Install a CA certificate on a cluster for ONTAP S3
Using CA certificates creates a trusted relationship between client applications and the ONTAP S3 object store server. A CA certificate should be installed on ONTAP before using it as an object store that is accessible to remote clients.
Unless you plan to disable certificate checking for ONTAP S3, you must install a ONTAP S3 CA certificate on the cluster so that ONTAP can authenticate with ONTAP S3 as the object store for FabricPool.
Although ONTAP can generate self-signed certificates, using signed certificates from a third-party certificate authority is the recommended best practice.
-
Obtain the ONTAP S3 system's CA certificate.
-
Use the
security certificate install
command with the-type
server-ca
parameter to install the ONTAP S3 CA certificate on the cluster.The fully qualified domain name (FQDN) you enter must match the custom common name on the ONTAP S3 CA certificate.
Update an expired certificate
To update an expired certificate, the best practice is to use a trusted CA to generate the new server certificate. In addition, you should ensure that the certificate is updated on the ONTAP S3 server and on the ONTAP cluster at the same time to keep any downtime to a minimum.