Install a CA-signed server certificate for the cluster
To enable an SSL server to authenticate the cluster or storage virtual machine (SVM) as an SSL client, you install a digital certificate with the client type on the cluster or SVM. Then you provide the client-ca certificate to the SSL server administrator for installation on the server.
You must have already installed the root certificate of the SSL server on the cluster or SVM with the server-ca
certificate type.
-
To use a self-signed digital certificate for client authentication, use the
security certificate create
command with thetype client
parameter. -
To use a CA-signed digital certificate for client authentication, complete the following steps:
-
Generate a digital certificate signing request (CSR) by using the security certificate
generate-csr
command.ONTAP displays the CSR output, which includes a certificate request and private key, and reminds you to copy the output to a file for future reference.
-
Send the certificate request from the CSR output in an electronic form (such as email) to a trusted CA for signing.
You should keep a copy of the private key and the CA-signed certificate for future reference.
After processing your request, the CA sends you the signed digital certificate.
-
Install the CA-signed certificate by using the
security certificate install
command with the-type client
parameter. -
Enter the certificate and the private key when you are prompted, and then press Enter.
-
Enter any additional root or intermediate certificates when you are prompted, and then press Enter.
You install an intermediate certificate on the cluster or SVM if a certificate chain that begins at the trusted root CA, and ends with the SSL certificate issued to you, is missing the intermediate certificates. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, goes through the intermediate certificate, and ends with the SSL certificate issued to you.
-
-
Provide the
client-ca
certificate of the cluster or SVM to the administrator of the SSL server for installation on the server.The security certificate show command with the
-instance
and-type client-ca
parameters displays theclient-ca
certificate information.