This section shows how to import the NetApp ONTAP TLS client certificate and associated private key into ONTAP System Manager, along with the KMIP server root CA certificate, which is needed so that ONTAP can validate the KMES Series 3 TLS certificate. Before doing so, you must use OpenSSL to extract the NetApp ONTAP client certificate and private key from the PKCS #12 file you exported from the KMES Series 3 in the previous section.

Extract the ONTAP certificate and private key from the PKCS #12 file

To extract the ONTAP client certificate and private key from the PKCS #12 file, perform the following steps:
1. Open a terminal application with OpenSSL installed.
2. Go to the directory where the PKCS #12 file is saved.
3. Run the following OpenSSL command to extract ONTAP’s client certificate from the PKCS #12 file and save it to a new PEM file:

       openssl pkcs12 -in file.p12 -clcerts -nokeys -out client-cert.pem

   When prompted, enter the password that was specified when you exported the PKCS #12 file from the KMES.
4. Run the following OpenSSL command to extract the ONTAP client private key from the PKCS #12 file and save it to a new PEM file:

       openssl pkcs12 -in file.p12 -nodes -nocerts -out private-key.pem

   When prompted, enter the password that was specified when you exported the PKCS #12 file from the KMES.
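The following script is an added example, not part of the Futurex or NetApp documentation. It builds a throwaway PKCS #12 bundle (a constructed root CA and a client certificate it signs, standing in for the KMES Series 3 export), runs the two extraction commands above non-interactively, and then performs the checks a practitioner wants before importing anything into System Manager: that the extracted certificate and private key belong together, that the certificate verifies against the root CA alone (the same trust ONTAP builds from the imported root), and that the key file was written with owner-only permissions. The `probe_kmip_server` function is an optional pre-check of mutual TLS against the KMIP port; it needs a reachable server, so it is not run here. All file names, the passphrase and the subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the guide's own code). Exercises the PKCS #12 extraction
# steps offline and validates the result before it is imported into ONTAP.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="demo-export-password"   # constructed; in practice the KMES export password

# Constructed stand-in for the KMES-issued material: a root CA plus a client
# certificate it signs, bundled the way the KMES Series 3 export would be.
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo KMIP Root CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ontap-cluster" \
    -keyout "$WORK/client-key-src.pem" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca-root.pem" \
    -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 1 \
    -out "$WORK/client-src.pem" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/client-src.pem" \
    -inkey "$WORK/client-key-src.pem" -certfile "$WORK/ca-root.pem" \
    -passout "pass:$P12_PASS" -out "$WORK/file.p12"
}

# The two extraction commands from the procedure, with the password supplied
# via -passin instead of a prompt. The key is written inside a subshell with
# umask 077 so the unencrypted private key is never world-readable on disk.
extract_client_material() {
  openssl pkcs12 -in "$WORK/file.p12" -clcerts -nokeys \
    -passin "pass:$P12_PASS" -out "$WORK/client-cert.pem" 2>/dev/null
  ( umask 077
    openssl pkcs12 -in "$WORK/file.p12" -nodes -nocerts \
      -passin "pass:$P12_PASS" -out "$WORK/private-key.pem" 2>/dev/null )
}

# Returns 0 when the public key inside the certificate equals the public key
# derived from the private key. Comparing public keys rather than RSA moduli
# makes the check work for EC keys as well.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$WORK/client-cert.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$WORK/private-key.pem" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the client certificate verifies against the root CA by itself,
# which is exactly the trust ONTAP will have after importing only the root.
cert_chains_to_root() {
  openssl verify -CAfile "$WORK/ca-root.pem" "$WORK/client-cert.pem" >/dev/null 2>&1
}

# Returns 0 when the extracted private key is readable by its owner only.
key_is_private() {
  ls -l "$WORK/private-key.pem" | grep -q '^-rw-------'
}

# Prints subject and expiry so they can be eyeballed before import.
describe_cert() {
  openssl x509 -in "$WORK/client-cert.pem" -noout -subject -enddate
}

# Optional pre-check against the real KMES Series 3 (hostname is a placeholder
# argument): a successful handshake here means the server certificate chains to
# the root you will import and the client certificate/key pair is accepted.
# Not executed in this demo because it needs a reachable KMIP server.
probe_kmip_server() {
  kmip_host="$1"
  openssl s_client -connect "$kmip_host:5696" -CAfile "$WORK/ca-root.pem" \
    -cert "$WORK/client-cert.pem" -key "$WORK/private-key.pem" </dev/null \
    | grep -E 'Verify return code|Verification'
}

if [ "${1:-}" = "run" ]; then
  make_demo_p12 && extract_client_material
  cert_matches_key && cert_chains_to_root && key_is_private && describe_cert
fi
```

Run it as `sh extract-check.sh run` to see the checks pass on the constructed bundle; for the real export, delete `make_demo_p12`, point `WORK` at the directory holding `file.p12`, and replace the constructed `ca-root.pem` with the KMIP server root CA you will import in the next section.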

Configure an external key manager in ONTAP System Manager

Basic instructions below show how to configure an external key manager in ONTAP System Manager. For additional considerations, refer to the NetApp ONTAP documentation for Managing external key managers with System Manager (docs.netapp.com/us-en/ontap/encryption-at-rest/manage-external-key-managers-sm-task.html).
To add an external key manager for a storage VM, you should add an optional gateway when you configure the network interface for the storage VM. If the storage VM was created without the network route, you must create the route explicitly for the external key manager. See Create a LIF network interface (docs.netapp.com/us-en/ontap/networking/create_a_lif.html).
To configure an external key manager, perform the following steps:
1. Log in to the ONTAP System Manager.
2. Go to Cluster > Settings.
3. In the Security section, select the gear icon for Encryption.
4. Specify the location in which to store the encryption key by selecting External key manager.
5. Under Key servers, select [ Add ].
     • Enter the IP address or host name of the KMES Series 3.
     • Leave the default Port number, 5696.
6. Next to KMIP server CA certificates, select [ Add new certificate ].
     • Enter a name for the server CA certificate.
     • Under Certificate details, select [ Import ] and open the KMIP server root CA certificate saved as a PEM file. ONTAP requires only the root CA certificate, not the full CA chain.
     • Select [ Save ].
7. Next to KMIP client certificates, select [ Add new certificate ].
     • Enter a name for the client certificate.
     • Under Certificate details, select [ Import ] and open the ONTAP client certificate PEM file.
     • Under Private key, select [ Import ] and open the ONTAP client private key PEM file.
     • Select [ Save ].
8. Select [ Save ] to finish configuring the external key manager.

Under Cluster > Settings > Encryption, green checkmarks indicate that the external key manager is successfully configured, along with the key server IP address, hostname, and port number.