Import TLS certificates into NetApp ONTAP and configure the connection to the CryptoHub
This section shows how to import the NetApp ONTAP TLS client certificate and its associated private key into ONTAP System Manager, along with the KMIP server root CA certificate. The root CA certificate is what lets ONTAP validate the {{ch}} TLS certificate when it connects to the KMIP server. Before you take this action, you must use OpenSSL to extract the ONTAP client private key from the PKCS #12 file (pki.p12) that {{ch}} packages inside the endpoint ZIP.

Extract the ONTAP private key from the PKCS #12 file

To extract the ONTAP client private key from the pki.p12 file, perform the following steps:

1. Open a terminal application with OpenSSL installed.
2. Navigate to the directory that contains the files extracted from the endpoint ZIP archive.
3. Run the following OpenSSL command to extract ONTAP's client private key from the PKCS #12 file and save it to a new PEM file:

   openssl pkcs12 -in pki.p12 -nodes -nocerts -out client-privatekey.pem

4. When prompted, enter the PKCS #12 file password, which you can find in the pki-password.txt file included in the endpoint ZIP.

The -nodes option writes the private key to disk unencrypted. Restrict the file's permissions, import it into ONTAP promptly, and delete the file afterwards; the key remains available inside the encrypted pki.p12 if you need it again.

Configure an external key manager in ONTAP System Manager

The following instructions show how to configure an external key manager in ONTAP System Manager. For additional considerations, see the NetApp ONTAP documentation on managing external key managers with System Manager (https://docs.netapp.com/us-en/ontap/encryption-at-rest/manage-external-key-managers-sm-task.html).

To add an external key manager for a storage VM, add an optional gateway when you configure the network interface for the storage VM. If the storage VM was created without the network route, you must create the route explicitly for the external key manager; see Create a LIF (network interface) (https://docs.netapp.com/us-en/ontap/networking/create_a_lif.html).

To configure an external key manager, perform the following steps:

1. Log in to ONTAP System Manager.
2. Go to Cluster > Settings.
3. In the Security section, select the gear icon for Encryption.
4. Specify where to store the encryption key by selecting External Key Manager.
5. Under Key Servers, select [Add].
6. Enter the IP address or host name of the {{ch}}.
7. Leave the default port number, 5696.
8. Next to KMIP Server CA Certificates, select [Add new certificate].
9. Enter a name for the server CA certificate.
10. Under Certificate Details, select [Import] and open the KMIP server root CA certificate PEM file (server-root-ca.pem). ONTAP requires only the root CA certificate, not the full CA chain.
11. Select [Save].
12. Next to KMIP Client Certificates, select [Add new certificate].
13. Enter a name for the client certificate.
14. Under Certificate Details, select [Import] and open the ONTAP client certificate PEM file (client-cert.pem).
15. Under Private Key, select [Import] and open the ONTAP client private key PEM file (client-privatekey.pem).
16. Select [Save].
17. Select [Save] to finish configuring the external key manager.

Under Cluster > Settings > Encryption, green checkmarks indicate that the external key manager is successfully configured, along with the key server IP address or host name and port number.