Credit for this post to a customer who flagged this to me (thank you).
You may have noticed that the AddTrustExternalCARoot certificate on your NetApp ONTAP cluster is expiring on Saturday May 30th, 2020:
cluster1::> security certificate show -common-name Ad*
Vserver    Serial Number   Certificate                  Type
---------- --------------- ---------------------------- ------------
cluster1   01              AddTrustExternalCARoot       server-ca
    Certificate Authority: AddTrust External CA Root
          Expiration Date: Sat May 30 10:48:38 2020
And if you search kb.netapp.com for AddTrust, you'll see that it is used for ASUP over HTTPS communication (see KB1028719 and KB1088180). So, you might be wondering:
Question 1) Is the certificate going to be renewed?
Question 2) What happens when the certificate expires?
Answer 2) From a NetApp ASUP perspective, nothing is going to happen: ASUP over HTTPS will continue to work, because the new ASUP backend certificate will be signed by a different, unexpired CA root that is already in the current ONTAP truststore, so the server's chain still validates without you touching anything.
To answer the titular question: AddTrust External CA Root Certificate is being Phased Out: What does it mean for ASUP over HTTPS? Nothing!
Lab Testing
The xolphin.com article mentions that the 'AddTrust External CA Root Certificate' is being replaced; the replacement root I install in the lab below is the COMODO RSA Certification Authority.
I did a few tests in the lab to confirm the 'AddTrust External CA Root Certificate' is currently needed for ASUP (it was on 31st March 2020):
1) Verify ASUP over HTTPS is successful.
2) See what happens when I delete the 'AddTrust External CA Root Certificate' - ASUP over HTTPS does indeed stop: the messages aren't sent and are re-queued to try again. That is the behaviour you want from a truststore: with no root left to validate the server's chain against, ONTAP refuses to send rather than sending without verifying the server.
3) Install the new COMODO cert and see that ASUP over HTTPS is now working again (Note: you absolutely do not need to do this - I'm just playing in a lab - your ASUP over HTTPS will merrily continue past May 30th 2020 without you doing a thing.)
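As a worked check to go with the lab procedure above, here is a small Python script (added for this page; it is not from the original post and not a NetApp tool) that parses the plain-text output of `security certificate show` as pasted from the cluster shell and reports which server-ca roots expire within a given window and which unexpired ones remain. That is the question behind Answer 2: an expiring root only matters if nothing else in the truststore can validate the server's new chain. The sample output is constructed from the two entries shown in this post, and the function names are my own.

```python
"""Flag CA certificates in an ONTAP truststore that expire within N days.

Parses the plain-text output of `security certificate show` and reports
which server-ca entries expire soon and which unexpired ones remain.
The sample below is constructed from the entries shown in this post;
the function names are assumptions of this example, not NetApp APIs.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the two roots from this post, laid out as
# `security certificate show -type server-ca` prints them (the second
# entry is the COMODO root installed in the lab). The parser assumes
# each entry's four columns are on one line.
SAMPLE_OUTPUT = """\
Vserver    Serial Number                    Certificate                  Type
---------- -------------------------------- ---------------------------- ------------
cluster1   01                               AddTrustExternalCARoot       server-ca
    Certificate Authority: AddTrust External CA Root
          Expiration Date: Sat May 30 10:48:38 2020
cluster1   4CAAF9CADB636FE01FF74ED85B03869D ComodoRSACertificationAuth   server-ca
    Certificate Authority: COMODO RSA Certification Authority
          Expiration Date: Mon Jan 18 23:59:59 2038
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"          # ONTAP's expiry date format
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")  # vserver serial name type
CA_RE = re.compile(r"^\s*Certificate Authority:\s*(.+?)\s*$")
EXP_RE = re.compile(r"^\s*Expiration Date:\s*(.+?)\s*$")


def parse_date(text):
    """Parse an ONTAP expiry string such as 'Sat May 30 10:48:38 2020'."""
    return datetime.strptime(text, DATE_FMT)


def parse_certificate_show(text):
    """Return a list of dicts (vserver, serial, name, type, ca, expires)."""
    entries = []
    current = None
    for line in text.splitlines():
        # Skip blank lines, the column header and the dashed separator.
        if not line.strip() or line.startswith("-") or line.startswith("Vserver"):
            continue
        m = CA_RE.match(line)
        if m and current is not None:
            current["ca"] = m.group(1)
            continue
        m = EXP_RE.match(line)
        if m and current is not None:
            current["expires"] = parse_date(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m and not line.startswith(" "):
            current = {"vserver": m.group(1), "serial": m.group(2),
                       "name": m.group(3), "type": m.group(4)}
            entries.append(current)
    return entries


def expiring_soon(entries, now, days=90, cert_type="server-ca"):
    """Names of certs of `cert_type` whose expiry falls within `days` of `now`."""
    cutoff = now + timedelta(days=days)
    return [e["name"] for e in entries
            if e["type"] == cert_type and "expires" in e and e["expires"] <= cutoff]


def still_valid(entries, now, cert_type="server-ca"):
    """Names of certs of `cert_type` that are unexpired at `now`."""
    return [e["name"] for e in entries
            if e["type"] == cert_type and "expires" in e and e["expires"] > now]


if __name__ == "__main__":
    today = parse_date("Tue Mar 31 00:00:00 2020")  # the date of the lab test
    certs = parse_certificate_show(SAMPLE_OUTPUT)
    print("expiring within 90 days:", expiring_soon(certs, today))
    print("still valid:", still_valid(certs, today))
```

To run it against a real cluster, paste the output of `security certificate show -type server-ca` into SAMPLE_OUTPUT (or read it from a file). If `still_valid` returns an empty list for the date you are checking, ASUP over HTTPS will stop exactly as it did in step 2 of the lab test; if other roots remain, the expiring one is only a cosmetic warning.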
cluster1::> version
NetApp Release 9.5P11: Tue Feb 25 13:56:38 UTC 2020

cluster1::> security certificate show -common-name Ad*
Vserver    Serial Number   Certificate                  Type
---------- --------------- ---------------------------- ------------
cluster1   01              AddTrustExternalCARoot       server-ca
    Certificate Authority: AddTrust External CA Root
          Expiration Date: Sat May 30 10:48:38 2020

cluster1::> autosupport invoke * -type all
The AutoSupport was successfully invoked on node "cluster1-01" (sequence number: 44).
The AutoSupport was successfully invoked on node "cluster1-02" (sequence number: 49).
2 entries were acted on.

cluster1::> autosupport history show -seq-num 44 -node *1
             Seq                                    Attempt
Node         Num   Destination Status               Count
------------ ----- ----------- -------------------- --------
cluster1-01  44    http        sent-successful      1

cluster1::> autosupport history show -seq-num 49 -node *2
             Seq                                    Attempt
Node         Num   Destination Status               Count
------------ ----- ----------- -------------------- --------
cluster1-02  49    http        sent-successful      1
cluster1::> set adv

cluster1::*> security certificate delete -common-name AddTrustExternalCARoot -vserver cluster1 -serial 01 -ca "AddTrust External CA Root" -type server-ca
Warning: Deleting the pre-installed "server-ca" certificate "AddTrustExternalCARoot" could allow any of the applications doing server authentication to fail.
Do you want to continue? {y|n}: y

cluster1::*> autosupport invoke * -type all
The AutoSupport was successfully invoked on node "cluster1-01" (sequence number: 46).
The AutoSupport was successfully invoked on node "cluster1-02" (sequence number: 50).
2 entries were acted on.

cluster1::*> autosupport history show -seq 46 -node *1;autosupport history show -seq 50 -node *2
             Seq                                    Attempt
Node         Num   Destination Status               Count
------------ ----- ----------- -------------------- --------
cluster1-01  46    http        re-queued            1

             Seq                                    Attempt
Node         Num   Destination Status               Count
------------ ----- ----------- -------------------- --------
cluster1-02  50    http        re-queued            2
cluster1::*> security certificate install -type server-ca -vserver cluster1 -cert-name ComodoRSACertificationAuth
Please enter Certificate: Press ENTER when done
-----BEGIN CERTIFICATE-----
...(PEM body omitted)...
-----END CERTIFICATE-----
You should keep a copy of the CA-signed digital certificate for future reference.
The installed certificate's CA and serial number for reference:
CA: COMODO RSA Certification Authority
Serial: 4CAAF9CADB636FE01FF74ED85B03869D
cluster1::*> security certificate show -cert-name ComodoRSACertificationAuth
Vserver    Serial Number                    Certificate                  Type
---------- -------------------------------- ---------------------------- ------------
cluster1   4CAAF9CADB636FE01FF74ED85B03869D ComodoRSACertificationAuth   server-ca
    Certificate Authority: COMODO RSA Certification Authority
          Expiration Date: Mon Jan 18 23:59:59 2038

cluster1::*> autosupport invoke * -type all
The AutoSupport was successfully invoked on node "cluster1-01" (sequence number: 47).
The AutoSupport was successfully invoked on node "cluster1-02" (sequence number: 52).
2 entries were acted on.

cluster1::*> autosupport history show -seq 47 -node *1;autosupport history show -seq 52 -node *2
             Seq                                    Attempt
Node         Num   Destination Status               Count
------------ ----- ----------- -------------------- --------
cluster1-01  47    http        sent-successful      1

             Seq                                    Attempt
Node         Num   Destination Status               Count
------------ ----- ----------- -------------------- --------
cluster1-02  52    http        sent-successful      1
THE END