
How to explicitly trust a private CA certificate in AltaVault

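Applies to

  • NetApp Cloud Backup (AltaVault)

Description

  • The private or public CA that signed the cloud provider's SSL certificate must have its public certificate present and trusted on AltaVault.
  • Otherwise, the system log shows CA certificate errors and replication fails.
  • AltaVault connects to the cloud provider over SSL. To trust the cloud provider's certificate, the signing certificate authority (CA) must be explicitly trusted.
  • To do this, AltaVault, like most appliances, uses a ca-bundle file, which is a concatenated list of public CA X.509 certificates.
  • If a customer uses private cloud storage with a certificate signed by an enterprise certificate authority, the public certificate of that private CA must be explicitly trusted before certificates it signs are accepted as valid.
  • To do this, the certificate can be appended to AltaVault's ca-bundle file.
  • In addition, a public CA's certificate may expire and be renewed, and the renewed certificate may not be reflected in the CA certificate bundle currently shipped with AltaVault.
  • If this happens, every certificate signed by that CA fails validation.

Examples of errors that can appear when a CA certificate cannot be validated against the trusted certificates: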

Peer certificate could not be authenticated with known CA certificates. You may proceed by disabling ssl certificate verification if you are sure about the authenticity of the server. Run "no replication ssl verify-certs" from the cli.

An error has occurred while replicating data to the cloud.

Altavault (config) # cloudctl exec "-a list"
Failed to get bucket list: 60: Peer certificate cannot be authenticated with given CA certificates : Peer certificate cannot be authenticated with known CA certificate
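The failure and the fix described above can be reproduced with OpenSSL on an administrator workstation. This is an added example, not NetApp's procedure or AltaVault CLI: it builds a throwaway PKI, shows that an endpoint certificate signed by a private CA fails verification against a bundle that lacks that CA, then appends the CA to the bundle (once, with a backup) so verification succeeds. All subjects, file names and function names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example. Subjects, file names and the throwaway PKI are constructed for the demo.

# Build a stand-in vendor bundle, a private "enterprise" CA, and an endpoint cert it signs.
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Public Root" \
        -keyout "$d/pub.key" -out "$d/ca-bundle.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Enterprise CA" \
        -keyout "$d/ca.key" -out "$d/private-ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=storage.example.internal" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/private-ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Print one SHA-256 fingerprint line per certificate in a concatenated PEM bundle.
bundle_fingerprints() {
    awk -v cmd="openssl x509 -noout -fingerprint -sha256" '
        /-----BEGIN CERTIFICATE-----/ { pem = "" }
        { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/   { printf "%s", pem | cmd; close(cmd) }' "$1"
}

# Succeeds only if certificate $2 chains to a CA present in bundle $1.
verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Append CA certificate $2 to bundle $1, keeping a backup; no-op if already present.
trust_ca() {
    local bundle="$1" ca="$2" fp
    fp=$(openssl x509 -in "$ca" -noout -fingerprint -sha256) || return 1
    bundle_fingerprints "$bundle" | grep -qxF "$fp" && return 0
    cp "$bundle" "$bundle.bak" && openssl x509 -in "$ca" >> "$bundle"
}

demo() {
    local d; d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { echo "openssl unavailable"; return 1; }
    verifies "$d/ca-bundle.pem" "$d/leaf.pem" && echo "before: trusted" || echo "before: NOT trusted"
    trust_ca "$d/ca-bundle.pem" "$d/private-ca.pem"
    verifies "$d/ca-bundle.pem" "$d/leaf.pem" && echo "after:  trusted" || echo "after:  NOT trusted"
    rm -rf "$d"
}
demo
```

Adding the signing CA keeps certificate verification enabled, unlike the "no replication ssl verify-certs" workaround the error text offers. Comparing the printed fingerprint with one obtained from the CA owner confirms that the right certificate was added.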

 

 
