Skip to main content

Replace SSL certificates

Contributors netapp-aoife netapp-ahibbard netapp-thomi netapp-aherbin

All SSL certificates have an expiration date. You must update your certificates before they expire to prevent loss of access to authentication keys.

Before you begin
  • You must have obtained the replacement public certificate and private key for the cluster (KMIP client certificate).

  • You must have obtained the replacement public certificate for the KMIP server (KMIP server-ca certificate).

  • You must be a cluster or SVM administrator to perform this task.

  • If you are replacing the KMIP SSL certificates in a MetroCluster environment, you must install the same replacement KMIP SSL certificate on both clusters.

Note You can install the replacement client and server certificates on the KMIP server before or after installing the certificates on the cluster.
Steps
  1. Install the new KMIP server-ca certificate:

    security certificate install -type server-ca -vserver <>

  2. Install the new KMIP client certificate:

    security certificate install -type client -vserver <>

  3. Update the key manager configuration to use the newly installed certificates:

    security key-manager external modify -vserver <> -client-cert <> -server-ca-certs <>

    If you are running ONTAP 9.6 or later in a MetroCluster environment, and you want to modify the key manager configuration on the admin SVM, you must run the command on both clusters in the configuration.

Note Updating the key manager configuration to use the newly installed certificates will return an error if the public/private keys of the new client certificate are different from the keys previously installed. See the Knowledge Base article The new client certificate public or private keys are different from the existing client certificate for instructions on how to override this error.