security certificate create
Create and Install a Self-Signed Digital Certificate
Description
The security certificate create command creates and installs a self-signed digital certificate, which can be used for server authentication, for signing other certificates by acting as a certificate authority (CA), or for Data ONTAP as an SSL client. The certificate function is selected by the -type field. Self-signed digital certificates are not as secure as certificates signed by a CA. Therefore, they are not recommended in a production environment.
Parameters
- -vserver <Vserver Name> - Name of Vserver
- This specifies the name of the Vserver on which the certificate will exist.
- -common-name <FQDN or Custom Common Name> - FQDN or Custom Common Name
- This specifies the desired certificate name as a fully qualified domain name (FQDN) or custom common name or the name of a person. The supported characters, which are a subset of the ASCII character set, are as follows:
- Letters a through z, A through Z
- Numbers 0 through 9
- Asterisk (*), period (.), underscore (_) and hyphen (-)
- -type <type of certificate> - Type of Certificate
- This specifies the certificate type. Valid values are the following:
- server - creates and installs a self-signed digital certificate and intermediate certificates to be used for server authentication
- root-ca - creates and installs a self-signed digital certificate to sign other certificates by acting as a certificate authority (CA)
- client - includes a self-signed digital certificate and private key to be used for Data ONTAP as an SSL client
- [-subtype <kmip-cert>] - (DEPRECATED) Certificate Subtype
- This specifies a certificate subtype. This optional parameter can have an empty value (the default). The only valid value is as follows:
- kmip-cert - this is a Key Management Interoperability Protocol (KMIP) certificate
- Note: This parameter has been deprecated in ONTAP 9.6 and may be removed in a future release of Data ONTAP.
- [-cert-name <text>] - Unique Certificate Name
- This specifies the system's internal identifier for the certificate. It must be unique within a Vserver. If not provided, it is automatically generated by the system.
- -size <size of requested certificate in bits> - Size of Requested Certificate in Bits
- This specifies the number of bits in the private key. The larger the value, the stronger the key. The default is 2048. Possible values include 512, 1024, 1536, 2048 and 3072 when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true, the possible values are 2048 and 3072.
- -country <text> - Country Name
- This specifies the country where the Vserver resides. The country name is a two-letter code. The default is US. The list of valid codes is given in the Country Codes reference.
- -state <text> - State or Province Name
- This specifies the state or province where the Vserver resides.
- -locality <text> - Locality Name
- This specifies the locality where the Vserver resides. For example, the name of a city.
- -organization <text> - Organization Name
- This specifies the organization where the Vserver resides. For example, the name of a company.
- -unit <text> - Organization Unit
- This specifies the unit where the Vserver resides. For example, the name of a section or a department within a company.
- -email-addr <mail address> - Contact Administrator's Email Address
- This specifies the email address of the contact administrator for the Vserver.
- -expire-days <integer> - Number of Days until Expiration
- This specifies the number of days until the certificate expires. The default value is 365 days. Possible values are between 1 and 3652.
- -protocol <protocol> - Protocol
- This specifies the protocol type. This parameter currently supports only the SSL protocol type. The default is SSL.
- -hash-function <hashing function> - Hashing Function
- This specifies the cryptographic hashing function for signing the certificate. The default is SHA256. Possible values include SHA1, SHA256, MD5, SHA224, SHA384 and SHA512 when the "FIPS Mode" in "security config" is false. When the "FIPS Mode" is true, the possible values are SHA224, SHA256, SHA384 and SHA512.
Examples
This example creates a server type, self-signed digital certificate for a Vserver named vs0 at a company whose custom common name is www.example.com and whose Vserver name is vs0.
cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type server
This example creates a root-ca type, self-signed digital certificate with a 2048-bit private key, signed using the SHA256 hashing function, that will expire in 365 days for a Vserver named vs0 for use by the Software group in IT at a company whose custom common name is www.example.com, located in Sunnyvale, California, USA. The email address of the contact administrator who manages the Vserver is web@example.com.
cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type root-ca -size 2048 -country US -state California -locality Sunnyvale -organization IT -unit Software -email-addr web@example.com -expire-days 365 -hash-function SHA256
This example creates a client type, self-signed digital certificate for a Vserver named vs0 at a company that uses Data ONTAP as an SSL client. The company's custom common name is www.example.com and its Vserver name is vs0.
cluster1::> security certificate create -vserver vs0 -common-name www.example.com -type client -size 2048 -country US -state California -locality Sunnyvale -organization IT -unit Software -email-addr web@example.com -expire-days 365 -hash-function SHA256
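An added pre-flight check, not part of the ONTAP documentation or product, that validates a planned parameter set against the constraints listed above (the common-name character set, the FIPS-dependent key sizes and hash functions, the expire-days range) and also flags values the command accepts in non-FIPS mode that a security review would reject; the WEAK_* sets and the case-insensitive hash comparison are this example's own assumptions.

```python
import re

# Constraints stated in the parameter descriptions of 'security certificate create'.
COMMON_NAME_RE = re.compile(r"^[A-Za-z0-9*._-]+$")
CERT_TYPES = {"server", "root-ca", "client"}
KEY_SIZES = {False: {512, 1024, 1536, 2048, 3072}, True: {2048, 3072}}   # keyed by FIPS Mode
HASHES = {False: {"SHA1", "SHA256", "MD5", "SHA224", "SHA384", "SHA512"},
          True: {"SHA224", "SHA256", "SHA384", "SHA512"}}
# Reviewer policy, not from the man page: accepted by ONTAP in non-FIPS mode but not defensible.
WEAK_HASHES = {"MD5", "SHA1"}
WEAK_SIZES = {512, 1024, 1536}

def check_cert_params(params, fips_mode):
    """Return findings for one 'security certificate create' request: 'ERROR' for a
    rule stated on the man page (the command would reject it), 'WARN' for a value the
    command accepts but a security review should not. Hash names are compared
    case-insensitively, an assumption about the CLI; defaults are the page's."""
    findings = []
    cn = str(params.get("common-name", ""))
    if not COMMON_NAME_RE.match(cn):
        findings.append("ERROR: -common-name may only contain a-z, A-Z, 0-9, *, ., _ and -")
    if params.get("type") not in CERT_TYPES:
        findings.append("ERROR: -type must be server, root-ca or client")
    size = int(params.get("size", 2048))
    if size not in KEY_SIZES[fips_mode]:
        findings.append(f"ERROR: -size {size} is not permitted with FIPS Mode={fips_mode}")
    elif size in WEAK_SIZES:
        findings.append(f"WARN: -size {size} is below the 2048-bit default")
    hf = str(params.get("hash-function", "SHA256")).upper()
    if hf not in HASHES[fips_mode]:
        findings.append(f"ERROR: -hash-function {hf} is not permitted with FIPS Mode={fips_mode}")
    elif hf in WEAK_HASHES:
        findings.append(f"WARN: -hash-function {hf} is a broken or deprecated signature hash")
    days = int(params.get("expire-days", 365))
    if not 1 <= days <= 3652:
        findings.append(f"ERROR: -expire-days {days} is outside 1..3652")
    return findings

# The root-ca example from this page, expressed as a parameter dictionary.
ROOT_CA_EXAMPLE = {"common-name": "www.example.com", "type": "root-ca", "size": 2048,
                   "hash-function": "SHA256", "expire-days": 365}
# Constructed request that exercises every check (not from the page).
WEAK_REQUEST = {"common-name": "store front", "type": "server", "size": 1024,
                "hash-function": "md5", "expire-days": 4000}

if __name__ == "__main__":
    print(check_cert_params(ROOT_CA_EXAMPLE, fips_mode=True) or ["OK"])
    print(check_cert_params(WEAK_REQUEST, fips_mode=False))
```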