
Installing a server certificate to authenticate the cluster or SVM as an SSL server

To enable the cluster or Storage Virtual Machine (SVM) to be authenticated as an SSL server, you install a digital certificate with the server type on the cluster or SVM. The certificate you install can be self signed or CA signed.

About this task

When the cluster or SVM is created, a self-signed server certificate is created automatically and uses the cluster or SVM name as the common name. The corresponding SSL server authentication is enabled and also uses the default common name for the cluster or SVM.

If you want the cluster or SVM to use a different common name or a CA-signed certificate for server authentication, you can create or install additional server certificates. You can also modify SSL configuration to use a server certificate that you specify.

Steps

  1. To create a self-signed digital certificate for server authentication, use the security certificate create command with the -type server parameter.
  2. To use a third-party CA-signed digital certificate for server authentication, complete the following steps:
    1. Generate a digital certificate signing request (CSR) by using the security certificate generate-csr command.
      The system displays the CSR output. The output includes a certificate request and a private key. You should keep a copy of the private key.
    2. Copy the certificate request from the CSR output and send it in an electronic form (such as email) to a trusted third-party CA for signing.
      After processing your request, the CA sends you the signed digital certificate. You should keep a copy of the private key and the CA-signed digital certificate.
    3. Install the third-party CA-signed digital certificate by using the security certificate install command with the -type server parameter.
    4. Enter the certificate and the private key when you are prompted, and then press Enter.
    5. When Data ONTAP asks you whether you want to install the CA root and intermediate certificates that form the certificate chain of the server certificate, enter Y.
    6. Enter any additional root or intermediate certificates when you are prompted, and then press Enter.
      You install the certificates of the CA to form a certificate chain of the server certificate. The chain starts with the certificate of the CA that issued the server certificate, and it can range up to the root certificate of the CA. Any missing intermediate certificates will result in the failure of server certificate installation.

      After the CA certificates are entered, the certificate chain is installed as server-chain along with the server certificate type.

  3. To use a self CA-signed digital certificate for server authentication (with the cluster or SVM being the signing CA), complete the following steps:
    1. Generate a CSR by using the security certificate generate-csr command.
      The system displays the CSR output. The output includes a certificate request and a private key. You should keep a copy of the private key.
    2. Create a self-signed root CA certificate for the cluster or SVM by using the security certificate create command with the -type root-ca parameter.
    3. Display the root CA certificate by using the security certificate show command with the -instance and -type root-ca parameters.
      You will need the following information from the command output for signing the CSR:
      • Certificate authority (CA)
      • Serial number of the certificate
    4. Sign the CSR with the root CA by using the security certificate sign command.
    5. When you are prompted, enter the CSR and then press Enter.
    6. Install the self CA-signed digital certificate by using the security certificate install command with the -type server parameter.
    7. Enter the certificate and the private key when you are prompted, and then press Enter.
    8. When Data ONTAP asks you whether you want to install the CA root and intermediate certificates that form the certificate chain of the server certificate, enter N.
  4. If you want to modify the SSL configuration to specify the certificate for server authentication, use the security ssl modify command with the -ca and the -serial parameters.
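
Because a missing intermediate certificate or a private key that does not belong to the certificate makes the installation in step 2 fail, it is worth checking both on an admin workstation before pasting anything into the Data ONTAP prompts. The following added example (not Data ONTAP code, and not from the product documentation) uses OpenSSL to do that; it builds a constructed throwaway PKI (demo root CA, intermediate CA, server certificate named server1.companyname.com) only so that the check has something to run against.

```shell
#!/bin/sh
# Added example: pre-check the material for 'security certificate install'
# with OpenSSL on a workstation. The root, intermediate and server
# certificates below are constructed test data, not a real CA.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Constructed PKI: Demo Root CA -> Demo Intermediate CA -> server cert
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj "/CN=Demo Root CA" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
openssl genrsa -out int.key 2048 2>/dev/null
openssl req -new -key int.key -subj "/CN=Demo Intermediate CA" -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.pem 2>/dev/null
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -subj "/CN=server1.companyname.com" -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -out server.pem 2>/dev/null

# check_chain CERT KEY ROOT [INTERMEDIATES]
# Succeeds only if KEY is the private key of CERT and CERT chains up to ROOT
# through the intermediate file, i.e. the certificates you would answer 'y'
# to enter at the "root and/or intermediate certificates" prompt.
check_chain() {
  cert=$1; key=$2; root=$3; inter=${4:-}
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match $cert" >&2; return 1
  fi
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1
  fi
}

# Complete chain passes; a missing intermediate or the wrong key fails,
# which is what the Data ONTAP installation would also reject.
if check_chain server.pem server.key root.pem int.pem; then echo "chain ok"; fi
if ! check_chain server.pem server.key root.pem; then echo "missing intermediate detected"; fi
if ! check_chain server.pem int.key root.pem int.pem; then echo "key mismatch detected"; fi
```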

Examples of installing a server certificate to authenticate the cluster or SVM as an SSL server

The following example creates a self-signed server certificate for the "vs1" SVM at a company whose custom common name is lab.companyname.com. The certificate is for authenticating the "vs1" SVM as an SSL server:

cluster1::> security certificate create -vserver vs1 -common-name lab.companyname.com -type server

The following command creates a CSR with a 2048-bit private key for use by the Software group in the IT department of a company whose custom common name is server1.companyname.com, located in Sunnyvale, California, USA. The email address of the contact administrator who manages the SVM is web@companyname.com. The system displays the CSR and the private key in the output:

cluster1::> security certificate generate-csr -common-name server1.companyname.com 
-size 2048 -country US -state CA -locality Sunnyvale 
-organization IT -unit Software -email-addr web@companyname.com

Certificate Signing Request: 
-----BEGIN CERTIFICATE REQUEST-----
MIICrjCCAZYCAQMwaTEQMA4GA1UEAxMHcnRwLmNvbTELMAkGA1UEBhMCVVMxCzAJ
BgNVBAgTAk5DMQwwCgYDVQQHEwNSVFAxDTALBgNVBAoTBGNvcmUxDTALBgNVBAsT
BGNvcmUxDzANBgkqhkiG9w0BCQEWADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
...
-----END CERTIFICATE REQUEST-----


Private Key:
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAMl6ytrK8nQj82UsWeHOeT8gk0BPX+Y5MLycsUdXA7hXhumHNpvF
C61X2G32Sx8VEa1th94tx+vOEzq+UaqHlt0CAwEAAQJBAMZjDWlgmlm3qIr/n8VT
PFnnZnbVcXVM7OtbUsgPKw+QCCh9dF1jmuQKeDr+wUMWknlDeGrfhILpzfJGHrLJ
...
-----END RSA PRIVATE KEY-----
 
Note: Please keep a copy of your private key and certificate request for future reference. 

The following command installs a CA-signed server certificate for the "vs1" SVM. The certificate is for authenticating the "vs1" SVM as an SSL server:

cluster1::> security certificate install -vserver vs1 -type server

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIB8TCCAZugAwIBAwIBADANBgkqhkiG9w0BAQQFADBfMRMwEQYDVQQDEwpuZXRh
cHAuY29tMQswCQYDVQQGEwJVUzEJMAcGA1UECBMAMQkwBwYDVQQHEwAxCTAHBgNV
BAoTADEJMAcGA1UECxMAMQ8wDQYJKoZIhvcNAQkBFgAwHhcNMTAwNDI2MTk0OTI4
...
-----END CERTIFICATE-----


Please enter Private Key: Press <Enter> when done
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAMl6ytrK8nQj82UsWeHOeT8gk0BPX+Y5MLycsUdXA7hXhumHNpvF
C61X2G32Sx8VEa1th94tx+vOEzq+UaqHlt0CAwEAAQJBAMZjDWlgmlm3qIr/n8VT
PFnnZnbVcXVM7OtbUsgPKw+QCCh9dF1jmuQKeDr+wUMWknlDeGrfhILpzfJGHrLJ
...
-----END RSA PRIVATE KEY-----


Please enter certificates of Certification Authorities (CA) which form the 
certificate chain of the server certificate. This starts with the issuing 
CA certificate of the server certificate and can range up to the root CA certificate.

Do you want to continue entering root and/or intermediate certificates {y|n}: y

Please enter Intermediate Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIE+zCCBGSgAwIBAgICAQ0wDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Zh
bGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIElu
Yy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24g
...
-----END CERTIFICATE-----


Do you want to continue entering root and/or intermediate certificates {y|n}: n

Note: You should keep a copy of your certificate and private key for future reference. 
If you revert to an earlier release, the certificate and private key are deleted.