How to fix Netapp expired self-signed certificate by creating a new one
Symptom: You are using ONTAP 9x (your Netapp is fairly new, within the last 4-5 years. These instructions probably don’t apply to old Netapp devices)
Symptom: When you look at the diagnostic logs on your Netapp, you get a warning that the certificates are expiring or expired:
Event:
mgmtgwd.certificate.expiring: A digital certificate with Fully Qualified Domain Name (FQDN) ExampleNetappServer1, Serial Number 569848B0A5092, Certificate Authority ‘ExampleNetappServer1’ and type server for Vserver ExampleNetappServer1 will expire in the next 29 day(s).
Message Name:
mgmtgwd.certificate.expiring
Description:
This message occurs when a digital certificate for a Vserver is about to expire. Client-server communication will not be secure if the certificate expires.
Action:
Install a new digital certificate on the system using the ‘security certificate create’ or ‘security certificate install’ command.
Symptom: When you try to reach the website for your Netapp OnTAP, it won’t connect at all.
See the image above for what this looks like.
Symptom: You tried to create new certificates using security certificate create and now the website is broken.
Whoops. Never fear, keep reading, this article will help you.
DIFFERENT ISSUE — Third Party CAs are expiring
Just recently (June-July 2019), ONTAP users are getting errors that several certificates of type “server-ca” are expiring. These are NOT the certificates you use for your Netapp website and the fix steps in this article do not apply to them.
CA certificate names expiring on July 09, 2019:
- DeutscheTelekomRootCA2
- UTN-USERFirst-Hardware
- Class2PrimaryCA
See my other article about how to fix expiring third party certificates ( type = server-ca ) if this describes your situation.
Solution
How can I connect if the Netapp website is down?
Use a terminal emulator such as Putty. Connect using SSH port 22, to the IP of your Netapp Cluster.
When prompted, type your administrator username and password. admin is the default username and netapp!123 is the default password.
Disclaimer: I’m just someone who admins Netapp SAN for my job. You should review the official Netapp articles on this topic and use common sense before making changes. If you aren’t sure about anything, put in a case with Netapp to get help.
Reference: Netapp KB article that describes how to renew the certificate with ssl modify.
First, capture your current status.
Here are the commands you will run to see the current status of your certificates:
security certificate show
ssl show
Feel free to run these whenever needed, to see your status.
Run both commands now and screenshot or copy the results so you can reference them later.
Here is an example of a Netapp that has expired certificates for the cluster and the SVM:
Here is an example of a Netapp that has broken website ssl certificate:
.
Did you already delete your certificates and don’t know the names of your cluster and SVM?
Assuming you are connecting to your cluster, you should see the cluster name at the beginning of your command prompt.
If you press TAB while writing a command, Netapp will provide you possible answers. This can help you retrieve your Vserver list.
Type security certificate show -vserver [TAB]
Your command prompt will show you the possible answers. One should be your cluster, one should be your SVM(s).
Perform these steps to get rid of expired certificates, install new, and enable.
1. Delete old certificates:
Identify your variables:
-vserver = vserver name from the “security certificate show” command, such as ExampleNetappCluster1
-common-name = common name from the “security certificate show” command, such as ExampleNetappCluster1
-serial = serial number from the “security certificate show” command, such as 448293BA028
-type = type from the “security certificate show” command. Self-generated certificates are type server.
Run command for your cluster certificate: security certificate delete -vserver ExampleNetappCluster1 -serial ########## -type server -common-name ExampleNetappCluster1
When prompted, type Y to delete.
Run the command again for each SVM certificate: security certificate delete -vserver ExampleNetappSVM1 -serial ########## -type server -common-name ExampleNetappSVM1
When prompted, type Y to delete.
2. Create new self-signed certificates:
Run command for your new cluster certificate: security certificate create -vserver ExampleNetappCluster1 -common-name ExampleNetappCluster1 -type server -expire-days 999
You can change the expire-days per your security policy. The default is 365.
Run command for each new SVM certificate: security certificate create -vserver ExampleNetappSVM1 -common-name ExampleNetappSVM1 -type server -expire-days 999
3. Enable SSL with the new certificates:
Run command for your new cluster certificate: ssl modify -vserver ExampleNetappCluster1 -server-enabled true
Run command for each new SVM certificate: ssl modify -vserver ExampleNetappSVM1 -server-enabled true
4. At this point, your website should be back up!
Please leave comments if this worked for you, or tips if it didn’t.
If you need further reference, I found these Netapp articles helpful.
Reference: Netapp KB article that describes how to renew the certificate with ssl modify.
Selfish plug time (sorry!)
Thanks for reading this article! I hope it helps you! If you have tips or feedback, please comment or send me an email so that others can benefit.
I am a consultant in the Maryland/DC area in the USA. My specialties are Windows migrations (to 2016 and to Office 365 / Azure), VMware migrations, Netapp and SAN, and high availability / disaster recovery planning. If you would like help with your complex project, or would like a architectural review to improve your availability, please reach out! More information and contact can be found on the About page. – Amira Armond