Replace SSL certificates
All SSL certificates have an expiration date. You must update your certificates before they expire to prevent loss of access to authentication keys.
You must have obtained the replacement public certificate and private key for the cluster (KMIP client certificate).
You must have obtained the replacement public certificate for the KMIP server (KMIP server-ca certificate).
You must be a cluster or SVM administrator to perform this task.
You can install the replacement client and server certificates on the KMIP server before or after installing the certificates on the cluster.
Install the new KMIP server-ca certificate:
security certificate install -type server-ca -vserver <>`
Install the new KMIP client certificate:
security certificate install -type client -vserver <>
Update the key manager configuration to use the newly installed certificates:
security key-manager external modify -vserver <> -client-cert <> -server-ca-certs <>
Updating the key manager configuration to use the newly installed certificates will return an error if the public/private keys of the new client certificate are different from the keys previously installed. Contact NetApp support for instructions on how to override this error.