certificate section.
-
-
From the Certificates page, you can Generate a certificate signing request.
-
The certificate information is separated into three tabs, one for each category. You can perform the following tasks from each tab:
On this tab… |
You can perform these procedures… |
---|---|
Trusted certificate authorities |
|
Client/server certificates |
|
Local certificate authorities |
Generate a certificate signing request
You can generate a certificate signing request (CSR) with System Manager from any tab of the Certificates page. A private key and a corresponding CSR are generated, which can be signed using a certificate authority to generate a public certificate.
-
View the Certificates page. See View certificate information.
-
Select +Generate CSR.
-
Complete the information for the subject name:
-
Enter a common name.
-
Select a country.
-
Enter an organization.
-
Enter an organization unit.
-
-
If you want to override defaults, select More Options and provide additional information.
Install (add) a trusted certificate authority
You can install additional trusted certificate authorities in System Manager.
-
View the Trusted Certificate Authorities tab. See View certificate information.
-
Select .
-
On the Add Trusted Certificate Authority panel, perform the following:
-
Enter a name.
-
For the scope, select a storage VM.
-
Enter a common name.
-
Select a type.
-
Enter or import certificate details.
-
Delete a trusted certificate authority
With System Manager, you can delete a trusted certificate authority.
You cannot delete trusted certificate authorities preinstalled with ONTAP. |
-
View the Trusted Certificate Authorities tab. See View certificate information.
-
Select the name of the trusted certificate authority.
-
Select next to the name, then select Delete.
Renew a trusted certificate authority
With System Manager, you can renew a trusted certificate authority that has expired or is about to expire.
-
View the Trusted Certificate Authorities tab. See View certificate information.
-
Select the name of the trusted certificate authority.
-
Select next to the certificate name then Renew.
Install (add) a client/server certificate
With System Manager, you can install additional client/server certificates.
-
View the Client/Server Certificates tab. See View certificate information.
-
Select .
-
On the Add Client/Server Certificate panel, perform the following:
-
Enter a certificate name.
-
For the scope, select a storage VM.
-
Enter a common name.
-
Select a type.
-
Enter or import certificate details.
You can either write in or copy and paste in the certificate details from a text file or you can import the text from a certificate file by clicking Import. -
Enter the private key.
You can either write in or copy and paste in the private key from a text file or you can import the text from a private key file by clicking Import.
-
Generate (add) a self-signed client/server certificate
With System Manager, you can generate additional self-signed client/server certificates.
-
View the Client/Server Certificates tab. See View certificate information.
-
Select +Generate Self-signed Certificate.
-
On the Generate Self-Signed Certificate panel, perform the following:
-
Enter a certificate name.
-
For the scope, select a storage VM.
-
Enter a common name.
-
Select a type.
-
Select a hash function.
-
Select a key size.
-
Select a storage VM.
-
Delete a client/server certificate
With System Manager, you can delete client/server certificates.
-
View the Client/Server Certificates tab. See View certificate information.
-
Select the name of the client/server certificate.
-
Select next to the name, then click Delete.
Renew a client/server certificate
With System Manager, you can renew a client/server certificate that has expired or is about to expire.
-
View the Client/Server Certificates tab. See View certificate information.
-
Select the name of the client/server certificate.
-
Select next to the name, then click Renew.
Create a new local certificate authority
With System Manager, you can create a new local certificate authority.
-
View the Local Certificate Authorities tab. See View certificate information.
-
Select .
-
On the Add Local Certificate Authority panel, perform the following:
-
Enter a name.
-
For the scope, select a storage VM.
-
Enter a common name.
-
-
If you want to override defaults, select More Options and provide additional information.
Sign a certificate using a local certificate authority
In System Manager, you can use a local certificate authority to sign a certificate.
-
View the Local Certificate Authorities tab. See View certificate information.
-
Select the name of the local certificate authority.
-
Select next to the name then Sign a certificate.
-
Complete the Sign a Certificate Signing Request form.
-
You can either paste in the certificate signing content or import a certificate signing request file by clicking Import.
-
Specify the number of days for which the certificate will be valid.
-
Delete a local certificate authority
With System Manager, you can delete a local certificate authority.
-
View the Local Certificate Authority tab. See View certificate information.
-
Select the name of the local certificate authority.
-
Select next to the name then Delete.
Renew a local certificate authority
With System Manager, you can renew a local certificate authority that has expired or is about to expire.
-
View the Local Certificate Authority tab. See View certificate information.
-
Select the name of the local certificate authority.
-
Select next to the name, then click Renew.