SAN = Subject Alternative Name
The following post runs through getting SAN certificates for use with Clustered ONTAP. The lab environment has Clustered Data ONTAP 8.2.1 and a Windows 2008R2 AD CS Root CA.
What SAN Names do we want in our SSL Certificate
To make life nice and easy, we’ll just request one SAN certificate for the entire cluster, with every name we could possibly require in it.
We have a simple single node cluster, with the following LIFs:
NACLU1::> net int show -field address
vserver  lif          address
-------- ------------ ------------
NACLU1   cluster_mgmt 10.10.10.110
NACLU1N1 mgmt1        10.10.10.111
NACLU1N1 rep1         10.10.10.121
NASVM1   data1        10.10.10.131
NASVM1   data2        10.10.10.132
In DNS we have the following Forward Lookup Host (A) entries. In this example, NASVM1.lab.priv has 2 entries in DNS for round-robin load-balancing.
Name                   Data         ReverseDNS?
---------------------- ------------ -----------
NACLU1.lab.priv        10.10.10.110 Yes
NACLU1N1.lab.priv      10.10.10.111 Yes
NACLU1N1-rep1.lab.priv 10.10.10.121 Yes
NASVM1.lab.priv        10.10.10.131 No
NASVM1.lab.priv        10.10.10.132 No
NASVM1-data1.lab.priv  10.10.10.131 Yes
NASVM1-data2.lab.priv  10.10.10.132 Yes
How to Create the Certificate Signing Request for CDOT
Run the command:
NACLU1::> security certificate generate-csr -common-name NACLU1.lab.priv -size 2048 -country US -state "" -locality "" -organization "" -unit "" -email-addr "email@example.com" -hash-function SHA256
Here the common-name is NACLU1.lab.priv (the cluster FQDN, with the NETBIOS part in capitals). What the common-name is doesn’t really matter, since we’re going to append the SAN names to it; the other switches are specific to your organization.
An abridged output of the command is below:
Certificate Signing Request :
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Private Key :
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Note: Please keep a copy of your certificate request and private key for future reference.
It is important to record this output. The ‘CERTIFICATE REQUEST’ section goes to the Certification Authority to generate the SSL certificate, and the ‘RSA PRIVATE KEY’ section is needed later when installing the certificate. Note: you only see the complete output once. Running ‘security certificate generate-csr show’ later does not display it again; it actually creates a new CSR under the common-name ‘show’.
Copy the contents between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- into a text file and save it as, say, CLUSTER.CSR.
Generating the SAN Certificate with 2008 R2 AD CS
Configure the CA to issue SAN certificates using the following command at a DOS prompt on the CA (if not already done), then restart the CA service:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Then the following command reads the CLUSTER.CSR file prepared earlier, adds all the SAN extensions to it, and outputs the SAN certificate as CLUSTER.CER:
certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=naclu1&DNS=naclu1.lab.priv&DNS=10.10.10.110&IPAddress=10.10.10.110&DNS=naclu1n1&DNS=naclu1n1.lab.priv&DNS=naclu1n1-rep1&DNS=naclu1n1-rep1.lab.priv&DNS=nasvm1&DNS=nasvm1.lab.priv&DNS=nasvm1-data1&DNS=nasvm1-data1.lab.priv&DNS=nasvm1-data2&DNS=nasvm1-data2.lab.priv" CLUSTER.CSR CLUSTER.CER
The above goes overboard, specifying every single DNS and NETBIOS name used by the cluster (plus the cluster management IP address, since browsing to logs via https://CLUSTERNAME/SPI redirects to https://CLUSTERIP/...). For OCUM connections to the cluster management address, the SPI, and logs via the node address, the following is totally sufficient:
certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=naclu1&DNS=naclu1.lab.priv&DNS=10.10.10.110&IPAddress=10.10.10.110&DNS=naclu1n1&DNS=naclu1n1.lab.priv" CLUSTER.CSR CLUSTER.CER
Note 1: IE requires IP Addresses after DNS=, other browsers after IPAddress=, which explains the cluster management IP address being in there twice.
Note 2: If you’re having problems inputting the above, and have copied from this post, check the formatting of the dash and quotation marks especially (delete and retype in DOS.)
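As an added example (not code from the post, nor from NetApp or Microsoft tooling), the following Python builds the certreq -attrib string from the cluster’s DNS table and checks any candidate string for names it leaves out. LAB_HOSTS is constructed from the forward-lookup table above, MINIMAL_ATTRIB is the shorter attribute string from the post, and the helper function names are my own. It generalises the post’s single case: any host named in ip_hosts gets its address added twice (DNS= and IPAddress=), the way the post does for the cluster management address.

```python
"""Build and sanity-check the SAN attribute string that certreq -attrib takes.

Added example; not part of the original post or of NetApp/Microsoft tooling.
LAB_HOSTS is constructed from the post's DNS table. The attribute syntax
(DNS=/IPAddress= pairs joined by '&', a literal backslash-n between the
CertificateTemplate and SAN attributes) is the one the post's certreq line uses.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed from the post's forward-lookup table: FQDN -> A-record addresses.
LAB_HOSTS: Dict[str, List[str]] = {
    "NACLU1.lab.priv": ["10.10.10.110"],
    "NACLU1N1.lab.priv": ["10.10.10.111"],
    "NACLU1N1-rep1.lab.priv": ["10.10.10.121"],
    "NASVM1.lab.priv": ["10.10.10.131", "10.10.10.132"],  # round-robin pair
    "NASVM1-data1.lab.priv": ["10.10.10.131"],
    "NASVM1-data2.lab.priv": ["10.10.10.132"],
}

# The shorter attribute string from the post (cluster and node names only).
MINIMAL_ATTRIB = ("CertificateTemplate:WebServer\\nSAN:DNS=naclu1&DNS=naclu1.lab.priv"
                  "&DNS=10.10.10.110&IPAddress=10.10.10.110&DNS=naclu1n1&DNS=naclu1n1.lab.priv")


def san_entries(hosts: Dict[str, List[str]],
                ip_hosts: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Ordered, de-duplicated (type, value) SAN pairs for the given hosts.

    Every host contributes its short (NETBIOS-style) name and its FQDN as
    DNS= entries. Hosts named in ip_hosts also contribute each address twice,
    as DNS= and as IPAddress=, the double entry the post's Note 1 explains.
    """
    entries: List[Tuple[str, str]] = []
    seen: Set[Tuple[str, str]] = set()

    def add(kind: str, value: str) -> None:
        if (kind, value) not in seen:
            seen.add((kind, value))
            entries.append((kind, value))

    wanted_ips = {h.lower() for h in ip_hosts}
    for fqdn, addrs in hosts.items():
        add("DNS", fqdn.split(".")[0].lower())
        add("DNS", fqdn.lower())
        if fqdn.lower() in wanted_ips:
            for addr in addrs:
                ipaddress.ip_address(addr)  # raises ValueError on a typo
                add("DNS", addr)
                add("IPAddress", addr)
    return entries


def certreq_attrib(hosts, ip_hosts=(), template="WebServer") -> str:
    """The value passed to certreq -attrib (quotes are added by certreq_command)."""
    san = "&".join(f"{kind}={value}" for kind, value in san_entries(hosts, ip_hosts))
    return f"CertificateTemplate:{template}\\nSAN:{san}"


def certreq_command(attrib: str, csr="CLUSTER.CSR", cer="CLUSTER.CER") -> str:
    """Full command line, with plain ASCII quotes so a paste does not hit Note 2."""
    return f'certreq -attrib "{attrib}" {csr} {cer}'


def parse_san_attrib(attrib: str) -> Set[Tuple[str, str]]:
    """Recover the (type, value) pairs from the SAN: part of an attribute string."""
    for part in attrib.split("\\n"):
        if part.startswith("SAN:"):
            return {(k, v.lower()) for k, v in
                    (e.split("=", 1) for e in part[4:].split("&") if "=" in e)}
    return set()


def missing_names(attrib: str, hosts, ip_hosts=()) -> Set[Tuple[str, str]]:
    """Names the cluster needs that a candidate attribute string does not cover."""
    return set(san_entries(hosts, ip_hosts)) - parse_san_attrib(attrib)


if __name__ == "__main__":
    full = certreq_attrib(LAB_HOSTS, ip_hosts=["NACLU1.lab.priv"])
    print(certreq_command(full))
    for kind, value in sorted(missing_names(MINIMAL_ATTRIB, LAB_HOSTS, ["NACLU1.lab.priv"])):
        print(f"minimal list lacks {kind}={value}")
```

Run as-is, it reproduces the post’s full attribute string for the lab cluster and lists the eight DNS entries the shorter list leaves out. Generating the list from the LIF/DNS table rather than typing it is worth doing because, with EDITF_ATTRIBUTESUBJECTALTNAME2 set, the CA accepts whatever SAN values the request attribute names, on any template, so nothing on the CA side catches a mistyped or stray name; for the same reason, keep enrolment rights on the WebServer template limited to the administrators who need them while the flag is set.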
Installing the Certificate in CDOT
Run the command:
NACLU1::> security certificate install -vserver NACLU1 -type server
As prompted, copy and paste in the certificate contained in the CLUSTER.CER file, followed by the private key obtained when generating the CSR earlier.
Then run the following commands to apply the SSL certificate to the Cluster (Admin) Vserver:
NACLU1::> security certificate show -vserver NACLU1
NACLU1::> ssl show -vserver NACLU1
NACLU1::> ssl modify -vserver NACLU1 -ca lab-MSCSA1-CA -serial 6167DD8400000000000B -common-name NACLU1.lab.priv
Repeat for the node and data SVMs as required.
Testing the SSL Certificate in CDOT
Test over https://CLUSTER_NETBIOS/spi.
Image: No certificate error to https://naclu1/spi
Test over the SPI to logs.
Image: No certificate error to https://10.10.10.110/...
Check the SSL Certificate to see the Subject Alternative Name entries.
Image: SAN Entries including IP Address