Skip to main content

Install a CA certificate on a cluster for ONTAP S3

Contributors netapp-lenida netapp-aherbin johnlantz netapp-ahibbard netapp-thomi
PDFs

Using CA certificates creates a trusted relationship between client applications and the ONTAP S3 object store server. A CA certificate should be installed on ONTAP before using it as an object store that is accessible to remote clients.

Unless you plan to disable certificate checking for ONTAP S3, you must install a ONTAP S3 CA certificate on the cluster so that ONTAP can authenticate with ONTAP S3 as the object store for FabricPool.

Although ONTAP can generate self-signed certificates, using signed certificates from a third-party certificate authority is the recommended best practice.

Steps

  1. Obtain the ONTAP S3 system's CA certificate.

  2. Use the security certificate install command with the -type server-ca parameter to install the ONTAP S3 CA certificate on the cluster.

    The fully qualified domain name (FQDN) you enter must match the custom common name on the ONTAP S3 CA certificate.

Update an expired certificate

To update an expired certificate, the best practice is to use a trusted CA to generate the new server certificate. In addition, you should ensure that the certificate is updated on the ONTAP S3 server and on the ONTAP cluster at the same time to keep any downtime to a minimum.

You can use System Manager to renew an expired certificate on an ONTAP cluster.

Steps

  1. Navigate to Cluster > Settings.

  2. Scroll to the Security section, locate the Certificates pane, and click Arrow icon.

  3. In the Trusted certificate authorities tab, locate the name of the certificate you want to renew.

  4. Next to the certificate name click Menu options icon and select Renew.

  5. In the Renew trusted certificate authority window, copy and paste or import the certificate information into the Certificate details area.

  6. Click Renew.

Related information

S3 configuration