How to renew an SSL certificate in ONTAP 9

Applies to

  • ONTAP 9
  • Admin certificates
  • SVM/Vserver certificates

Description

This article describes the procedure for renewing an SSL certificate on an ONTAP 9 storage system. The default certificate expires after 365 days. The same procedure applies to any other SSL certificate used by an SVM/Vserver.

Procedure

Disable SSL before deleting the expired certificate (otherwise the system will create two new certificates).

  1. Check the current certificate status. Enter advanced privilege mode:

    ClusterA-01::> set -privilege advanced

  2. Check the currently configured certificates:

    ClusterA-01::*> security certificate show
    Vserver     Serial Number   Common Name                            Type
    ----------- --------------- -------------------------------------- ------------
    ClusterA-01 054960C410898A  ClusterA-01                            server
        Certificate Authority: ClusterA-01
              Expiration Date: Sun Feb 25 20:33:58 2018
    svm1        054960C65A30AF  svm1                                   server
        Certificate Authority: svm1
              Expiration Date: Sun Feb 25 20:34:37 2018
    2 entries were displayed.

  3. Check the certificate currently used by SSL:

    ClusterA-01::> security ssl show
                Serial                                           Server  Client
    Vserver     Number          Common Name                      Enabled Enabled
    ----------- --------------- -------------------------------- ------- -------
    ClusterA-01 054960C410898A  ClusterA-01                      true    false
        Certificate Authority: ClusterA-01
    svm1        054960C65A30AF  svm1                             true    false
        Certificate Authority: svm1
    2 entries were displayed.

  4. To renew the certificate, delete the existing certificate and create a new one with a later expiration date. Before deleting it, review the details of the existing certificate; they supply the parameters you will need when creating the new one.
  5. Assuming the certificate to renew is the one used by the cluster with common name Common_name.cert, run:

    ClusterA-01::*> security certificate show -instance -vserver ClusterA-01 -common-name Common_name.cert
                                 Vserver: ClusterA-01
              FQDN or Custom Common Name: Common_name.cert
     Size of Requested Certificate(bits): 2048
                  Certificate Start Date: Tue Aug 27 08:37:29 2012
             Certificate Expiration Date: Wed Aug 27 08:37:29 2013
                  Public Key Certificate: -----BEGIN CERTIFICATE-----
                                          MIIDcjCCAlqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADBkMRgwFgYDVQQDEw9jbTIy
                                          NDRhLWNuLmNlcnQxCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEJ
                                          MAcGA1UEChMAMQkwBwYDVQQLEwAxDzANBgkqhkiG9w0BCQEWADAeFw0xMzA4Mjcw
                                          ODM3MjlaFw0xNDA4MjcwODM3MjlaMGQxGDAWBgNVBAMTD2NtMjI0NGEtY24uY2Vy
                                          dDELMAkGA1UEBhMCVVMxCTAHBgNVBAgTADEJMAcGA1UEBxMAMQkwBwYDVQQKEwAx
                                          CTAHBgNVBAsTADEPMA0GCSqGSIb3DQEJARYAMIIBIjANBgkqhkiG9w0BAQEFAAOC
                                          AQ8AMIIBCgKCAQEA3PEMyBt4AwKPekmsCmkhGJ9Z53BEZHlwK4ZmLrh2HFVAQIge
                                          I3dpBgMKKJFHuT3xihDzK3SOBDe6ntNUu4AKyaElIR7oluFIPjL5x6Dv0u6DIJZB
                                          FCjOT8BaSXoyfiDbhkYWtpaTD7WNLXCri/FOCZlCqM/IDUC26I5zyXGsS/tlR7cD
                                          xehm1dgyhO+W4RBT9pe0PiK6tOAWHBgtUlmsT8Lw6snmc04XkDG9t4ngaPTjh8CI
                                          m59DzRDeiavCDIzpph66PxvJMW4AQ8DbX+MitIotnXCS/N9cDMZBESw0okvsKtaD
                                          6QHa6e9hzY2iF8u0D6Sz9aeFPaeB6UWSXMPEFwIDAQABoy8wLTAMBgNVHRMBAf8E
                                          AjAAMB0GA1UdDgQWBBQLzWaEqrJPDdABSfUpqYXr/RG3MTANBgkqhkiG9w0BAQsF
                                          AAOCAQEABsbfubJz9rmvJ6CFk5oxx+xNuM03yWu2MOlBe7rJJZh5K9SsXFChrRsD
                                          cKriJxXbWZ7VrImwqsvvBb/7f/zD7VW13/ZHVdIevoPsWwdx9oFQbiUQ2JlvNkoq
                                          j+o/cff7G142GqlP9DNxACUtLKB5+t+LCRGSqHGaQusAMsYQTMri3ktricxnaNKC
                                          xIdnFoGb1HgvqpVPkBabQst8HDv0lJ3DIDUwMIjOFDhpO47nyUaGbO+COgXT4f1g
                                          eeM4HbkoMPSK88uK0mvQcJ83R1953tkiFvpqnwbbmIfpWJ3YQ9ENAin4BnJk2Sum
                                          hiUKSYG+1E2p1gLF3yblxUf3/zKRaw==
                                          -----END CERTIFICATE-----
            Country Name (2 letter code): US
      State or Province Name (full name):
               Locality Name (e.g. city):
        Organization Name (e.g. company):
        Organization Unit (e.g. section):
            Email Address (Contact Name):
                   Certificate Authority: Self-Signed
                                Protocol: SSL
                         Type of Service: server
                        Hashing Function: SHA256

  6. Delete the expired certificate:

    ClusterA-01::> security certificate delete -common-name Common_name.cert -ca Common_name.cert -type server -vserver ClusterA-01 -serial 5514941E

    Warning: Deleting a server certificate will also delete the corresponding
    server-chain certificate, if one exists.
    Do you want to continue? {y|n}:

    Important: once the certificate is deleted, the SSL service is disabled.

    ClusterA-01::*> ssl show
      (security ssl show)
    Vserver        Enabled SSL Certificate Name
    -------------- ------- -------------------------
    cifs           true    cifs.cert
    cifs_vs        true    13.cert.1377240681
    ClusterA-01    false   -
    svm01          true    svm1.cert
    svm2           true    svm2.cert


  7. Create a new certificate with a longer validity period:

    ClusterA-01::> security certificate create -vserver ClusterA-01 -common-name Common_name.cert -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256

  8. Check the newly created certificate:

    ClusterA-01::*> security certificate show -instance -vserver ClusterA-01 -common-name Common_name.cert
                                 Vserver: ClusterA-01

          FQDN or Custom Common Name: Common_name.cert
 Size of Requested Certificate(bits): 2048
              Certificate Start Date: Mon Sep 02 21:10:05 2013
         Certificate Expiration Date: Thu Aug 31 21:10:05 2023
              Public Key Certificate: -----BEGIN CERTIFICATE-----
                                      MIIDcjCCAlqgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBkMRgwFgYDVQQDEw9jbTIy
                                      NDRhLWNuLmNlcnQxCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEJ
                                      MAcGA1UEChMAMQkwBwYDVQQLEwAxDzANBgkqhkiG9w0BCQEWADAeFw0xMzA5MDIy
                                     MTEwMDVaFw0yMzA4MzEyMTEwMDVaMGQxGDAWBgNVBAMTD2NtMjI0NGEtY24uY2Vy
                                      dDELMAkGA1UEBhMCVVMxCTAHBgNVBAgTADEJMAcGA1UEBxMAMQkwBwYDVQQKEwAx
                                      CTAHBgNVBAsTADEPMA0GCSqGSIb3DQEJARYAMIIBIjANBgkqhkiG9w0BAQEFAAOC
                                      AQ8AMIIBCgKCAQEAsOYe1W/1nE/H1q7QeZWrqlghBLrUy49i0eYVu7h/5RspH3iZ
                                      nxEOG7aKu0B1RYjc8VlFcDa9OhlzBD7cePjsAyrGUZPyJNsRXJkigBTcGsWNdetw
                                     UeU3ZHKQJ7Gl/n02ku/tjT+GW7hXs0McsvQ3snWfVnDS6XvCJtE5IWkY3Vm2vYia
                                      l0YSYNGQ3UDlUV1zor9bUK5ZLpitHdP26nZWmGiI7nK/vN3SkH+D69i+LeBGGyK/
                                      XmfA2/c2IKVUpaqDlhtOUrZmravr4/M8vy+Ah5pHD0qcdVq4FBJ5GsdIPWU8QalA
                                      JZT1MFWUklqLlpXM0yeLI2DR+8FtEC9hkeiURQIDAQABoy8wLTAMBgNVHRMBAf8E
                                      AjAAMB0GA1UdDgQWBBRELU34ycRP2gtYLTnISM+QOjILUzANBgkqhkiG9w0BAQsF
                                      AAOCAQEAVqDFm7Nje2YbSiq+x26/aj9qPnGrByF+yLdn0SF1VevJvahEM46yCFsF
                                      Wk62KxGCWEoRBwsAxZMlp7SnEiU8o+nhhB9nLBhQgE0cHavCezy2t/rugqjWC/b5
                                      eBKFjbH6pXP+Sjo3jEQktgRWd9fBVH/d+YsapU73K/IypgZuKrnSqobSk/SM7dPc
                                      J/qEDYI3GgUDfcML4arGYnRoDl87mD6UpEm9CR/ldOe/Qie1yLtKkHJIR9oc0+XD
                                      zrU7eM9riy44FsQM9oXcHgZ08G2E83r/6DyNyqGa5uSWzbCnKfxyHVrN3iVhLw7n
                                      CWPAB8Q25182e4eMLg8CrntOjyS0sQ==
                                      -----END CERTIFICATE-----
        Country Name (2 letter code): US
 State or Province Name (full name):
           Locality Name (e.g. city):
    Organization Name (e.g. company):
    Organization Unit (e.g. section):
        Email Address (Contact Name):
               Certificate Authority: Self-Signed
                            Protocol: SSL
                     Type of Service: server
                    Hashing Function: SHA256
  9. Even after the new certificate is created, the SSL service remains disabled and no service can be reached over HTTPS:

    ClusterA-01::> ssl show
      (security ssl show)
                   Serial                          Server  Client
    Vserver        Number   Common Name            Enabled Enabled
    -------------- -------- ---------------------- ------- -------
    SCVserver      5527B24F SCVserver.cert         false   false
        Certificate Authority: SCVserver.cert
    SRA            552BA58D SRA.cert               true    false
        Certificate Authority: SRA.cert
    ClusterA-01    55348AB0 ClusterA-01            true    false
        Certificate Authority: ClusterA-01
    ClusterA-01    54F7D5D8 ClusterA-01.cert       true    false
        Certificate Authority: cm6240c-rtp2-cluster.cert
    ClusterA-01-01 54F7D5D7 ClusterA-01-01.cert    true    false
        Certificate Authority: cm6240c-rtp2-cluster-01.cert
    ClusterA-01-02 54F7D870 ClusterA-01-02.cert    true    false
        Certificate Authority: cm6240c-rtp2-cluster-02.cert

 10. Enable SSL after creating the new certificate:

    ClusterA-01::> ssl modify -vserver ClusterA-01 -server-enabled true
      (security ssl modify)

    Note: if you are enabling SSL on a manually created certificate whose name differs from the Vserver name, the command must identify that certificate explicitly:

    security ssl modify -vserver <vserver_name> -server-enabled true -ca <certificate_authority> -client-enabled false -serial <serial_number> -common-name <common_name>

    For example:

    ClusterA-01::*> security ssl modify -vserver test_cert -server-enabled true -ca test_cert -client-enabled false -serial 535371EBE64C3 -common-name test_cert

    Warning: The certificate Common_name.cert is a self-signed certificate, which offers no verification of identity by client machines. This presents the risk of man-in-the-middle attacks by malicious third-parties.
    Do you want to continue? {y|n}: y

 11. Verify that the SSL service is enabled:

    ClusterA-01::> ssl show
      (security ssl show)
                   Serial                          Server  Client
    Vserver        Number   Common Name            Enabled Enabled
    -------------- -------- ---------------------- ------- -------
    SCVserver      5527B24F SCVserver.cert         true    false
        Certificate Authority: SCVserver.cert
    SRA            552BA58D SRA.cert               true    false
        Certificate Authority: SRA.cert
    ClusterA-01    55348AB0 ClusterA-01            true    false
        Certificate Authority: ClusterA-01
    ClusterA-01    54F7D5D8 ClusterA-01.cert       true    false
        Certificate Authority: cm6240c-rtp2-cluster.cert
    ClusterA-01-01 54F7D5D7 ClusterA-01-01.cert    true    false
        Certificate Authority: cm6240c-rtp2-cluster-01.cert
    ClusterA-01-02 54F7D870 ClusterA-01-02.cert    true    false
        Certificate Authority: cm6240c-rtp2-cluster-02.cert
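Because the default certificate expires after 365 days and the renewal above must be done by hand, it helps to know in advance which certificates are about to lapse. The following Python script is an added example, not NetApp code: it parses the `security certificate show` listing from step 2 (the sample text is constructed from that listing) and reports certificates that are expired or expire within a chosen number of days.

```python
"""Parse `security certificate show` output and flag certificates that expire
soon. Added example for this article, not NetApp code; SAMPLE_OUTPUT is
constructed from the two-entry listing in step 2 of the procedure."""
import re
from datetime import datetime, timedelta

SAMPLE_OUTPUT = """\
Vserver     Serial Number   Common Name    Type
----------- --------------- -------------- ------------
ClusterA-01 054960C410898A  ClusterA-01    server
    Certificate Authority: ClusterA-01
          Expiration Date: Sun Feb 25 20:33:58 2018
svm1        054960C65A30AF  svm1           server
    Certificate Authority: svm1
          Expiration Date: Sun Feb 25 20:34:37 2018
2 entries were displayed.
"""

# An entry line is: vserver, hexadecimal serial, common name, type. The header,
# the dashed rule and "N entries were displayed." do not match because their
# second column is not hexadecimal.
ENTRY_RE = re.compile(r"^(\S+)\s+([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s*$")
ONTAP_DATE_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Sun Feb 25 20:33:58 2018"


def parse_ontap_date(text):
    """Convert the date string ONTAP prints into a datetime."""
    return datetime.strptime(text.strip(), ONTAP_DATE_FMT)


def parse_certificates(text):
    """Return one dict per certificate: vserver, serial, common_name, type,
    ca and expires (None when the entry carried no Expiration Date line)."""
    certs = []
    for line in text.splitlines():
        stripped = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            vserver, serial, cn, ctype = m.groups()
            certs.append({"vserver": vserver, "serial": serial, "common_name": cn,
                          "type": ctype, "ca": None, "expires": None})
        elif certs and stripped.startswith("Certificate Authority:"):
            certs[-1]["ca"] = stripped.split(":", 1)[1].strip()
        elif certs and stripped.startswith("Expiration Date:"):
            certs[-1]["expires"] = parse_ontap_date(stripped.split(":", 1)[1])
    return certs


def expiring_within(certs, days, now):
    """Certificates already expired or expiring within `days` of `now`."""
    limit = now + timedelta(days=days)
    return [c for c in certs if c["expires"] is not None and c["expires"] <= limit]
```

Feed it the real listing (for example, saved from an SSH session) and a current timestamp to get the certificates that need the renewal procedure above; the entries without an Expiration Date line are kept in the parsed list but never flagged.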