
Installing a client CA or root CA certificate to authenticate an SSL client of the cluster or SVM

To enable the cluster or Storage Virtual Machine (SVM) to authenticate a client that wants to access it, you can install a digital certificate with the client-ca type on the cluster or SVM for the root certificate of the CA that signed the client's certificate signing request (CSR). You can also create a root CA certificate with the root-ca type on the cluster or SVM to self-sign the CSR for the client.

Before you begin

Enabling SSL client authentication requires that SSL server authentication be enabled (the default). The security ssl show command displays the configuration setting.

Steps

  1. If the cluster or SVM will be the CA that signs the client certificate, and a self-signed root CA certificate for the cluster or SVM does not yet exist, create one by using the security certificate create command with the -type root-ca parameter.
    Example
    The following command creates a root CA certificate for the "vs1" SVM whose custom common name is lab.companyname.com:
    cluster1::> security certificate create -vserver vs1 -common-name lab.companyname.com -type root-ca
  2. Enable SSL client authentication on the cluster or SVM by using the security ssl modify command with the -client-enabled parameter set to true.
  3. Generate a CSR for the client you want to authenticate by using the security certificate generate-csr command.
    Example
    The following command generates a CSR for a client whose custom common name is vs1admin:
    cluster1::> security certificate generate-csr -common-name vs1admin
    
    Certificate Signing Request :
    -----BEGIN CERTIFICATE REQUEST-----
    MIICojCCAYoCAQAwXTERMA8GA1UEAxMIdnMxYWRtaW4xCzAJBgNVBAYTAlVTMQkw
    BwYDVQQIEwAxCTAHBgNVBAcTADEJMAcGA1UEChMAMQkwBwYDVQQLEwAxDzANBgkq
    hkiG9w0BCQEWADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6ohdT5
    ...
    -----END CERTIFICATE REQUEST-----
    
    
    Private Key :
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAvqiF1PmYy1Vtmkf6I8+mRXOy/m+3m/O1sEjUILbopzTlTu92
    igqEzDY4W6q7KoRkcSa2x/Zn6IRlqxKrQbvUAJvAUDhcV7bn9NAzv9JE1j/6+0RY
    IVR6Hr6QnCRSsjlLDxBnV3uZu8WNghpbIL98QP4oxwFu7G0HQsOleO3HMazOFyvW
    ...
    -----END RSA PRIVATE KEY-----
    
    Note: Please keep a copy of your certificate request and private key for future reference.
    
    Data ONTAP displays the certificate request and private key and reminds you to copy them to a file for future reference.
  4. If you self-sign the CSR, complete the following steps:
    1. Display the root CA certificate you created in Step 1 by using the security certificate show command with the -instance and -type root-ca parameters.
      You will need the following information from the command output for signing the CSR:
      • Certificate authority (CA)
      • Serial number of the certificate
      Example
      cluster1::> security certificate show -instance -vserver vs1 -type root-ca
      
                                   Vserver: vs1
                FQDN or Custom Common Name: lab.companyname.com
              Serial Number of Certificate: 50F84392
                     Certificate Authority: lab.companyname.com
                       Type of Certificate: root-ca
       Size of Requested Certificate(bits): 2048
                    Certificate Start Date: Wed Jun 25 13:29:16 2014
               Certificate Expiration Date: Thu Jun 25 13:29:16 2015
                    Public Key Certificate: -----BEGIN CERTIFICATE-----
                                        MIID+zCCAuOgAwIBAgIEUPhDkjANBgkqhkiG9w0BAQsFADBbMQ8wDQYDVQQDEwZt
                                          .
                                          .
                                          .
      
    2. Sign the CSR with the root CA by using the security certificate sign command.
      The default format (-format) for the signed certificate is PEM. If you specify PKCS12 as the format, you can optionally specify, with the -destination parameter, the destination to which the signed certificate is uploaded.
    3. When you are prompted, enter the CSR and then press ENTER.
      Example
      cluster1::> security certificate sign -vserver vs1 -ca lab.companyname.com -ca-serial 50F84392
      
      Please enter Certificate Signing Request (CSR): Press <enter> when done
      
      -----BEGIN CERTIFICATE REQUEST-----
      MIICrTCCAZUCAQAwaDEcMBoGA1UEAxMTQ1NSLlNpZ25pbmdUZXN0LmNvbTELMAkG
      A1UEBhMCVVMxCTAHBgNVBAgTADEJMAcGA1UEBxMAMQkwBwYDVQQKEwAxCTAHBgNV
      BAsTADEPMA0GCSqGSIb3DQEJARYAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
      ...
      -----END CERTIFICATE REQUEST-----
      
      
      Signed Certificate: :
      -----BEGIN CERTIFICATE-----
      MIIDmzCCAoOgAwIBAgIEU9e2rzANBgkqhkiG9w0BAQsFADBoMRwwGgYDVQQDExNO
      ZXcuQ29tcGFueU5hbWUuY29tMQswCQYDVQQGEwJVUzEJMAcGA1UECBMAMQkwBwYD
      VQQHEwAxCTAHBgNVBAoTADEJMAcGA1UECxMAMQ8wDQYJKoZIhvcNAQkBFgAwHhcN
      ...
      -----END CERTIFICATE-----
      
      
      The signed certificate is displayed. You should keep a copy of the certificate.
  5. If you have a third-party CA sign the CSR, complete the following steps:
    1. Send the certificate request from the CSR output (Step 3) in an electronic form (such as email) to a trusted CA for signing.
      After processing your request, the CA sends you the signed digital certificate. You should keep a copy of the private key and the CA-signed certificate for future reference.
    2. On the cluster or SVM, install the root certificate and each intermediate certificate of the CA that signed the certificate by using the security certificate install command with the -type client-ca parameter.
      Example
      cluster1::> security certificate install -vserver vs1 -type client-ca
      
      
      Please enter Certificate: Press <Enter> when done
      -----BEGIN CERTIFICATE-----
      MIIDNjCCAp+gAwIBAgIQNhIilsXjOKUgodJfTNcJVDANBgkqhkiG9w0BAQUFADCB
      zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ
      Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE
      ...
      -----END CERTIFICATE-----
      
      You should keep a copy of the CA-signed digital certificate for future reference.
      
      
  6. Provide the self-signed or CA-signed certificate for the user to install on the client.
  7. Repeat Step 3 to Step 6 for each client you want to authenticate.
  8. If users are not set up to be authenticated by digital certificates, add users individually by using the security login create command with the -authmethod parameter set to cert.
    For cluster user accounts, digital certificate authentication is supported only with the http and ontapi access methods (-application). For SVM user accounts, digital certificate authentication is supported only with the ontapi access method.

    The security login show command displays user login methods.
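The procedure above as an added, off-box walk-through with openssl (example code, not NetApp's commands or output): it creates a self-signed root CA with the common name from Step 1, a CSR with the client common name from Step 3, signs it as in Step 4, and then performs the check worth doing before Step 6, namely that the resulting certificate chains to the CA whose root is installed as client-ca and carries the expected common name. The file names under the temporary directory and the second CA other.example are assumptions.

```shell
#!/bin/sh
# Added example, not NetApp's code: mirror the ONTAP certificate flow with openssl
# so the artifacts can be inspected and verified before they are given to a user.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1 equivalent: self-signed root CA ($1 = file name, $2 = custom common name).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Step 3 equivalent: CSR plus private key for the client whose common name is $1.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Subject a CSR asks for; check it before signing so you only issue the name you intend.
csr_subject() {
  openssl req -in "$WORK/$1.csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Step 4 equivalent: sign CSR $2 with root CA $1.
sign_csr() {
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$2.pem" 2>/dev/null
}

# Check before Step 6: certificate $2 must chain to root CA $1 (the client-ca the
# cluster trusts) and its subject must be exactly the expected client common name.
verify_client_cert() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$WORK/$2.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$subj" = "CN=$2" ]
}

make_root_ca svm-root lab.companyname.com
make_client_csr vs1admin
echo "CSR subject: $(csr_subject vs1admin)"
sign_csr svm-root vs1admin
verify_client_cert svm-root vs1admin && echo "vs1admin chains to the svm-root CA"
# A root the cluster does not trust must not validate the same certificate.
make_root_ca other-root other.example
verify_client_cert other-root vs1admin || echo "vs1admin does not chain to other-root"
```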