Configuring certificate authentication

To configure certificate authentication, you need to complete a number of steps on each storage system and Windows client that will be participating in IPsec communications.

Steps

1. Request a signed certificate from a certificate authority. You can request a signed certificate from a Windows 2000 certificate authority or from a non-Windows-2000 certificate authority.
2. Install the signed certificate. The proper installation method depends on whether the certificate was signed by a certificate authority and whether you are installing the certificate on a storage system or a Windows client.
3. Download and install one or more root certificates.

   Your storage system or Windows client can establish an IPsec connection with any other storage system or Windows client that uses a certificate signed by a certificate authority that you trust. To specify that you trust a specific certificate authority, you should install that certificate authority's root certificate. Then, you can optionally specify a subset of 1 to 15 certificates that Data ONTAP should use for certificate authentication.

4. Enable the IPsec certificate authentication mechanism.

• Requesting a signed certificate from a Windows 2000 certificate authority
  You can request a signed certificate from a Windows 2000 certificate authority.
• Installing a certificate signed by a Windows 2000 certificate authority onto a Windows client
  If you have requested a certificate signed by a Windows 2000 certificate authority, you must then install it on your Windows client.
• Requesting a signed certificate from a non-Windows 2000 certificate authority
  You can request a signed certificate from a non-Windows 2000 certificate authority.
• Installing a certificate signed by a non-Windows 2000 certificate authority onto a Windows client
  If you have requested a certificate signed by a non-Windows 2000 certificate authority, you must then install it on your Windows client.
• Installing a signed certificate onto a storage system
  You also need to install a signed certificate in a storage system if you are going to use the certificate authentication method for the IPsec protocol.
• Installing root certificates onto a storage system
  You must also install one or more root certificates in each of the storage systems that will be part of a security association among clients and storage systems.
• Specifying the subset of root certificates that Data ONTAP uses for certificate authentication
  By default, Data ONTAP uses all of your storage system's root certificates for certificate authentication. You can specify that Data ONTAP should use only a subset of these root certificates for certificate authentication.
• Viewing the subset of root certificates Data ONTAP uses for certificate authentication
  You can use the ipsec cert show command to view the subset of root certificates that Data ONTAP is currently using for certificate authentication.
• Installing root certificates onto a Windows client
  After you have installed root certificates on your storage system, you must also install them on your Windows clients.
• Enabling the IPsec certificate authentication mechanism on a storage system
  After your certificates are installed on a storage system, you must enable the IPsec security authentication mechanism.
• Enabling the IPsec certificate authentication mechanism on a Windows client
  You must enable the IPsec certificate authentication mechanism on a Windows client before you can use IPsec.