Skip to main content

Generate a certificate signing request for the cluster in ONTAP

Contributors netapp-dbagwell netapp-aherbin netapp-aaron-holt netapp-barbe

You can use the security certificate generate-csr command to generate a certificate signing request (CSR). After processing your request, the certificate authority (CA) sends you the signed digital certificate.

Before you begin

You must be a cluster administrator or SVM administrator to perform this task.

Steps
  1. Generate a CSR:

    security certificate generate-csr -common-name FQDN_or_common_name -size 512|1024|1536|2048 -country country -state state -locality locality -organization organization -unit unit -email-addr email_of_contact -hash-function SHA1|SHA256|MD5

    Learn more about security certificate generate-csr in the ONTAP command reference.

    The following command creates a CSR with a 2,048-bit private key generated by the SHA256 hashing function for use by the Software group in the IT department of a company whose custom common name is server1.companyname.com, located in Sunnyvale, California, USA. The email address of the SVM contact administrator is web@example.com. The system displays the CSR and the private key in the output.

    cluster1::>security certificate generate-csr -common-name
    server1.companyname.com -size 2048 -country US -state California -
    locality Sunnyvale -organization IT -unit Software -email-addr
    web@example.com -hash-function SHA256
    Certificate Signing Request :
    -----BEGIN CERTIFICATE REQUEST-----
    <certificate_value>
    -----END CERTIFICATE REQUEST-----
    Private Key :
    24 | Administrator Authentication and RBAC
    -----BEGIN RSA PRIVATE KEY-----
    <key_value>
    -----END RSA PRIVATE KEY-----
    Note: Please keep a copy of your certificate request and private key
    for future reference.
  2. Copy the certificate request from the CSR output, and then send it in electronic form (such as email) to a trusted third-party CA for signing.

    After processing your request, the CA sends you the signed digital certificate. You should keep a copy of the private key and the CA-signed digital certificate.