Import TLS certificates into NetApp ONTAP and configure the connection to the KMES Series 3
This section shows how to import the NetApp ONTAP TLS client certificate and associated private key into ONTAP System Manager, along with the KMIP server root CA certificate, which is needed so that ONTAP can validate the KMES Series 3 TLS certificate. Before doing so, you must use OpenSSL to extract the NetApp ONTAP client certificate and private key from the PKCS #12 file you exported from the KMES Series 3 in the previous section.

## Extract the ONTAP certificate and private key from the PKCS #12 file

To extract the ONTAP client certificate and private key from the PKCS #12 file, perform the following steps:

1. Open a terminal application with OpenSSL installed.
2. Go to the directory where the PKCS #12 file is saved.
3. Run the following OpenSSL command to extract ONTAP's client certificate from the PKCS #12 file and save it to a new PEM file:

   ```shell
   openssl pkcs12 -in file.p12 -clcerts -nokeys -out client_cert.pem
   ```

   When prompted, enter the password that was specified when you exported the PKCS #12 file from the KMES Series 3.
4. Run the following OpenSSL command to extract the ONTAP client private key from the PKCS #12 file and save it to a new PEM file:

   ```shell
   openssl pkcs12 -in file.p12 -nodes -nocerts -out private_key.pem
   ```

   When prompted, enter the password that was specified when you exported the PKCS #12 file from the KMES Series 3.

## Configure an external key manager in ONTAP System Manager

The basic instructions below show how to configure an external key manager in ONTAP System Manager. For additional considerations, refer to the NetApp ONTAP documentation for managing external key managers with System Manager (docs.netapp.com/us-en/ontap/encryption-at-rest/manage-external-key-managers-sm-task.html).

To add an external key manager for a storage VM, you should add an optional gateway when you configure the network interface for the storage VM. If the storage VM was created without the network route, you must create the route explicitly for the external key manager. See Create a LIF (network interface) (docs.netapp.com/us-en/ontap/networking/create_a_lif.html).

To configure an external key manager, perform the following steps:

1. Log in to the ONTAP System Manager.
2. Go to **Cluster > Settings**.
3. In the **Security** section, select the gear icon for **Encryption**.
4. Specify the location in which to store the encryption key by selecting **External Key Manager**.
5. Under **Key servers**, select \[ Add ].
6. Enter the IP address or host name of the KMES Series 3.
7. Leave the default port number, 5696.
8. Next to **KMIP server CA certificates**, select \[ Add new certificate ].
9. Enter a name for the server CA certificate.
10. Under **Certificate details**, select \[ Import ] and open the KMIP server root CA certificate saved as a PEM file. ONTAP requires only the root CA certificate, not the full CA chain.
11. Select \[ Save ].
12. Next to **KMIP client certificates**, select \[ Add new certificate ].
13. Enter a name for the client certificate.
14. Under **Certificate details**, select \[ Import ] and open the ONTAP client certificate PEM file.
15. Under **Private key**, select \[ Import ] and open the ONTAP client private key PEM file.
16. Select \[ Save ].
17. Select \[ Save ] to finish configuring the external key manager.

Under **Cluster > Settings > Encryption**, green checkmarks indicate that the external key manager is successfully configured, along with the key server IP address, hostname, and port number.
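A pre-import check for the three PEM files used above, as an added example that is not part of the original page. Because `-nodes` writes the private key unencrypted and `openssl pkcs12` prefixes each object with "Bag Attributes" text, it confirms that each file holds exactly the object it should and that the key file is owner-only. The function names, file names and sample data are assumptions.

```shell
#!/bin/sh
# Added example: pre-import check for the client cert, private key and root CA PEM files.
# Function names, file names and the sample data are assumptions / constructed.

# Count PEM blocks in FILE ($1) whose BEGIN label ends with LABEL ($2).
pem_count() {
    awk -v l="$2" '{ sub(/\r$/, "") }
        $0 ~ ("^-----BEGIN .*" l "-----$") { n++ } END { print n + 0 }' "$1"
}

# Print only the BEGIN..END blocks, dropping the "Bag Attributes" text
# that `openssl pkcs12` writes in front of each object.
pem_only() {
    awk '{ sub(/\r$/, "") } /^-----BEGIN /{ p = 1 } p { print } /^-----END /{ p = 0 }' "$1"
}

# True when group and other have no permission bits on FILE.
owner_only() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# usage: check_import_files CLIENT_CERT PRIVATE_KEY ROOT_CA
check_import_files() {
    rc=0
    fail() { echo "FAIL: $1" >&2; rc=1; }
    [ "$(pem_count "$1" CERTIFICATE)" -eq 1 ]   || fail "$1: expected exactly one certificate"
    [ "$(pem_count "$1" 'PRIVATE KEY')" -eq 0 ] || fail "$1: contains a private key"
    [ "$(pem_count "$2" 'PRIVATE KEY')" -eq 1 ] || fail "$2: expected exactly one private key"
    [ "$(pem_count "$2" CERTIFICATE)" -eq 0 ]   || fail "$2: contains a certificate"
    owner_only "$2"                             || fail "$2: key file readable by group/other"
    [ "$(pem_count "$3" CERTIFICATE)" -eq 1 ]   || fail "$3: expected the root CA only, not a chain"
    return "$rc"
}

# Constructed sample files (placeholder bodies, not real key material).
make_samples() {
    ( umask 077
      printf '%s\n' 'Bag Attributes' '    friendlyName: ontap' 'subject=CN = ontap' \
          '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1/client_cert.pem"
      printf '%s\n' 'Bag Attributes' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
          '-----END PRIVATE KEY-----' > "$1/private_key.pem"
      printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
          '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1/ca_chain.pem" )
}

if [ "$#" -eq 3 ]; then check_import_files "$@"; fi
```

Run it with the client certificate, private key and root CA files as arguments before the import, and remove the unencrypted key file from the workstation once ONTAP has accepted it.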