A digital certificate binds a public key to the identity of its owner, so that a client can verify that it is connecting to the intended server (or a server can verify the client) before an SSL/TLS session encrypts the traffic. Used this way, it ensures that information is sent privately and unaltered only to the specified server or from the authenticated client; the certificate itself does not encrypt anything, the session keys negotiated with it do. Data ONTAP enables you to generate, install, and manage a self-signed or Certificate Authority (CA) signed digital certificate for server or client authentication.
The following facts apply to digital certificates (sometimes called public key certificates):
Whether you use a self-signed or a CA-signed digital certificate depends on your security requirements and budget. A self-signed digital certificate costs nothing, but a digital certificate signed by a trusted CA can incur a considerable expense. A self-signed digital certificate is not as secure as one signed by a CA, because a client has no independent way to tell it apart from a certificate an attacker generated for the same name unless the client has been configured to trust that exact certificate. Therefore, it is not recommended in a production environment. A digital certificate signed by a CA that clients already trust lets them detect an impostor, which helps prevent man-in-the-middle attacks and provides better security protection than a self-signed digital certificate.
Private keys generated by Data ONTAP are 2048-bit by default. Data ONTAP also enables you to generate a 512-bit, 1024-bit, or 1536-bit private key. The longer the key, the more secure it is: 512-bit RSA keys can be factored with modest resources, 1024-bit RSA is deprecated, and many current TLS clients and public CAs reject keys shorter than 2048 bits, so keep the default unless a specific compatibility requirement forces a shorter key.
When the cluster or Storage Virtual Machine (SVM) functions as an SSL server, you can manage digital certificates in the following ways:
To obtain a self-signed digital certificate, you simply create one on the cluster or SVM. Data ONTAP automatically creates a self-signed digital certificate for server authentication of an SVM when you create that SVM.
To obtain a CA-signed digital certificate, you generate a digital certificate signing request (CSR). Generating the CSR also produces the matching private key; the CSR itself contains only the public key and information that identifies you as the applicant. You then send the CSR, never the private key, to a CA electronically to apply for a digital certificate. After the CA sends you the signed digital certificate, you install it with the associated private key on the cluster or SVM.
For mutual authentication, you create a self-signed root CA certificate for the server (the root-ca certificate type), generate a CSR for the client that is signed either by the server using its own root CA or by a third-party CA, and install the client certificate on the client.
If the CSR for the client is signed by a third-party CA, you also need to install the root certificate and each intermediate certificate of the CA that signed the certificate (the client-ca certificate type), so that the cluster or SVM can build a complete chain of trust when the client presents its certificate.
When the cluster or SVM functions as a client to an SSL server (which, for example, can be an Active Directory domain controller that supports LDAP over SSL), you can manage digital certificates in the following ways:
The root certificate is the certificate of the CA that signed the server's certificate. You obtain it from the server or its administrator, confirm its fingerprint out of band, and install it on the cluster or SVM (the server-ca certificate type) so that the cluster or SVM can authenticate the server.
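The following program is an added example, not code from the Data ONTAP documentation or product, that walks through the operations described above using only the Go standard library: creating a self-signed root CA (the root-ca role), generating a key pair and CSR (showing that the CSR carries only the public key), signing the CSR as the CA with a minimum-key-size check, and verifying the resulting certificate against a set of trusted roots. That last check is what the cluster does with its installed client-ca certificates for mutual authentication and with its server-ca certificates when it acts as an SSL client. The MinRSABits constant, the function names and names such as svm1-root-ca are this example's own assumptions; on ONTAP these steps are performed with the security certificate commands, not with this code.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the smallest RSA key this example's CA will sign (assumption
// chosen to match the Data ONTAP default key size of 2048 bits).
const MinRSABits = 2048

// newSerial returns a random 128-bit serial number; serials must be unique per CA.
func newSerial() *big.Int {
	s, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return s
}

// NewRootCA creates a self-signed root CA certificate (the root-ca role).
func NewRootCA(cn string, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCSR generates a key pair and a CSR for cn. Only the subject and the
// public key go into the CSR; the private key stays with the applicant.
func NewCSR(cn string, bits int) (*x509.CertificateRequest, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return csr, key, err
}

// SignCSR acts as the CA: it checks the CSR's self-signature (proof that the
// applicant holds the private key), refuses keys shorter than MinRSABits, and
// issues a one-year leaf certificate with the requested extended key usage.
func SignCSR(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *rsa.PrivateKey, eku x509.ExtKeyUsage) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("example handles RSA keys only")
	}
	if pub.N.BitLen() < MinRSABits {
		return nil, fmt.Errorf("RSA key is %d bits, below the %d-bit minimum", pub.N.BitLen(), MinRSABits)
	}
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify chains leaf to one of roots for the given usage: the check the cluster
// makes with installed client-ca certificates (mutual authentication) or
// server-ca certificates (cluster or SVM acting as an SSL client).
func Verify(leaf *x509.Certificate, roots []*x509.Certificate, eku x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}
```

Two failure modes worth exercising: a client certificate chained to a CA other than the one you installed does not verify (the same situation as installing the wrong server-ca root for an LDAP server), and a certificate issued for client authentication does not pass as a server certificate. When the issuing CA is a third party with intermediates, those intermediates go into x509.VerifyOptions.Intermediates, which parallels installing them as client-ca certificates on the cluster.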
Before reverting to a release earlier than Data ONTAP 8.2, you must delete all digital certificates except those of the server type (security certificate show -type server). Otherwise, the revert procedure fails.
You use the security certificate commands to manage digital certificates. For information about these commands, see the man pages.