This section shows how to import the NetApp ONTAP TLS client certificate and its private key into ONTAP System Manager, along with the KMIP server root CA certificate. Importing the root CA certificate lets ONTAP validate the CryptoHub TLS certificate. Before doing so, you must use OpenSSL to extract the ONTAP client private key from the PKCS #12 file (pki.p12) that CryptoHub packages inside the Endpoint zip.

Extract the ONTAP private key from the PKCS #12 file

To extract the ONTAP client private key from the pki.p12 file, perform the following steps:
1. Open a terminal application with OpenSSL installed.
2. Navigate to the directory that contains the files extracted from the Endpoint zip archive.
3. Run the following OpenSSL command to extract ONTAP's client private key from the PKCS #12 file and save it to a new PEM file:
   openssl pkcs12 -in pki.p12 -nodes -nocerts -out client-privatekey.pem
   When prompted, enter the PKCS #12 file password, which you can find inside the pki-password.txt file included in the Endpoint zip.
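The extraction step above, as an added shell example that is not part of the Futurex or NetApp documentation: it reads the password from pki-password.txt instead of prompting, also pulls out the client certificate, confirms that the key and certificate belong together, and checks that the CA file is a self-signed root before the files are imported in the System Manager steps that follow. It assumes the openssl CLI is on PATH and that pki.p12 and pki-password.txt are in the working directory; the function names are illustrative, the output file names match the guide.

```shell
#!/bin/sh
# Added example, not from the Futurex/NetApp guide. Assumes the openssl CLI
# is installed and pki.p12 / pki-password.txt from the Endpoint zip are in
# the working directory. Function names are illustrative.
set -eu

# extract_client_material P12 PASSFILE OUTDIR
# Writes OUTDIR/client-privatekey.pem and OUTDIR/client-cert.pem, reading the
# PKCS #12 password from PASSFILE so no interactive prompt is needed.
extract_client_material() {
    p12="$1"; passfile="$2"; outdir="$3"
    mkdir -p "$outdir"
    (
        umask 077   # -nodes writes the key unencrypted: keep it owner-readable only
        # private key only, unencrypted PEM (same as the guide's command)
        openssl pkcs12 -in "$p12" -nodes -nocerts -passin "file:$passfile" \
            -out "$outdir/client-privatekey.pem"
        # client certificate only: no key, no CA certificates
        openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "file:$passfile" \
            -out "$outdir/client-cert.pem"
    )
}

# key_matches_cert KEYFILE CERTFILE
# Succeeds only if the key's public half equals the certificate's public key,
# so System Manager is not handed a mismatched key/certificate pair.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$key_pub" = "$cert_pub" ]
}

# is_self_signed_root CERTFILE (PEM or DER)
# Succeeds if subject equals issuer, i.e. the file is a root CA certificate,
# which is all ONTAP needs rather than the full chain.
is_self_signed_root() {
    inform=PEM
    openssl x509 -in "$1" -inform PEM -noout 2>/dev/null || inform=DER
    subj=$(openssl x509 -in "$1" -inform "$inform" -noout -subject)
    iss=$(openssl x509 -in "$1" -inform "$inform" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}
```

Run it as `extract_client_material pki.p12 pki-password.txt out && key_matches_cert out/client-privatekey.pem out/client-cert.pem && is_self_signed_root "Futurex Test Root CA (ECC).cer"`; a non-zero exit means one of the files should not be imported as-is.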

Configure an external key manager in ONTAP System Manager

The following instructions show how to configure an external key manager in ONTAP System Manager. For additional considerations, refer to the NetApp ONTAP documentation on managing external key managers with System Manager (docs.netapp.com/us-en/ontap/encryption-at-rest/manage-external-key-managers-sm-task.html).
To add an external key manager for a storage VM, add the optional gateway when you configure the network interface for the storage VM. If the storage VM was created without the network route, you must create the route explicitly for the external key manager. See Create a LIF (network interface) (docs.netapp.com/us-en/ontap/networking/create_a_lif.html).
To configure an external key manager, perform the following steps:
1. Log in to ONTAP System Manager.
2. Go to Cluster > Settings.
3. In the Security section, select the gear icon for Encryption.
4. Specify where to store the encryption key by selecting External key manager.
5. Under Key servers, select [ Add ].
   • Enter the IP address or host name of the CryptoHub.
   • Leave the default Port number, 5696.
6. Next to KMIP server CA certificates, select [ Add new certificate ].
   • Enter a name for the server CA certificate.
   • Under Certificate details, select [ Import ] and open the KMIP server root CA certificate file (Futurex Test Root CA (ECC).cer). ONTAP requires only the root CA certificate, not the full CA chain.
   • Select [ Save ].
7. Next to KMIP client certificates, select [ Add new certificate ].
   • Enter a name for the client certificate.
   • Under Certificate details, select [ Import ] and open the ONTAP client certificate PEM file (client-cert.pem).
   • Under Private key, select [ Import ] and open the ONTAP client private key PEM file (client-privatekey.pem).
   • Select [ Save ].
8. Select [ Save ] to finish configuring the external key manager.
Under Cluster > Settings > Encryption, green checkmarks indicate that the external key manager is successfully configured, along with the key server IP address or host name and port number.