Replace SSL certificates

Contributors

All SSL certificates have an expiration date. You must update your certificates before they expire to prevent loss of access to authentication keys.

What you’ll need
  • You must have obtained the replacement public certificate and private key for the cluster (KMIP client certificate).

  • You must have obtained the replacement public certificate for the KMIP server (KMIP server-ca certificate).

  • You must be a cluster or SVM administrator to perform this task.

Note

You can install the replacement client and server certificates on the KMIP server before or after installing the certificates on the cluster.

Steps
  1. Install the new KMIP server-ca certificate:

    security certificate install -type server-ca -vserver <>`

  2. Install the new KMIP client certificate:

    security certificate install -type client -vserver <>

  3. Update the key manager configuration to use the newly installed certificates:

    security key-manager external modify -vserver <> -client-cert <> -server-ca-certs <>

    Note

    Updating the key manager configuration to use the newly installed certificates will return an error if the public/private keys of the new client certificate are different from the keys previously installed. Contact NetApp support for instructions on how to override this error.