A digital certificate ensures that web communications are transmitted in encrypted form. It also ensures that information is sent privately and unaltered to only the specified server or from the authenticated client. Data ONTAP enables you to generate, install, and manage a self-signed or Certificate Authority (CA) signed digital certificate for server or client authentication.
The following facts apply to digital certificates (sometimes called public key certificates):
How you have a digital certificate signed depends on your security requirements and budget. You can obtain a self-signed digital certificate for free, but a digital certificate signed by a trusted CA can incur a considerable expense. A self-signed digital certificate is not as secure as a digital certificate signed by a CA, so it is not recommended in a production environment. A CA-signed digital certificate helps prevent man-in-the-middle attacks and provides better security protection than a self-signed digital certificate.
Private keys generated by Data ONTAP are 2048-bit by default. Data ONTAP also enables you to generate a 512-bit, 1024-bit, or 1536-bit private key; note that the larger the key size, the more secure the key is.
You can manage digital certificates in the following ways:
To obtain a self-signed digital certificate, you simply create one on the cluster or a Vserver. Data ONTAP automatically creates a self-signed digital certificate for server authentication of a Vserver when you create that Vserver.
To obtain a CA-signed digital certificate, you generate a digital certificate signing request (CSR), which contains a private key and information that identifies you as the applicant. You then send the CSR to a CA electronically to apply for a digital certificate. After the CA sends you the signed digital certificate, you install it with the associated private key on the cluster or Vserver.
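The following script is an added example, not part of the Data ONTAP documentation and not an ONTAP command: it uses the openssl command line to walk through the self-signed and CSR paths described above so you can inspect what each artifact actually contains. The file names, the working directory and the subject "vs1.example.com" are constructed for the demo. It shows that the CSR carries the public key (which is what the CA signs) and no private key material, that the key size recorded in the CSR is the one you chose when generating the key, and that a self-signed certificate is recognisable because its subject and issuer are identical.

```shell
#!/bin/sh
# Added example (not from the Data ONTAP documentation). Requires openssl.
# Demonstrates: key size selection, what a CSR contains, and how to spot a
# self-signed certificate. Paths and subject are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/csr-demo.$$"
trap 'rm -rf "$WORK"' EXIT

# Generate an RSA private key of the requested size and a CSR for it.
# The CSR is what you would send to the CA; the key never leaves the host.
make_key_and_csr() {
    bits="$1"
    mkdir -p "$WORK"
    openssl genrsa -out "$WORK/vs1.key" "$bits" 2>/dev/null
    openssl req -new -key "$WORK/vs1.key" -out "$WORK/vs1.csr" \
        -subj "/C=US/O=Example Corp/CN=vs1.example.com" 2>/dev/null
}

# Key size recorded in the CSR's public key (matches the size chosen above).
csr_key_bits() {
    openssl req -in "$WORK/vs1.csr" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# "match" when the public key inside the CSR is the one derived from the
# private key; a CA signs this public key, so the pair must correspond.
csr_matches_private_key() {
    csr_pub=$(openssl req -in "$WORK/vs1.csr" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$WORK/vs1.key" -pubout | openssl md5)
    [ "$csr_pub" = "$key_pub" ] && echo match || echo mismatch
}

# "no" confirms the CSR file contains no private key block to leak.
csr_has_private_key() {
    grep -q 'PRIVATE KEY' "$WORK/vs1.csr" && echo yes || echo no
}

# Produce a self-signed certificate from the CSR (the free path).
make_self_signed() {
    openssl x509 -req -in "$WORK/vs1.csr" -signkey "$WORK/vs1.key" \
        -days 365 -out "$WORK/vs1.crt" 2>/dev/null
}

# "yes" when subject and issuer are identical, i.e. nobody but the key
# holder vouches for the certificate; clients have no independent trust anchor.
is_self_signed() {
    subj=$(openssl x509 -in "$WORK/vs1.crt" -noout -subject)
    iss=$(openssl x509 -in "$WORK/vs1.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# Stand-alone walkthrough using the 2048-bit default mentioned in the text.
make_key_and_csr 2048
echo "CSR key size:            $(csr_key_bits) bit"
echo "CSR public key matches:  $(csr_matches_private_key)"
echo "CSR contains private key: $(csr_has_private_key)"
make_self_signed
echo "Certificate self-signed:  $(is_self_signed)"
```

Run it as-is to see the checks for a 2048-bit key; change the argument to make_key_and_csr to compare the smaller sizes the text lists. The same two inspections (key size in the CSR, subject versus issuer on the installed certificate) are useful when reviewing a certificate that a CA returns before installing it on the cluster or Vserver.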
Before reverting to a release earlier than Data ONTAP 8.2, all digital certificates except for the server type (security certificate show -type server) must be deleted. Otherwise, the revert procedure fails.
You use the security certificate commands to manage digital certificates. For information about these commands, see the man pages.