
How to renew an ONTAP self-signed SSL certificate from the command line

Category: ontap-9
Specialty: core

Applies to

  • ONTAP 9
  • Self-signed certificates

Issue

  • This article describes the steps to renew a self-signed SSL certificate from the command line of an ONTAP 9 storage system.
  • If the certificate in use expires, FPolicy, Anti-Virus, System Manager, and other connections to port 443 (HTTPS) may fail.

In ONTAP 9.10.1 and later, System Manager can also be used to renew an expiring certificate. See How to renew an ONTAP self-signed certificate in the System Manager UI.

Procedure

Note: If an interruption of HTTPS service is a concern, perform this task during a maintenance window.

  1. Identify the expired or expiring server certificates:

::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server

Example

::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
vserver common-name serial           ca      type   subtype cert-name expiration
------- ----------- ---------------- ------- ------ ------- --------- ------------------------
clus1   affc190     16E3A53D8D90E881 affc190 server -       affc190   Fri Apr 07 10:59:32 2023
svm1    svm1_A      16FD6CBB01F4F813 svm1_A  server -       svm1_A    Fri Jun 30 14:35:51 2022
2 entries were displayed.

  2. Create a new self-signed certificate:

::> security certificate create -common-name <name> -type server -size 2048 -email-addr <email> -expire-days 365 -protocol SSL -hash-function SHA256 -vserver <svm name>

Example

::> security certificate create -common-name svm1_B -type server -size 2048 -email-addr "admin@nowhere.com" -expire-days 365 -protocol SSL -hash-function SHA256 -vserver svm1

The certificate's generated name for reference: svm1_B

  3. Identify the newly created certificate (the new entry carries the common name given in step 2 and a new serial number):

::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server

Example

::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
vserver common-name serial           ca      type   subtype cert-name expiration
------- ----------- ---------------- ------- ------ ------- --------- ------------------------
clus1   affc190     16E3A53D8D90E881 affc190 server -       affc190   Fri Apr 07 10:59:32 2023
svm1    svm1_A      16FD6CBB01F4F813 svm1_A  server -       svm1_A    Fri Jun 30 14:35:51 2022
svm1    svm1_B      16FD31BFCD1F353C svm1_B  server -       svm1_B    Fri Dec 16 14:35:51 2024
3 entries were displayed.

  4. Enable the new certificate for SSL, using the serial number found in step 3:

::> security ssl modify -server-enabled true -vserver <svm name> -ca <auth> -serial <serial>

Note: Only one server certificate can be enabled per SVM. This command sets server-enabled to false on the certificate that was previously enabled. Because the replacement is a new self-signed certificate with a new key, any client that explicitly trusted the old certificate (for example by fingerprint) has to be updated to trust the new one.

Example

::> security ssl modify -server-enabled true -vserver svm1 -ca svm1_B -serial 16FD31BFCD1F353C

Warning: The certificate svm1_B is a self-signed certificate, which offers no verification of identity
by client machines.  This presents the risk of man-in-the-middle attacks by malicious third-parties.
Do you want to continue? {y|n}: y

  5. Verify that the certificate is enabled for SSL:

::> security ssl show -common-name <common name>

Example

::> security ssl show -common-name svm1_B
          Serial                        Server  Client
Vserver   Number           Common Name  Enabled Enabled
--------- ---------------- ------------ ------- -------
svm1      16FD31BFCD1F353C svm1_B       true    false
    Certificate Authority: svm1_B

  6. Delete the expired certificate:

::> security certificate delete -type server -vserver <svm name> -common-name <common name> -ca <auth> -serial <serial>

Example

::> security certificate delete -type server -vserver svm1 -common-name svm1_A -ca svm1_A -serial 16FD6CBB01F4F813

Warning: Deleting a server certificate will also delete the corresponding server-chain certificate, if one exists.
Do you want to continue? {y|n}: y
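The triage in step 1 and the command construction in steps 2 and 6 can be scripted from the CLI output, which is useful when a cluster has many SVMs. The following Python example is added here and is not part of the NetApp article: it parses the `security certificate show` table (the embedded sample is constructed to mirror the article's step 3 output), flags server certificates that are already expired or expire within a chosen number of days, and prints the article's create and delete commands for each one. The function names, the `_new` suffix used for the replacement common name, the e-mail address and the pinned reference date are assumptions for the example; `security ssl modify` is deliberately not generated, because it needs the serial number ONTAP assigns to the new certificate, which is only known after step 3.

```python
"""Triage ONTAP server certificates from `security certificate show` output.

Added example, not from the NetApp article: parses the table printed in step 1,
flags server certificates that are expired or expiring, and emits the article's
step-2 (create) and step-6 (delete) commands for each. Sample input is constructed
to mirror the article's step-3 output.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample (assumption): the step-3 table with the new cert svm1_B present.
SAMPLE_OUTPUT = """\
vserver common-name serial           ca      type   subtype cert-name expiration
------- ----------- ---------------- ------- ------ ------- --------- ------------------------
clus1   affc190     16E3A53D8D90E881 affc190 server -       affc190   Fri Apr 07 10:59:32 2023
svm1    svm1_A      16FD6CBB01F4F813 svm1_A  server -       svm1_A    Fri Jun 30 14:35:51 2022
svm1    svm1_B      16FD31BFCD1F353C svm1_B  server -       svm1_B    Fri Dec 16 14:35:51 2024
3 entries were displayed.
"""

ONTAP_DATE = "%a %b %d %H:%M:%S %Y"  # format ONTAP prints in the expiration column


@dataclass(frozen=True)
class ServerCert:
    vserver: str
    common_name: str
    serial: str
    ca: str
    expiration: datetime


def parse_certificates(text: str) -> list[ServerCert]:
    """Parse the `security certificate show -fields ... -type server` table."""
    certs: list[ServerCert] = []
    for line in text.splitlines():
        line = line.strip()
        # Skip header, separator, trailer and blank lines; keep only data rows.
        if not line or line.startswith(("vserver", "---")) or line.endswith("displayed."):
            continue
        # Columns: vserver common-name serial ca type subtype cert-name expiration.
        # The expiration value itself contains spaces, so split at most 7 times.
        cols = line.split(None, 7)
        if len(cols) != 8 or cols[4] != "server":
            continue
        certs.append(ServerCert(
            vserver=cols[0], common_name=cols[1], serial=cols[2], ca=cols[3],
            expiration=datetime.strptime(cols[7], ONTAP_DATE),
        ))
    return certs


def needs_renewal(certs: list[ServerCert], now: datetime | str,
                  within_days: int = 30) -> list[ServerCert]:
    """Return certificates already expired or expiring within `within_days` of `now`.

    `now` may be a datetime or an ISO date string such as "2023-03-01".
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    deadline = now + timedelta(days=within_days)
    return [c for c in certs if c.expiration <= deadline]


def renewal_commands(cert: ServerCert, email: str, new_common_name: str,
                     expire_days: int = 365) -> dict[str, str]:
    """Build the article's step-2 (create) and step-6 (delete) commands for one cert.

    The `security ssl modify` step is not generated: it needs the serial of the
    *new* certificate, which ONTAP assigns at creation time.
    """
    create = (
        f"security certificate create -common-name {new_common_name} -type server "
        f"-size 2048 -email-addr \"{email}\" -expire-days {expire_days} "
        f"-protocol SSL -hash-function SHA256 -vserver {cert.vserver}"
    )
    delete = (
        f"security certificate delete -type server -vserver {cert.vserver} "
        f"-common-name {cert.common_name} -ca {cert.ca} -serial {cert.serial}"
    )
    return {"create": create, "delete": delete}


if __name__ == "__main__":
    # Pinned reference date (assumption) so the run is reproducible; use
    # datetime.now() against real output.
    now = datetime(2023, 3, 1)
    for c in needs_renewal(parse_certificates(SAMPLE_OUTPUT), now, within_days=60):
        state = "EXPIRED" if c.expiration <= now else "expires soon"
        print(f"{c.vserver}/{c.common_name} serial {c.serial}: {state} ({c.expiration:%Y-%m-%d})")
        # "_new" suffix is an assumption; pick whatever naming the site uses.
        for cmd in renewal_commands(c, "admin@nowhere.com", c.common_name + "_new").values():
            print("  ::> " + cmd)
```

Run with the sample and a 60-day window, affc190 (expires 2023-04-07) and svm1_A (expired in 2022) are flagged while svm1_B is not; with the default 30-day window only svm1_A is flagged. Feed real output by capturing the `security certificate show` command over SSH and passing the text to `parse_certificates`.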
