To enable an SSL server to authenticate the cluster or storage virtual machine (SVM) as an SSL client, you install a digital certificate with the client type on the cluster or SVM. Then you provide the client-ca certificate to the SSL server administrator for installation on the server.
- To use a CA-signed digital certificate for client authentication, complete the following steps:
  - Generate a digital certificate signing request (CSR) by using the security certificate generate-csr command.
    Result: ONTAP displays the CSR output, which includes a certificate request and private key, and reminds you to copy the output to a file for future reference.
  - Send the certificate request from the CSR output in an electronic form (such as email) to a trusted CA for signing.
    You should keep a copy of the private key and the CA-signed certificate for future reference.
    Result: After processing your request, the CA sends you the signed digital certificate.
  - Install the CA-signed certificate by using the security certificate install command with the -type client parameter.
  - Enter the certificate and the private key when you are prompted, and then press Enter.
  - Enter any additional root or intermediate certificates when you are prompted, and then press Enter.
    You install an intermediate certificate on the cluster or SVM if a certificate chain that begins at the trusted root CA, and ends with the SSL certificate issued to you, is missing the intermediate certificates. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, goes through the intermediate certificate, and ends with the SSL certificate issued to you.
- Provide the client-ca certificate of the cluster or SVM to the administrator of the SSL server for installation on the server.
  The security certificate show command with the -instance and -type client-ca parameters displays the client-ca certificate information.
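The following script is an added example, not part of the original procedure or of ONTAP. It shows two checks worth running on a workstation before the install step: that the saved private key belongs to the CA-signed certificate, and that the chain from the root CA to the certificate is complete only when the intermediate certificate is supplied. It assumes the openssl command-line tool is installed; the file names, the common names, and the demo root, intermediate, and client certificates are all constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run on a workstation before pasting a CA-signed
# certificate into "security certificate install -type client".
# Assumes the openssl CLI; every key and certificate here is constructed demo data.

# key_matches_cert CERT KEY: true only if KEY is the private key for CERT.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_verifies ROOT LEAF [INTERMEDIATES]: true only if LEAF chains to ROOT
# and is acceptable as an SSL client certificate.
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -purpose sslclient -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# make_demo_pki DIR: build a throwaway root -> intermediate -> client chain in DIR.
make_demo_pki() (
    cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    echo 'extendedKeyUsage=clientAuth' > client.ext
    for n in root inter client other; do
        openssl genrsa -out "$n.key" 2048 2>/dev/null || exit 1
    done
    sign() { openssl x509 -req -days 30 "$@" 2>/dev/null; }
    openssl req -new -key root.key -subj '/CN=Demo Root CA' -out root.csr &&
    sign -in root.csr -signkey root.key -extfile ca.ext -out root.pem &&
    openssl req -new -key inter.key -subj '/CN=Demo Intermediate CA' -out inter.csr &&
    sign -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -out inter.pem &&
    openssl req -new -key client.key -subj '/CN=svm1.example.com' -out client.csr &&
    sign -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial -extfile client.ext -out client.pem
)

demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo" || exit 1
key_matches_cert "$demo/client.pem" "$demo/client.key" && echo "key matches certificate"
key_matches_cert "$demo/client.pem" "$demo/other.key" || echo "unrelated key rejected"
chain_verifies "$demo/root.pem" "$demo/client.pem" || echo "chain incomplete without intermediate"
chain_verifies "$demo/root.pem" "$demo/client.pem" "$demo/inter.pem" && echo "chain complete with intermediate"
```

With real files, pass the CA's root certificate, the signed certificate, and a file holding any intermediate certificates to chain_verifies; a failure without the intermediates and a success with them indicates that the intermediates must be entered at the install prompt.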