Saturday, 4 April 2020

AddTrust External CA Root Certificate is being Phased Out: What does it mean for ASUP over HTTPS?


Credit for this post to a customer who flagged this to me (thank you).

You may have noticed the AddTrustExternalCARoot certificate on your NetApp ONTAP cluster, is expiring on Saturday May 30th, 2020.

cluster1::> security certificate show -common-name Ad*
Vserver    Serial Number   Certificate Name             Type
---------- --------------- ---------------------------- ------------
cluster1   01              AddTrustExternalCARoot      server-ca
    Certificate Authority: AddTrust External CA Root
          Expiration Date: Sat May 30 10:48:38 2020

And if you’ve stuck AddTrust into kb.netapp.com, you’ll see that it is used by ASUP over HTTPS communication (check out KBs: KB1028719 & KB1088180). So, you might be wondering:

Question 1) Is the certificate going to be renewed?
Question 2) What happens when the certificate expires?

Answer 1) The ‘AddTrust External CA Root Certificate’ is being phased out! So, it never can be renewed (check out: https://www.xolphin.com/support/Rootcertificates/Phasing_out_Addtrust_External_CA_Root_certificate).
Answer 2) From a NetApp ASUP perspective, nothing is going to happen, ASUP over HTTPS will continue to work, and this is because a new ASUP backend certificate will be signed by an existing un-expired CA root in the current ONTAP truststore.

To answer the titular question:
AddTrust External CA Root Certificate is being Phased Out: What does it mean for ASUP over HTTPS? Nothing!

Lab Testing

The xolphin.com article above mentions the ‘AddTrust External CA Root Certificate’ is being replaced by this certificate:

I did a few tests in the lab to confirm the ‘AddTrust External CA Root Certificate’ is currently needed for ASUP (it was on 31st March 2020):

1) Verify ASUP over HTTPS is successful.
2) See what happens when I delete the ‘AddTrust External CA Root Certificate’ - ASUP over HTTPS does indeed stop (the messages aren’t sent so re-queue to try again.)
3) Install the new comodo cert and see that ASUP over HTTPS is now working again (Note: You absolutely do not need to do this - I’m just playing in a lab - your ASUP over HTTPS will merrily continue past May 30th 2020, without you doing a thing.)


cluster1::> version
NetApp Release 9.5P11: Tue Feb 25 13:56:38 UTC 2020

cluster1::> security certificate show -common-name Ad*
Vserver    Serial Number   Certificate Name          Type
---------- --------------- ------------------------- ------------
cluster1   01              AddTrustExternalCARoot    server-ca
    Certificate Authority: AddTrust External CA Root
          Expiration Date: Sat May 30 10:48:38 2020

cluster1::> autosupport invoke * -type all
The AutoSupport was successfully invoked on node "cluster1-01" (sequence number: 44).
The AutoSupport was successfully invoked on node "cluster1-02" (sequence number: 49).
2 entries were acted on.

cluster1::> autosupport history show -seq-num 44 -node *1
             Seq                                    Attempt
Node         Num   Destination Status               Count
------------ ----- ----------- -------------------- --------
cluster1-01  44
                   http        sent-successful      1

cluster1::> autosupport history show -seq-num 49 -node *2
             Seq                                    Attempt
Node         Num   Destination Status               Count
------------ ----- ----------- -------------------- --------
cluster1-02  49
                   http        sent-successful      1

cluster1::> set adv

cluster1::*> security certificate delete -common-name AddTrustExternalCARoot -vserver cluster1 -serial 01 -ca "AddTrust External CA Root" -type server-ca

Warning: Deleting the pre-installed "server-ca" certificate "AddTrustExternalCARoot" could allow any of the applications doing server authentication to fail.
Do you want to continue? {y|n}: y

cluster1::*> autosupport invoke * -type all
The AutoSupport was successfully invoked on node "cluster1-01" (sequence number: 46).
The AutoSupport was successfully invoked on node "cluster1-02" (sequence number: 50).
2 entries were acted on.

cluster1::*> autosupport history show -seq 46 -node *1;autosupport history show -seq 50 -node *2
             Seq                                    Attempt
Node         Num   Destination Status               Count
------------ ----- ----------- -------------------- --------
cluster1-01  46
                   http        re-queued            1

             Seq                                    Attempt
Node         Num   Destination Status               Count  
------------ ----- ----------- -------------------- --------
cluster1-02  50
                   http        re-queued            2

cluster1::*> security certificate install -type server-ca -vserver cluster1 -cert-name ComodoRSACertificationAuth

Please enter Certificate: Press ENTER when done
-----BEGIN CERTIFICATE-----
MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5
MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR
6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X
pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC
9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV
/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf
Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z
+pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w
qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah
SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC
u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf
Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq
crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E
FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl
wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM
4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV
2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna
FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ
CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK
boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke
jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL
S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb
QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
NVOFBkpdn627G190
-----END CERTIFICATE-----


You should keep a copy of the CA-signed digital certificate for future reference.

The installed certificate's CA and serial number for reference:
CA: COMODO RSA Certification Authority
Serial: 4CAAF9CADB636FE01FF74ED85B03869D

cluster1::*> security certificate show -cert-name ComodoRSACertificationAuth
Vserver    Serial Number   Certificate Name             Type
---------- --------------- ---------------------------- ------------
cluster1   4CAAF9CADB636FE01FF74ED85B03869D
                           ComodoRSACertificationAuth   server-ca
    Certificate Authority: COMODO RSA Certification Authority
          Expiration Date: Mon Jan 18 23:59:59 2038

cluster1::*> autosupport invoke * -type all
The AutoSupport was successfully invoked on node "cluster1-01" (sequence number: 47).
The AutoSupport was successfully invoked on node "cluster1-02" (sequence number: 52).
2 entries were acted on.

cluster1::*> autosupport history show -seq 47 -node *1;autosupport history show -seq 52 -node *2
             Seq                                    Attempt
Node         Num   Destination Status               Count  
------------ ----- ----------- -------------------- --------
cluster1-01  47
                   http        sent-successful      1

             Seq                                    Attempt
Node         Num   Destination Status               Count  
------------ ----- ----------- -------------------- --------
cluster1-02  52
                   http        sent-successful      1


THE END

No comments:

Post a comment