Release notes
Manage SSH public keys and X.509 certificates for an administrator account
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
For increased SSH authentication security with administrator accounts, you can use the security login publickey set of commands to manage the SSH public key and its association with X.509 certificates. Learn more about security login publickey in the ONTAP command reference.
Associate a public key and X.509 certificate with an administrator account
Beginning with ONTAP 9.13.1, you can associate an X.509 certificate with the public key that you associate with the administrator account. This gives you the added security of certificate expiration or revocation checks upon SSH login for that account.
If you authenticate an account over SSH with both an SSH public key and an X.509 certificate, ONTAP checks the validity of the X.509 certificate before authenticating with the SSH public key. SSH login will be refused if that certificate is expired or revoked, and the public key will be automatically disabled.
-
You must be a cluster or SVM administrator to perform this task.
-
You must have generated the SSH key.
-
If you only need the X.509 certificate to be checked for expiration, you can use a self-signed certificate.
-
If you need the X.509 certificate to be checked for expiration and revocation:
-
You must have received the certificate from a certificate authority (CA).
-
You must install the certificate chain (intermediate and root CA certificates) using
security certificate installcommands. Learn more aboutsecurity certificate installin the ONTAP command reference. -
You need to enable OCSP for SSH. Refer to Verify digital certificates are valid using OCSP for instructions.
-
-
Associate a public key and an X.509 certificate with an administrator account:
security login publickey create -vserver SVM_name -username user_name -index index -publickey certificate -x509-certificate installLearn more about
security login publickey createin the ONTAP command reference. -
Verify the change by viewing the public key:
security login publickey show -vserver SVM_name -username user_name -index indexLearn more about
security login publickey showin the ONTAP command reference.
The following command associates a public key and X.509 certificate with the SVM administrator account svmadmin2 for the SVM engData2. The public key is assigned index number 6.
cluster1::> security login publickey create -vserver engData2 -username svmadmin2 -index 6 -publickey "<key text>" -x509-certificate install Please enter Certificate: Press <Enter> when done <certificate text>
Remove the certificate association from the SSH public key for an administrator account
You can remove the current certificate association from the account's SSH public key, while retaining the public key.
You must be a cluster or SVM administrator to perform this task.
-
Remove the X.509 certificate association from an administrator account, and retain the existing SSH public key:
security login publickey modify -vserver SVM_name -username user_name -index index -x509-certificate deleteLearn more about
security login publickey modifyin the ONTAP command reference. -
Verify the change by viewing the public key:
security login publickey show -vserver SVM_name -username user_name -index index
The following command removes the X.509 certificate association from the SVM administrator account svmadmin2 for the SVM engData2 at index number 6.
cluster1::> security login publickey modify -vserver engData2 -username svmadmin2 -index 6 -x509-certificate delete
Remove the public key and certificate association from an administrator account
You can remove the current public key and certificate configuration from an account.
You must be a cluster or SVM administrator to perform this task.
-
Remove the public key and an X.509 certificate association from an administrator account:
security login publickey delete -vserver SVM_name -username user_name -index indexLearn more about
security login publickey deletein the ONTAP command reference. -
Verify the change by viewing the public key:
security login publickey show -vserver SVM_name -username user_name -index index
The following command removes a public key and X.509 certificate from the SVM administrator account svmadmin3 for the SVM engData3 at index number 7.
cluster1::> security login publickey delete -vserver engData3 -username svmadmin3 -index 7
