How to fix Netapp expired self-signed certificate by creating a new one

netapp certificate expired install site cant be reached

Symptom: You are using ONTAP 9x (your Netapp is fairly new, within the last 4-5 years.  These instructions probably don’t apply to old Netapp devices)

Symptom: When you look at the diagnostic logs on your Netapp, you get a warning that the certificates are expiring or expired:

mgmtgwd.certificate.expiring: A digital certificate with Fully Qualified Domain Name (FQDN) ExampleNetappServer1, Serial Number 569848B0A5092, Certificate Authority ‘ExampleNetappServer1’ and type server for Vserver ExampleNetappServer1 will expire in the next 29 day(s).

Message Name:

This message occurs when a digital certificate for a Vserver is about to expire. Client-server communication will not be secure if the certificate expires.

Install a new digital certificate on the system using the ‘security certificate create’ or ‘security certificate install’ command.

Symptom: When you try to reach the website for your Netapp OnTAP, it won’t connect at all.

See the image above for what this looks like.

Symptom:  You tried to create new certificates using security certificate create and now the website is broken.

Whoops.  Never fear, keep reading, this article will help you.

DIFFERENT ISSUE — Third Party CAs are expiring

Just recently (June-July 2019), ONTAP users are getting errors that several certificates of type “server-ca” are expiring. These are NOT the certificates you use for your Netapp website and the fix steps in this article do not apply to them.

CA certificate names expiring on July 09, 2019:

  • DeutscheTelekomRootCA2                
  • UTN-USERFirst-Hardware    
  • Class2PrimaryCA                                    

See my other article about how to fix expiring third party certificates ( type = server-ca ) if this describes your situation.


How can I connect if the Netapp website is down?

Use a terminal emulator such as Putty.  Connect using SSH port 22, to the IP of your Netapp Cluster.

When prompted, type your administrator username and password.  admin is the default username and netapp!123 is the default password.

Disclaimer: I’m just someone who admins Netapp SAN for my job. You should review the official Netapp articles on this topic and use common sense before making changes. If you aren’t sure about anything, put in a case with Netapp to get help.

Reference:  Netapp KB article that describes how to renew the certificate with ssl modify.

Reference: Netapp OnTap 9:  security certificate create , security certificate show, ssl show, ssl modify.

First, capture your current status.

Here are the commands you will run to see the current status of your certificates:

security certificate show

ssl show

Feel free to run these whenever needed, to see your status.

Run both commands now and screenshot or copy the results so you can reference them later.

Here is an example of a Netapp that has expired certificates for the cluster and the SVM:

netapp security certificate show create install

Here is an example of a Netapp that has broken website ssl certificate:

netapp ssl show broken website ontap 9

Did you already delete your certificates and don’t know the names of your cluster and SVM?

Assuming you are connecting to your cluster, you should see the cluster name at the beginning of your command prompt.

If you press TAB while writing a command, Netapp will provide you possible answers.   This can help you retrieve your Vserver list.

Type security certificate show -vserver [TAB]

Your command prompt will show you the possible answers. One should be your cluster, one should be your SVM(s).

Perform these steps to get rid of expired certificates, install new, and enable.

1. Delete old certificates:

Identify your variables:

-vserver =  vserver name from the “security certificate show” command, such as ExampleNetappCluster1

-common-name = common name from the “security certificate show” command, such as ExampleNetappCluster1

-serial = serial number from the “security certificate show” command, such as 448293BA028

-type = type from the “security certificate show” command. Self-generated certificates are type server.

Run command for your cluster certificate:  security certificate delete -vserver ExampleNetappCluster1  -serial  ########## -type server -common-name ExampleNetappCluster1

When prompted, type Y to delete.

Run the command again for each SVM certificate: security certificate delete -vserver ExampleNetappSVM1  -serial  ########## -type server -common-name ExampleNetappSVM1

When prompted, type Y to delete.

2. Create new self-signed certificates:

Run command for your new cluster certificate:  security certificate create -vserver ExampleNetappCluster1 -common-name ExampleNetappCluster1 -type server -expire-days 999

You can change the expire-days per your security policy.  The default is 365.

Run command for each new SVM certificate:  security certificate create -vserver ExampleNetappSVM1 -common-name ExampleNetappSVM1 -type server -expire-days 999

3. Enable SSL with the new certificates:

Run command for your new cluster certificate:  ssl modify -vserver ExampleNetappCluster1 -server-enabled true

Run command for each new SVM certificate: ssl modify -vserver ExampleNetappSVM1 -server-enabled true

4. At this point, your website should be back up!

Please leave comments if this worked for you, or tips if it didn’t.

If you need further reference, I found these Netapp articles helpful.

Reference:  Netapp KB article that describes how to renew the certificate with ssl modify.

Reference: Netapp OnTap 9:  security certificate create , security certificate show, ssl show, ssl modify.

Selfish plug time (sorry!)

Thanks for reading this article! I hope it helps you! If you have tips or feedback, please comment or send me an email so that others can benefit.

I am a consultant in the Maryland/DC area in the USA. My specialties are Windows migrations (to 2016 and to Office 365 / Azure), VMware migrations, Netapp and SAN, and high availability / disaster recovery planning. If you would like help with your complex project, or would like a architectural review to improve your availability, please reach out!    More information and contact can be found on the About page. – Amira Armond

kieri solutions IT consultant service provider cybersecurity logo

7 thoughts on “How to fix Netapp expired self-signed certificate by creating a new one

  1. paul says:

    Hi Amira,

    I’m experiencing more or less the same issue.
    I migrating from one pair of node to another and my cluster management lif soon it is migrate return the same screenshot as yours.
    If I move back all is ok. If I’m creating a new lif to this new pair of nodes, it doesn’t works.
    If I disable http services I have an other message (not accessible 404)
    So it is related to the new nodes

    If I’m looking at the certificates, nothing is strange:
    ::> ssl show
    (security ssl show)
    Serial Server Client
    Vserver Number Common Name Enabled Enabled
    ——— —— ————————————— ——- ——-
    cluster true true
    Certificate Authority: cluster

    ::> sec certificate show -serial 123A456ED7890
    (security certificate show)
    Vserver Serial Number Certificate Name Type
    ———- ————— ————————————– ————
    cluster 123A456ED7890 cluster_123A456ED7890 server
    Certificate Authority: cluster
    Expiration Date: Wed Aug 28 14:42:37 2024

    Do I still have to renew my certificate or you have another idea?

  2. Giles Ogram says:

    Quick question, when I try the command to delete my certificate for both the cluster and SVM, I get an error: Either specify all keys, or set at least to “*”.
    I am using the -serial switch to ensure I am deleting the correct certifiacte.

    • Amira Armond
      Amira Armond says:

      That message means you haven’t identified the certificate enough. Maybe there are two certs with the same serial? Seems unlikely but that is the thinking. Add more specifics about the cert (keep pressing tab on the command and see what netapp wants to add)

  3. zaki says:

    I have deleted few expired certificates and needed to create one again. These are of type server-ca, when tried to recreate it, it says “Command Failed: Cannot use certificate of type “Server-ca” for this operation.

    Checked with Lenovo / Netapp support and they asked to upgrade OS and BMC version. This is what we are running now.

    Lenovo Release 9.6P2: Fri Jul 19 02:10:57 EDT 2019
    System ID: 0538123081 (XXXXXXXXXXXXX); partner ID: 0538123082 (XXXXXXXXXXXXX)
    System Serial Number: 941936000292 (XXXXXXXXXXXXX)

    Service Processor Status: Online
    Firmware Version: 11.3P2

    I tried to follow the above article , but clicking the hyperlink in the above article takes back to the same article.

    Please help how can I create certificate of type server-ca

Leave a Reply

Your email address will not be published. Required fields are marked *