
What is the certificate trust store in ONTAP?

Category: ontap-9
Specialty: core

Applies to

  • ONTAP 9
  • AutoSupport

Answer

What is a certificate trust store?

Starting with ONTAP 9.2, a set of trusted root CA certificates was introduced into ONTAP certificate management so that the admin SVM can allow applications running in ONTAP to establish TLS connections seamlessly with external entities. Each certificate has an associated expiration date.

When are trust store certificates installed?

Trust store certificates are installed on the admin SVM only during a fresh installation of ONTAP 9.2 or an upgrade to ONTAP 9.2. The trust store certificate bundle is also updated in newer ONTAP releases.

How do I view the installed trust store certificates?

Use the security certificate show command to view the trust store certificates installed on the admin SVM: security certificate show -vserver * -type server-ca

Note: security certificate show -vserver * -type server-ca displays both user-installed certificates and trust store certificates. Starting with ONTAP 9.4, security certificate show-truststore can be used to view only the default trust store certificates.


What happens if a trust store certificate expires?

If a trust store certificate expires, you can choose to delete it or leave it installed. Each ONTAP release automatically updates the trust store certificates as needed. This is also described in Bug 1245418.

The ONTAP Event Management System (EMS) reports the following:

...starting 30 days before the expiration date:

Example:
Tue Jul 09 00:00:01 CEST [node1: mgwd: mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority 'UTN-USERFirst-Hardware' and type server-ca for Vserver ADMIN-SVM will expire in the next 10 day(s).

Currently, three certificates are known to have expired in July 2019. These trust store certificates have been reviewed by NetApp and can be safely deleted.

Name of Vserver Netapp1
FQDN or Custom Common Name Class2PrimaryCA
Serial Number of Certificate 85BD4BF3D8DAE369F694D75FC3A54423
Certificate Authority Class 2 Primary CA
Type of Certificate server-ca
Certificate Expiration Date Sat Jul 06 18:59:59 2019
Protocol SSL
Hashing Function SHA1
 
Name of Vserver Netapp1
FQDN or Custom Common Name DeutscheTelekomRootCA2
Serial Number of Certificate 26
Certificate Authority Deutsche Telekom Root CA 2
Type of Certificate server-ca
Certificate Expiration Date Tue Jul 09 18:59:00 2019
Protocol SSL
Hashing Function SHA1
 
Name of Vserver Netapp1
FQDN or Custom Common Name UTN-USERFirst-Hardware
Serial Number of Certificate 44BE0C8B500024B411D3362AFE650AFD
Certificate Authority UTN-USERFirst-Hardware
Type of Certificate server-ca
Certificate Expiration Date Tue Jul 09 13:19:22 2019
Protocol SSL
Hashing Function SHA1

Following the workaround in the bug, use the security certificate delete command to remove such a certificate, for example:

::> set advanced
::*> security certificate delete -vserver Netapp1 -common-name Class2PrimaryCA -type server-ca -ca "Class 2 Primary CA" -serial 85BD4BF3D8DAE369F694D75FC3A54423

Note: <TAB> autocompletes -serial, and the -ca name must be enclosed in double quotes.
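As an added example (not part of the original article or of ONTAP itself), the following Python parses the record layout printed by security certificate show, flags certificates that are already expired or fall inside the same 30-day window EMS uses for mgmtgwd.certificate.expiring, and builds the matching delete command with the CA name quoted and the serial copied exactly from the listing. The sample output is constructed from the expired certificates listed above; the field labels are assumed to match the listing format shown in this article.

```python
from datetime import datetime, timedelta
# Constructed sample in the layout of "security certificate show -vserver * -type server-ca",
# abridged to the fields used here; values are two expired trust-store certs from this article.
SAMPLE_OUTPUT = """\
Name of Vserver Netapp1
FQDN or Custom Common Name Class2PrimaryCA
Serial Number of Certificate 85BD4BF3D8DAE369F694D75FC3A54423
Certificate Authority Class 2 Primary CA
Type of Certificate server-ca
Certificate Expiration Date Sat Jul 06 18:59:59 2019

Name of Vserver Netapp1
FQDN or Custom Common Name UTN-USERFirst-Hardware
Serial Number of Certificate 44BE0C8B500024B411D3362AFE650AFD
Certificate Authority UTN-USERFirst-Hardware
Type of Certificate server-ca
Certificate Expiration Date Tue Jul 09 13:19:22 2019
"""

# Field labels as printed by ONTAP (assumed from the listing above), mapped to dict keys.
FIELDS = {"Name of Vserver": "vserver", "FQDN or Custom Common Name": "common_name",
          "Serial Number of Certificate": "serial", "Certificate Authority": "ca",
          "Type of Certificate": "type", "Certificate Expiration Date": "expires"}

def parse_records(text):
    """Split blank-line-separated records into dicts; the expiry becomes a datetime."""
    records, current = [], {}
    for line in text.splitlines() + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        label = next((l for l in FIELDS if line.startswith(l + " ")), None)
        if label is None:
            continue                                # Protocol, Hashing Function, etc.
        value = line[len(label):].strip()
        current[FIELDS[label]] = (datetime.strptime(value, "%a %b %d %H:%M:%S %Y")
                                  if label == "Certificate Expiration Date" else value)
    return records

def classify(records, now, warn_days=30):
    """Return (expired, expiring) using the 30-day window of mgmtgwd.certificate.expiring."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    expired = [r for r in records if r["expires"] <= now]
    expiring = [r for r in records if now < r["expires"] <= now + timedelta(days=warn_days)]
    return expired, expiring

def delete_command(r):
    """Advanced-mode delete command for one record: -ca quoted, -serial taken from the listing."""
    return (f'security certificate delete -vserver {r["vserver"]} -common-name {r["common_name"]} '
            f'-type {r["type"]} -ca "{r["ca"]}" -serial {r["serial"]}')
```

Run classify against the current date before deleting anything, and compare the generated command with the listing to avoid a mistyped serial.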

What happens if a trust store certificate is deleted?

In most cases an expired certificate is probably not in use. Deleting a trust store certificate may cause some ONTAP applications (for example AutoSupport or System Manager) to stop working as expected.

Can a trust store certificate be created with a new expiration date?

No. A new certificate must be reissued by the certificate authority and then reinstalled. However, as noted above, trust store certificates are updated automatically as needed in each ONTAP release.


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.