Verify the ONTAP Mediator code signature
NetApp recommends verifying the ONTAP Mediator code signature before installation. This step is optional.
Make sure your system meets these requirements before verifying the ONTAP Mediator code signature:

- openssl versions 1.0.2 to 3.0 for basic verification
- openssl version 1.1.0 or later for Time Stamping Authority (TSA) operations
- Public internet access for OCSP verification
The download package includes the following files:

| File | Description |
|---|---|
| ONTAP-Mediator-production.pub | The public key used to verify the signature |
| csc-prod-chain-ONTAP-Mediator.pem | The public certificate CA chain of trust |
| csc-prod-ONTAP-Mediator.pem | The certificate used to generate the key |
| ontap-mediator-1.11.0 | The product installation executable for version 1.11 |
| ontap-mediator-1.11.0.sig | The signature for the installer: SHA-256 hashed, then RSA-signed using the csc-prod key |
| | The revocation request for use by OCSP for the installer's signature |
| | The timestamp signing request file |
| tsa-prod-ONTAP-Mediator.pem | The public certificate for the TSR |
| tsa-prod-chain-ONTAP-Mediator.pem | The public certificate CA chain for the TSR |
Steps

1. Perform the revocation check on csc-prod-ONTAP-Mediator.pem by using Online Certificate Status Protocol (OCSP).

   a. Find the OCSP URL for the certificate. Developer certificates might not provide a URI:

      ```
      openssl x509 -noout -ocsp_uri -in csc-prod-chain-ONTAP-Mediator.pem
      ```

   b. Generate an OCSP request for the certificate:

      ```
      openssl ocsp -issuer csc-prod-chain-ONTAP-Mediator.pem -CAfile csc-prod-chain-ONTAP-Mediator.pem -cert csc-prod-ONTAP-Mediator.pem -reqout req.der
      ```

   c. Connect to the OCSP Manager to send the OCSP request (`${ocsp_uri}` is the URL found in step a):

      ```
      openssl ocsp -issuer csc-prod-chain-ONTAP-Mediator.pem -CAfile csc-prod-chain-ONTAP-Mediator.pem -cert csc-prod-ONTAP-Mediator.pem -url ${ocsp_uri} -resp_text -respout resp.der -verify_other csc-prod-chain-ONTAP-Mediator.pem
      ```

2. Verify the trust chain of the CSC and the expiration dates against the local host with `openssl verify`. The `openssl` version from the PATH must have a valid `cert.pem` (not self-signed); `${OPENSSLDIR}` is the directory reported by `openssl version -d`.

   ```
   openssl verify -untrusted csc-prod-chain-ONTAP-Mediator.pem -CApath ${OPENSSLDIR} csc-prod-ONTAP-Mediator.pem
   ```

   Failure action: the Code-Signature-Check certificate has expired or is invalid. Download a newer version of the ONTAP Mediator.

   ```
   openssl verify -untrusted tsa-prod-chain-ONTAP-Mediator.pem -CApath ${OPENSSLDIR} tsa-prod-ONTAP-Mediator.pem
   ```

   Failure action: the Time-Stamp certificate has expired or is invalid. Download a newer version of the ONTAP Mediator.

3. Verify the ontap-mediator-1.11.0.sig.tsr and ontap-mediator-1.11.0.tsr files using the associated certificates.

   OpenSSL 3.x:

   ```
   openssl ts -verify -data ontap-mediator-1.11.0.sig -in ontap-mediator-1.11.0.sig.tsr -CAfile tsa-prod-chain-ONTAP-Mediator.pem -untrusted tsa-prod-ONTAP-Mediator.pem
   ```

   OpenSSL 1.x:

   ```
   openssl ts -verify -data ontap-mediator-1.11.0 -in ontap-mediator-1.11.0.tsr -CAfile tsa-prod-chain-ONTAP-Mediator.pem -partial_chain
   ```

   The .tsr files contain the time stamp response associated with the installer and with the code signature. Processing confirms that the time stamp has a valid signature from the TSA and that your input file has not changed. Your machine performs the verification locally; you do not need to access TSA servers.

4. Verify the signature against the key with `openssl dgst -verify`:

   ```
   openssl dgst -sha256 -verify ONTAP-Mediator-production.pub -signature ontap-mediator-1.11.0.sig ontap-mediator-1.11.0
   ```
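As an added example (not NetApp's code), the following POSIX shell script exercises the final `openssl dgst -sha256 -verify` step against a throwaway RSA key pair and a constructed installer file, showing that the check passes on the untouched file and fails after a single appended byte. The key, file and directory names are constructed for the demo; only `openssl` on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not part of the NetApp page: demonstrate the signature check
# from step 4 with a locally generated key pair and a constructed installer.
set -u

# verify_sig PUBKEY SIGFILE DATAFILE
# Same invocation as step 4; returns 0 on "Verified OK", non-zero otherwise.
verify_sig() {
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Build a self-contained fixture: RSA key pair, "installer", detached signature.
demo_dir=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/demo.key" 2>/dev/null
openssl pkey -in "$demo_dir/demo.key" -pubout -out "$demo_dir/demo.pub" 2>/dev/null
printf 'constructed installer payload\n' > "$demo_dir/installer"
# The real package ships this file pre-signed; here we sign it ourselves.
openssl dgst -sha256 -sign "$demo_dir/demo.key" \
    -out "$demo_dir/installer.sig" "$demo_dir/installer"

# run_demo: verify the untouched file, then a copy with one extra byte.
# Returns 0 only if the first check passes and the second fails.
run_demo() {
    if verify_sig "$demo_dir/demo.pub" "$demo_dir/installer.sig" "$demo_dir/installer"; then
        echo "untouched installer: Verified OK"
    else
        echo "untouched installer: verification FAILED (unexpected)"
        return 1
    fi
    cp "$demo_dir/installer" "$demo_dir/installer.tampered"
    printf 'X' >> "$demo_dir/installer.tampered"
    if verify_sig "$demo_dir/demo.pub" "$demo_dir/installer.sig" "$demo_dir/installer.tampered"; then
        echo "tampered installer: verification passed (unexpected)"
        return 1
    fi
    echo "tampered installer: Verification Failure (as expected)"
}

run_demo
```

To apply the same function to the real package, call `verify_sig ONTAP-Mediator-production.pub ontap-mediator-1.11.0.sig ontap-mediator-1.11.0` and treat any non-zero exit status as a reason not to install.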