Credit for this post to a customer who flagged this to me (thank you).
You may have noticed that the AddTrustExternalCARoot certificate on your NetApp ONTAP cluster expires on Saturday May 30th, 2020:
cluster1::> security certificate show -common-name Ad*
Vserver    Serial Number   Certificate Name             Type
---------- --------------- ---------------------------- ------------
cluster1   01              AddTrustExternalCARoot       server-ca
    Certificate Authority: AddTrust External CA Root
          Expiration Date: Sat May 30 10:48:38 2020
And if you've searched for AddTrust on kb.netapp.com, you'll see that it is used for ASUP over HTTPS communication (check out KBs: KB1028719 & KB1088180). So, you might be wondering:
Question 1) Is the certificate going to be renewed?
Question 2) What happens when the certificate expires?
Answer 1) The 'AddTrust External CA Root Certificate' is being phased out, so it will never be renewed (check out: https://www.xolphin.com/support/Rootcertificates/Phasing_out_Addtrust_External_CA_Root_certificate).
Answer 2) From a NetApp ASUP perspective, nothing is going to happen. ASUP over HTTPS will continue to work, because the new ASUP backend certificate will be signed by an existing, unexpired CA root that is already in the current ONTAP truststore.
To answer the titular question:
AddTrust External CA Root Certificate is being Phased Out: What does it mean for ASUP over HTTPS? Nothing!
Lab Testing
The xolphin.com article above mentions that the 'AddTrust External CA Root Certificate' is being replaced by the COMODO RSA Certification Authority certificate (the one installed in the lab session below).
I did a few tests in the lab to confirm that the 'AddTrust External CA Root Certificate' is currently needed for ASUP (it was on 31st March 2020):
1) Verify ASUP over HTTPS is successful.
2) See what happens when I delete the 'AddTrust External CA Root Certificate' - ASUP over HTTPS does indeed stop (the messages aren't sent, so they re-queue to try again).
3) Install the new Comodo cert and see that ASUP over HTTPS is working again (Note: you absolutely do not need to do this - I'm just playing in a lab - your ASUP over HTTPS will merrily continue past May 30th 2020 without you doing a thing).
cluster1::> version
NetApp Release 9.5P11: Tue Feb 25 13:56:38 UTC 2020

cluster1::> security certificate show -common-name Ad*
Vserver    Serial Number   Certificate Name          Type
---------- --------------- ------------------------- ------------
cluster1   01              AddTrustExternalCARoot    server-ca
    Certificate Authority: AddTrust External CA Root
          Expiration Date: Sat May 30 10:48:38 2020

cluster1::> autosupport invoke * -type all
The AutoSupport was successfully invoked on node "cluster1-01" (sequence number: 44).
The AutoSupport was successfully invoked on node "cluster1-02" (sequence number: 49).
2 entries were acted on.

cluster1::> autosupport history show -seq-num 44 -node *1
             Seq                                    Attempt
Node         Num   Destination Status                 Count
------------ ----- ----------- -------------------- --------
cluster1-01  44    http        sent-successful             1

cluster1::> autosupport history show -seq-num 49 -node *2
             Seq                                    Attempt
Node         Num   Destination Status                 Count
------------ ----- ----------- -------------------- --------
cluster1-02  49    http        sent-successful             1

cluster1::> set adv

cluster1::*> security certificate delete -common-name AddTrustExternalCARoot -vserver cluster1 -serial 01 -ca "AddTrust External CA Root" -type server-ca

Warning: Deleting the pre-installed "server-ca" certificate "AddTrustExternalCARoot" could allow any of the applications doing server authentication to fail.
Do you want to continue? {y|n}: y

cluster1::*> autosupport invoke * -type all
The AutoSupport was successfully invoked on node "cluster1-01" (sequence number: 46).
The AutoSupport was successfully invoked on node "cluster1-02" (sequence number: 50).
2 entries were acted on.

cluster1::*> autosupport history show -seq 46 -node *1; autosupport history show -seq 50 -node *2
             Seq                                    Attempt
Node         Num   Destination Status                 Count
------------ ----- ----------- -------------------- --------
cluster1-01  46    http        re-queued                   1

             Seq                                    Attempt
Node         Num   Destination Status                 Count
------------ ----- ----------- -------------------- --------
cluster1-02  50    http        re-queued                   2

cluster1::*> security certificate install -type server-ca -vserver cluster1 -cert-name ComodoRSACertificationAuth

Please enter Certificate: Press ENTER when done
-----BEGIN CERTIFICATE-----
MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5
MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR
6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X
pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC
9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV
/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf
Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z
+pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w
qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah
SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC
u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf
Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq
crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E
FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl
wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM
4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV
2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna
FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ
CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK
boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke
jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL
S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb
QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
NVOFBkpdn627G190
-----END CERTIFICATE-----
You should keep a copy of the CA-signed digital certificate for future reference.

The installed certificate's CA and serial number for reference:
CA: COMODO RSA Certification Authority
Serial: 4CAAF9CADB636FE01FF74ED85B03869D

cluster1::*> security certificate show -cert-name ComodoRSACertificationAuth
Vserver    Serial Number                    Certificate Name             Type
---------- -------------------------------- ---------------------------- ------------
cluster1   4CAAF9CADB636FE01FF74ED85B03869D ComodoRSACertificationAuth   server-ca
    Certificate Authority: COMODO RSA Certification Authority
          Expiration Date: Mon Jan 18 23:59:59 2038

cluster1::*> autosupport invoke * -type all
The AutoSupport was successfully invoked on node "cluster1-01" (sequence number: 47).
The AutoSupport was successfully invoked on node "cluster1-02" (sequence number: 52).
2 entries were acted on.

cluster1::*> autosupport history show -seq 47 -node *1; autosupport history show -seq 52 -node *2
             Seq                                    Attempt
Node         Num   Destination Status                 Count
------------ ----- ----------- -------------------- --------
cluster1-01  47    http        sent-successful             1

             Seq                                    Attempt
Node         Num   Destination Status                 Count
------------ ----- ----------- -------------------- --------
cluster1-02  52    http        sent-successful             1
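The lab session above finds the expiring root by eyeballing the `Expiration Date` line of `security certificate show`. The same check can be scripted against a PEM bundle exported from any truststore, which is how you would confirm ahead of time that the roots a service depends on are not about to lapse. The following is an added example written for this post, not NetApp or ONTAP code: a minimal DER walker that reads the serial number, issuer CN and validity window of each certificate in a bundle and flags anything expired or inside a warning window. The sample bundle is the public COMODO RSA Certification Authority root exactly as installed above; the `audit_bundle` function name, the `as_of_date` string parameter and the 90-day default window are this example's own choices.

```python
# Added example (not NetApp/ONTAP code): audit a PEM bundle of CA certificates for
# roots that are expired or about to expire, using a minimal DER walker that reads
# only the serial number, issuer CN and validity window (no signature checks).
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

# Sample input: the public COMODO RSA Certification Authority root installed in the lab above.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5
MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR
6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X
pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC
9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV
/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf
Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z
+pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w
qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah
SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC
u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf
Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq
crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E
FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl
wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM
4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV
2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna
FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ
CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK
boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke
jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL
S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb
QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
NVOFBkpdn627G190
-----END CERTIFICATE-----
"""

def read_tlv(buf, pos):
    # Return (tag, value, next_pos) for the DER element starting at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_children(body):
    # Yield (tag, value) for every element inside a SEQUENCE or SET body.
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def parse_time(tag, value):
    # UTCTime (0x17) carries a two-digit year; GeneralizedTime (0x18) a four-digit one.
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def common_name(name):
    # Name is SEQUENCE OF SET OF (OID, value); return the value tagged with the CN OID.
    for _, rdn in iter_children(name):
        for _, atv in iter_children(rdn):
            (_, oid), (_, value) = list(iter_children(atv))[:2]
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")

def parse_certificate(der):
    _, cert, _ = read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate is its first element
    fields = iter_children(tbs)
    tag, serial = next(fields)
    if tag == 0xA0:                          # skip the optional [0] EXPLICIT version
        tag, serial = next(fields)
    next(fields)                             # signature AlgorithmIdentifier
    _, issuer = next(fields)
    _, validity = next(fields)
    not_before, not_after = (parse_time(t, v) for t, v in iter_children(validity))
    return {"issuer_cn": common_name(issuer), "serial": serial.hex().upper(),
            "not_before": not_before, "not_after": not_after}

def audit_bundle(pem_text, as_of_date, warn_days=90):
    # Classify every certificate in the bundle relative to as_of_date ("YYYY-MM-DD", UTC).
    as_of = datetime.strptime(as_of_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    results = []
    for match in PEM_RE.finditer(pem_text):
        info = parse_certificate(base64.b64decode("".join(match.group(1).split())))
        days_left = (info["not_after"] - as_of).days
        status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left <= warn_days else "OK"
        results.append({**info, "days_left": days_left, "status": status})
    return results
```

Run `audit_bundle(SAMPLE_BUNDLE, "2020-05-30")` to evaluate the bundle as of the AddTrust expiry date: the COMODO root comes back as `OK` with its 2038 expiry, so a backend certificate chaining to it keeps validating after May 30th. Point the same function at a bundle containing the AddTrust root and it is reported `EXPIRING` in the run-up to that date and `EXPIRED` afterwards, which is the state ONTAP's truststore will show once the date passes. The parser deliberately stops at the validity field and does no signature or chain verification; it answers only "when does this root lapse?".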
THE END