Install the self-signed root CA certificate on the SVM


If LDAP authentication with TLS is required when binding to LDAP servers, you must first install the self-signed root CA certificate on the SVM.

About this task

When LDAP over TLS is enabled, the ONTAP LDAP client on the SVM does not support revoked certificates in ONTAP 9.0 and 9.1.

Starting in ONTAP 9.2, all applications within ONTAP that use TLS communications can check digital certificate status using Online Certificate Status Protocol (OCSP). If OCSP is enabled for LDAP over TLS, revoked certificates are rejected and the connection fails.

  1. Install the self-signed root CA certificate:

    1. Begin the certificate installation: security certificate install -vserver vserver_name -type server-ca

      The console output displays the following message: Please enter Certificate: Press <Enter> when done

    2. Open the certificate .pem file with a text editor, copy the certificate, including the lines beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, and then paste the certificate after the command prompt.

    3. Verify that the certificate is displayed correctly.

    4. Complete the installation by pressing Enter.

  2. Verify that the certificate is installed: security certificate show -vserver vserver_name