How to renew an ONTAP self-signed SSL certificate from the command line

Applies to
- ONTAP 9
- Self-signed certificates

Issue
- This article describes the steps to renew a self-signed SSL certificate from the command line of an ONTAP 9 storage system.
- If the certificate in use expires, FPolicy, Anti-Virus, System Manager, or other connections to port 443 (HTTPS) may fail.

In ONTAP 9.10.1 and later, System Manager can also be used to renew a certificate that is about to expire. See: How to renew an ONTAP self-signed certificate in the System Manager user interface.

Procedure

Note: If an interruption of the HTTPS service is a concern, perform this task during a maintenance window.
- Identify the server certificate that has expired or is about to expire:
    ::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server

  Example:
    ::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
    vserver common-name serial ca type subtype cert-name expiration
    ------- ----------- ---------------- -------- ------ ------- --------- ------------------------
    clus1 affc190 16E3A53D8D90E881 affc190 server - affc190 Fri Apr 07 10:59:32 2023
    svm1 svm1_A 16FD6CBB01F4F813 svm1_A server - svm1_A Fri Jun 30 14:35:51 2022
    2 entries were displayed.
- Create a new self-signed certificate:
    ::> security certificate create -common-name <name> -type server -size 2048 -email-addr <email> -expire-days 365 -protocol SSL -hash-function SHA256 -vserver <svm name>

  Example:
    ::> security certificate create -common-name svm1_B -type server -size 2048 -email-addr "admin@nowhere.com"
    -expire-days 365 -protocol SSL -hash-function SHA256 -vserver svm1
    The certificate's generated name for reference: svm1_B
- Identify the newly created certificate (its serial number and CA name are needed in the next step):
    ::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server

  Example:
    ::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
    vserver common-name serial ca type subtype cert-name expiration
    ------- ----------- ---------------- -------- ------ ------- --------- ------------------------
    clus1 affc190 16E3A53D8D90E881 affc190 server - affc190 Fri Apr 07 10:59:32 2023
    svm1 svm1_A 16FD6CBB01F4F813 svm1_A server - svm1_A Fri Jun 30 14:35:51 2022
    svm1 svm1_B 16FD31BFCD1F353C svm1_B server - svm1_B Fri Dec 16 14:35:51 2024
    3 entries were displayed.
- Enable the new certificate for SSL:
    ::> security ssl modify -server-enabled true -vserver <svm name> -ca <auth> -serial <serial>

  Note: Only one server certificate can be enabled per SVM. This command sets server-enabled to false on the certificate that was previously enabled.

  Example:
    ::> security ssl modify -server-enabled true -vserver svm1 -ca svm1_B -serial 16FD31BFCD1F353C
    Warning: The certificate svm1_B is a self-signed certificate, which offers no verification of identity
    by client machines. This presents the risk of man-in-the-middle attacks by malicious third-parties.
    Do you want to continue? {y|n}: y
- Verify that the certificate is enabled for SSL:
    ::> security ssl show -common-name <common name>

  Example:
    ::> security ssl show -common-name svm1_B
    Serial Server Client
    Vserver Number Common Name Enabled Enabled
    --------- ---------------- ----------- ------- -------
    svm1 16FD31BFCD1F353C svm1_B true false
    Certificate Authority: svm1_B
- Delete the expired certificate:
    ::> security certificate delete -type server -vserver <svm name> -common-name <common name> -ca <auth> -serial <serial>

  Example:
    ::> security certificate delete -type server -vserver svm1 -common-name svm1_A -ca svm1_A -serial 16FD6CBB01F4F813
    Warning: Deleting a server certificate will also delete the corresponding server-chain certificate, if one exists.
    Do you want to continue? {y|n}: y
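Two checks that accompany the procedure above, written as an added example on a management host (this is not NetApp code and not part of ONTAP). The first parses the text that `security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server` prints and lists the certificates that expire within a given number of days, so an expiring certificate is found before port 443 clients start failing. The second opens a TLS connection to the SVM's HTTPS port and reads the serial number of the certificate actually presented, which confirms that `security ssl modify -server-enabled true ...` took effect for the serial you expect. The sample output is constructed from the article's example, and the hostname `svm1.example.internal` is a placeholder.

```python
"""Expiry check for `security certificate show` output, and a check of which
certificate an SVM really serves on port 443. Added example, not NetApp code.
The SVM hostname used on the command line is an assumed placeholder."""
import socket
import ssl
from datetime import datetime, timedelta

# Constructed sample: the `security certificate show` output after the new
# certificate svm1_B has been created (copied from the article's example).
SAMPLE_SHOW_OUTPUT = """\
vserver common-name serial ca type subtype cert-name expiration
------- ----------- ---------------- -------- ------ ------- --------- ------------------------
clus1 affc190 16E3A53D8D90E881 affc190 server - affc190 Fri Apr 07 10:59:32 2023
svm1 svm1_A 16FD6CBB01F4F813 svm1_A server - svm1_A Fri Jun 30 14:35:51 2022
svm1 svm1_B 16FD31BFCD1F353C svm1_B server - svm1_B Fri Dec 16 14:35:51 2024
3 entries were displayed.
"""

EXPIRY_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Fri Dec 16 14:35:51 2024"


def parse_certificate_show(text):
    """Parse the tabular output; returns one dict per certificate row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # A data row is 7 single-word fields plus a 5-token expiration date.
        # The header, the dashed rule and the "N entries were displayed." line
        # have a different token count and are skipped. Assumes no spaces in names.
        if len(parts) != 12:
            continue
        vserver, common_name, serial, ca, ctype, subtype, cert_name = parts[:7]
        expiration = datetime.strptime(" ".join(parts[7:]), EXPIRY_FORMAT)
        rows.append({"vserver": vserver, "common_name": common_name,
                     "serial": serial, "ca": ca, "type": ctype, "subtype": subtype,
                     "cert_name": cert_name, "expiration": expiration})
    return rows


def expiring_within(rows, days, now=None):
    """Return the rows whose expiration is at or before now + days.
    `now` may be a datetime, an ISO-8601 string, or None for the current time."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    deadline = now + timedelta(days=days)
    return [r for r in rows if r["expiration"] <= deadline]


def _der_tlv(buf, pos):
    """Decode the DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_serial_hex(der):
    """Extract serialNumber from a DER X.509 certificate as upper-case hex,
    in the form ONTAP prints it (without the DER 0x00 sign-padding byte)."""
    _, tbs_pos, _ = _der_tlv(der, 0)       # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = _der_tlv(der, tbs_pos)     # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, ... }
    tag, start, end = _der_tlv(der, pos)
    if tag == 0xA0:                        # skip the optional EXPLICIT version
        tag, start, end = _der_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found where expected")
    raw = der[start:end]
    if len(raw) > 1 and raw[0] == 0:       # positive INTEGER with high bit set is 0x00-padded
        raw = raw[1:]
    return raw.hex().upper()


def served_serial(host, port=443, timeout=5.0):
    """Return the hex serial of the certificate `host` presents on its HTTPS port.
    Verification is disabled on purpose: the certificate is self-signed, and the
    only question here is which certificate the SVM is serving."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return der_serial_hex(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    import sys
    rows = parse_certificate_show(SAMPLE_SHOW_OUTPUT)
    for r in expiring_within(rows, days=30, now="2022-06-15"):
        print(f"expiring soon: {r['vserver']} {r['common_name']} serial {r['serial']} on {r['expiration']:%Y-%m-%d}")
    if len(sys.argv) == 3:                 # python check_cert.py svm1.example.internal 16FD31BFCD1F353C
        host, expected = sys.argv[1], sys.argv[2]
        print("served serial matches" if served_serial(host) == expected else "served serial differs")
```

Run it with the SVM hostname and the serial from `security certificate show` after enabling the new certificate; a mismatch means clients on port 443 are still being given the old certificate (for example because the modify command targeted a different SVM). The expiry parser works on the pasted CLI output, so it needs no management API access, which is why this example stops short of automating the create and modify steps.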