
Installing a client certificate to authenticate the cluster or SVM as an SSL client

To enable an SSL server to authenticate the cluster or Storage Virtual Machine (SVM) as an SSL client, you install a digital certificate with the client type on the cluster or SVM. Then you provide the client-ca certificate to the SSL server administrator for installation on the server.

Before you begin

You must have already installed the root certificate of the SSL server on the cluster or SVM with the server-ca certificate type.

Steps

  1. To use a self-signed digital certificate for client authentication, use the security certificate create command with the -type client parameter.
  2. To use a CA-signed digital certificate for client authentication, complete the following steps:
    1. Generate a digital certificate signing request (CSR) by using the security certificate generate-csr command.
      Data ONTAP displays the CSR output, which includes a certificate request and private key, and reminds you to copy the output to a file for future reference.
    2. Send the certificate request from the CSR output in an electronic form (such as email) to a trusted CA for signing.
      After processing your request, the CA sends you the signed digital certificate. You should keep a copy of the private key and the CA-signed certificate for future reference.
    3. Install the CA-signed certificate by using the security certificate install command with the -type client parameter.
    4. Enter the certificate and the private key when you are prompted, and then press Enter.
    5. Enter any additional root or intermediate certificates when you are prompted, and then press Enter.
      You install an intermediate certificate on the cluster or SVM if a certificate chain that begins at the trusted root CA, and ends with the SSL certificate issued to you, is missing the intermediate certificates. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, goes through the intermediate, and ends with the SSL certificate issued to you.
  3. Provide the client-ca certificate of the cluster or SVM to the administrator of the SSL server for installation on the server.

    The security certificate show command with the -instance and -type client-ca parameters displays the client-ca certificate information.

Examples of installing a client certificate to authenticate the cluster or SVM as an SSL client

The following example creates a self-signed client certificate for the "vs1" SVM at a company whose custom common name is lab.companyname.com. The certificate is for authenticating the "vs1" SVM as an SSL client:

cluster1::> security certificate create -vserver vs1 -common-name lab.companyname.com -type client

The following command creates a CSR with a 2048-bit private key for use by the Software group in the IT department of a company whose custom common name is lab.companyname.com, located in Sunnyvale, California, USA. The email address of the contact administrator who manages the SVM is web@companyname.com. The system displays the CSR and the private key on the console:

cluster1::> security certificate generate-csr -common-name lab.companyname.com 
-size 2048 -country US -state CA -locality Sunnyvale -organization IT 
-unit Software -email-addr web@companyname.com

Certificate Signing Request: 
-----BEGIN CERTIFICATE REQUEST-----
MIICrjCCAZYCAQMwaTEQMA4GA1UEAxMHcnRwLmNvbTELMAkGA1UEBhMCVVMxCzAJ
BgNVBAgTAk5DMQwwCgYDVQQHEwNSVFAxDTALBgNVBAoTBGNvcmUxDTALBgNVBAsT
BGNvcmUxDzANBgkqhkiG9w0BCQEWADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
...
-----END CERTIFICATE REQUEST-----


Private Key:
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAMl6ytrK8nQj82UsWeHOeT8gk0BPX+Y5MLycsUdXA7hXhumHNpvF
C61X2G32Sx8VEa1th94tx+vOEzq+UaqHlt0CAwEAAQJBAMZjDWlgmlm3qIr/n8VT
PFnnZnbVcXVM7OtbUsgPKw+QCCh9dF1jmuQKeDr+wUMWknlDeGrfhILpzfJGHrLJ
...
-----END RSA PRIVATE KEY-----
 
Note: Please keep a copy of your private key and certificate request for future reference. 

The following command installs a CA-signed client certificate for the "vs1" SVM. The certificate is for authenticating the "vs1" SVM as an SSL client:

cluster1::> security certificate install -vserver vs1 -type client
 
Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIB8TCCAZugAwIBAwIBADANBgkqhkiG9w0BAQQFADBfMRMwEQYDVQQDEwpuZXRh
cHAuY29tMQswCQYDVQQGEwJVUzEJMAcGA1UECBMAMQkwBwYDVQQHEwAxCTAHBgNV
BAoTADEJMAcGA1UECxMAMQ8wDQYJKoZIhvcNAQkBFgAwHhcNMTAwNDI2MTk0OTI4
...
-----END CERTIFICATE-----


Please enter Private Key: Press <Enter> when done
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAMl6ytrK8nQj82UsWeHOeT8gk0BPX+Y5MLycsUdXA7hXhumHNpvF
C61X2G32Sx8VEa1th94tx+vOEzq+UaqHlt0CAwEAAQJBAMZjDWlgmlm3qIr/n8VT
PFnnZnbVcXVM7OtbUsgPKw+QCCh9dF1jmuQKeDr+wUMWknlDeGrfhILpzfJGHrLJ
...
-----END RSA PRIVATE KEY-----


Please enter certificates of Certification Authorities (CA) which form the 
certificate chain of the client certificate. This starts with the issuing 
CA certificate of the client certificate and can range up to the root CA certificate.

Do you want to continue entering root and/or intermediate certificates {y|n}: y

Please enter Intermediate Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIE+zCCBGSgAwIBAgICAQ0wDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Zh
bGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIElu
Yy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24g
...
-----END CERTIFICATE-----


Do you want to continue entering root and/or intermediate certificates {y|n}: n

Note: You should keep a copy of your certificate and private key for future reference. 
If you revert to an earlier release, the certificate and private key are deleted.
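
Before running security certificate install, you can confirm on an administrative workstation that the CA-signed certificate belongs to the private key from the CSR output and that the chain you plan to enter is complete. The following is an added example, not NetApp code: it assumes the openssl CLI, and the helper names (pubkey, cert_matches_key, chain_is_complete, make_test_pki) and the throwaway PKI it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: run on a workstation with the openssl CLI, not on ONTAP.
set -eu

# Print the public key held in a private key, CSR or certificate (PEM).
pubkey() {  # $1 = key|req|x509, $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    req)  openssl req  -in "$2" -noout -pubkey ;;
    x509) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

# True only if certificate $1 carries the public key of private key $2.
cert_matches_key() {
  cm_c=$(pubkey x509 "$1") && cm_k=$(pubkey key "$2") &&
    [ -n "$cm_c" ] && [ "$cm_c" = "$cm_k" ]
}

# True only if certificate $1 verifies up to root $2, optionally through
# the intermediate certificate(s) in file $3.
chain_is_complete() {
  openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1" >/dev/null 2>&1
}

# Constructed throwaway PKI in directory $1: root -> intermediate -> client.
# The client subject mirrors the generate-csr example on this page.
make_test_pki() (
  cd "$1"
  subj="/C=US/ST=CA/L=Sunnyvale/O=IT/OU=Software/CN=lab.companyname.com"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout root.key \
    -out root.pem -subj "/CN=Constructed Root CA"
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Constructed Intermediate CA"
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -days 2 -out int.pem
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "$subj/emailAddress=web@companyname.com"
  openssl x509 -req -in client.csr -CA int.pem -CAkey int.key \
    -CAcreateserial -days 2 -out client.pem
) >/dev/null 2>&1

dir=$(mktemp -d)
make_test_pki "$dir"
cert_matches_key "$dir/client.pem" "$dir/client.key" && echo "key: match"
chain_is_complete "$dir/client.pem" "$dir/root.pem" || echo "chain: incomplete without intermediate"
chain_is_complete "$dir/client.pem" "$dir/root.pem" "$dir/int.pem" && echo "chain: complete"
rm -rf "$dir"
```

A failed chain check without the intermediate file is the case in which the install prompt for intermediate certificates should be answered with y.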