NetApp续订自签名SSL证书及注意事项

概述

NetApp的SSL自签名证书如果过期，那么第三方的一些与NetApp 443（HTTPS）对接的系统或业务可能会失效或者无法正常对接，包括但不限于：

• F-Policy
• 反病毒系统
• 系统管理平台

在国内的话主要会涉及到与第三方监控系统的对接，以下的话就是比较常见的问题，证书过期导致Unified Manager中无法正常加入，这时就涉及到需要对证书进行续订

更新流程

针对不同版本的Ontap有不同的更新方式，以下为几种主流的方式

Ontap 9 CLI （9.10之前版本）

应该是目前绝大多数会碰到的场景，WebUI里无法进行相关操作，需要SSH到CLI进行证书续订，以下为实际生产环境操作流程记录

首先看下当前证书情况，主要关注下系统SVM的Server证书（如果不确定是哪个SVM，可以直接network interface show看下集群管理地址在哪个SVM），当前环境为aff

aff::> security certificate show -type server   
Vserver    Serial Number   Certificate Name                       Type
---------- --------------- -------------------------------------- ------------
NFS_A300   167D41C62C822732 
                           NFS_A300_167D41C62C822732              server
    Certificate Authority: NFS_A300
          Expiration Date: Mon May 09 09:29:20 2022

SVM_CIFS   1623CABBD606D398 
                           SVM_CIFS_1623CABBD606D398              server
    Certificate Authority: SVM_CIFS
          Expiration Date: Wed Jul 21 22:26:41 2021

SVM_VMware 05393577695463  SVM_VMware_05393577695463              server
    Certificate Authority: SVM_VMware
          Expiration Date: Fri Aug 04 10:11:23 2017

SVM_VMware_SAS 
           151D583707BC9723 
                           SVM_VMware_SAS_151D583707BC9723        server
    Certificate Authority: SVM_VMware_SAS
          Expiration Date: Tue Mar 19 22:20:42 2019

aff        53567C81FC423   aff_53567C81FC423                      server
    Certificate Authority: aff
          Expiration Date: Sat Jun 17 00:32:19 2017

5 entries were displayed.

或者可以多些Fields参数看下当前情况

aff::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server
vserver  common-name serial           ca       type   subtype cert-name                 expiration               
-------- ----------- ---------------- -------- ------ ------- ------------------------- ------------------------ 
NFS_A300 NFS_A300    167D41C62C822732 NFS_A300 server -       NFS_A300_167D41C62C822732 Mon May 09 09:29:20 2022 
SVM_CIFS SVM_CIFS    1623CABBD606D398 SVM_CIFS server -       SVM_CIFS_1623CABBD606D398 Wed Jul 21 22:26:41 2021 
SVM_VMware 
         SVM_VMware  05393577695463   SVM_VMware 
                                               server -       SVM_VMware_05393577695463 Fri Aug 04 10:11:23 2017 
SVM_VMware_SAS 
         SVM_VMware_SAS 
                     151D583707BC9723 SVM_VMware_SAS 
                                               server -       SVM_VMware_SAS_151D583707BC9723 
                                                                                        Tue Mar 19 22:20:42 2019 
aff      aff         53567C81FC423    aff      server -       aff_53567C81FC423         Sat Jun 17 00:32:19 2017 
5 entries were displayed.

关键步骤一：新建证书
common-name：新证书名称，建议与原有证书不重名已便于区分
expire-days：证书时长建议长些，本例中为10年

aff::> security certificate create -common-name aff_new -type server -size 2048 -expire-days 3650 -protocol SSL -hash-function SHA256 -vserver aff 

The certificate's generated name for reference: aff_new

可以看到新建证书aff_new，有效期至2034年

aff::> security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server                                                
vserver  common-name serial           ca       type   subtype cert-name                 expiration               
-------- ----------- ---------------- -------- ------ ------- ------------------------- ------------------------ 
NFS_A300 NFS_A300    167D41C62C822732 NFS_A300 server -       NFS_A300_167D41C62C822732 Mon May 09 09:29:20 2022 
SVM_CIFS SVM_CIFS    1623CABBD606D398 SVM_CIFS server -       SVM_CIFS_1623CABBD606D398 Wed Jul 21 22:26:41 2021 
SVM_VMware 
         SVM_VMware  05393577695463   SVM_VMware 
                                               server -       SVM_VMware_05393577695463 Fri Aug 04 10:11:23 2017 
SVM_VMware_SAS 
         SVM_VMware_SAS 
                     151D583707BC9723 SVM_VMware_SAS 
                                               server -       SVM_VMware_SAS_151D583707BC9723 
                                                                                        Tue Mar 19 22:20:42 2019 
aff      aff         53567C81FC423    aff      server -       aff_53567C81FC423         Sat Jun 17 00:32:19 2017 
aff      aff_new     17D25787A3DA1548 aff_new  server -       aff_new                   Mon May 22 14:04:08 2034 
6 entries were displayed.

关键步骤二：启用证书

aff::> security ssl modify -server-enabled true -vserver aff -ca aff_new -serial 17D25787A3DA1548 -common-name aff_new 

Warning: The certificate aff_new is a self-signed certificate, which offers no verification of identity by client machines.  This presents the risk of man-in-the-middle
         attacks by malicious third-parties.
Do you want to continue? {y|n}: y

证书启用后测试OCUM中添加集群正常

Ontap 9.10.1 之后版本

9.10.1版本开始可直接在WebUI续订，由于目前暂没有机会接触到生产环境的9.10之后的版本，可直接参考以下KB（当然直接用CLI一定不会有问题）

https://kb.netapp.com/onprem/ontap/dm/System_Manager/How_to_renew_an_ONTAP_selfsigned_certificate_via_System_Manager

Ontap 7-mode 环境

7-mode的场景估计碰到的不多了，可直接参考以下KB

https://kb.netapp.com/Legacy/ONTAP/7Mode/How_to_renew_an_SSL_certificate_in_Data_ONTAP_7-Mode

其他

当然以上部分仅涉及续订简单的SSL自签名证书，如果需要续订标准CA机构或服务器颁发的证书需要另外参考对应KB