crypto

The GigaVUE node by default generates and uses a self-signed certificate to provide HTTPS access to the Web-based H-VUE management interface. It also facilitates the user to utilize ACME to manage web certificates. Use the crypto command to configure and manage certificates for the GigaVUE H Series node’s built-in Web server, performing the following tasks:

■   Generate the certificate and key pairs on the GigaVUE H Series node. This overwrites the existing certificate and key pair regardless of whether the previous certificate and key pair was self-signed or user added. You can specify how long the new self-signed certificate lasts with the days-valid argument.
■   Replace a signed certificate with one created by an administrator or generated by a 3rd party certificate authority.
■   Generate a certificate request and upload it to a specified URL. Default values for the certificate request can be configured.
■   The user can also utilize ACME to issues, renew and revoke web certificates.

The crypto command has the following syntax:

crypto

acme client clear

cert-req-msg
      generate upload <upload URL>
      generation default
         country-code <country code>
         days-valid <number of days>
         email-addr <email address>
         key-size-bits <number of bits>
         locality <locality name>
         org-unit <organizational unit name>
         organization <organization name>
         state-or-prov <state or province name>
   certificate

acme issue box-id <box-id>

domain <xyz.gigamon.com>

ca-url <url> |algorithm <rsa-2048 | rsa-4096 | ec-prime256v1 |ec-secp384r1>|

|renew-days <1-365>| |root-cert <certificate_name>|

acme renew box-id <box-id> domain <xyz.gigamon.com>

acme revoke box-id <box-id>domain <xyz.gigamon.com>

ca-list default-ca-list name <CA list name> [system-self-signed]
      default-cert name <cert name> [system-self-signed]
      generation default
         country-code <country code>
         days-valid <number of days>
         email-addr <email address>
         key-size-bits <number of bits>
         locality <locality name>
         org-unit <organizational unit name>
         organization <organization name>
         state-or-prov <state or province name>
      name <cert name>
         comment <new comment>
         generate self-signed
            comment <comment>
            common-name <issuer and subject common name>
            country-code <country code>
            days-valid <number of days>
            email-addr <email address>
            key-size-bits <number of bits>
            locality <locality name>
            org-unit <organizational unit name>
            organization <organization name>
            serial-num <serial number>
            state-or-prov <state or province name>
         private-key pem <PEM string>

private-key pem fetch <url>
         prompt-private-key
         public-cert <comment <comment string>> <pem <PEM string>>
         regenerate [days-valid <number of days>]
         rename <new name>
      system-self-signed regenerate [days-valid <number of days 1-7300>]

The following table describes the arguments for the crypto command:

Argument

Description

acme client clear

Utilize this command to clear the ACME issued certificate from the system. Once the ACME certificate is deleted, the web server will use the default certificate. This command also cancels the auto-renewal timers that are started by the ACME client in the device.

upload <upload URL>

Generates a certificate request message and uploads the request to the specified URL.

The supported formats for upload are: SCP, SFTP, and FTP.

For example:

(config) # crypto cert-req-msg generate upload scp://gigatest@192.168.1.2/tmp/Password (if required): ********Successfully uploaded certificate signing request with name 'cert-req-filebWdanb.csr'Successfully uploaded private key with name 'cert-req-filebWdanb.key'

   country-code <country code>
   days-valid <number of days>
   email-addr <email address>
   key-size-bits <number of bits>
   locality <locality name>
   org-unit <organizational unit name>
   organization <organization name>
   state-or-prov <state or province name>

Configures default values for certificate request message generation as follows:

country-code—Specifies the default value for country code, in two alphanumeric characters.
days-valid—Specifies the default value for days valid. The range is from 1 to 65535 days.
email-addr—Specifies the default value for the organization’s contact email address, in a string.
key-size-bits—Specifies the default value for private key size, in bits, in multiples of 1024.
locality—Specifies the default value for locality, in a string.
org-unit—Specifies the default value for the organizational unit name, in a string.
organization—Specifies the default value for the organization’s name, in a string.
state-or-prov—Specifies the default value for the state or province, in a string.

certificate acme issue box-id <box-id> domain <xyz.gigamon.com> ca-url <url> |algorithm <rsa-2048 | rsa-4096 | ec-prime256v1 |ec-secp384r1>| |renew-days <1-365>| |root-cert <certificate_name>|

Utilize this command to generate a certificate and its corresponding private key for acme client by configuring the values as follows:

box-id <box-id> -Specifies the box-id for which the certificate needs to be issued.
domain <xyz.gigamon.com> -Specify the domain name, which will become the subject name as well as the alternate subject name in the certificate.
ca-url <url>-The Certificate Authority URL.

You can use the following optional values as well:

|renew-days <1-365>|-Specifies the number of days ( 1-365 days) before a certificate expires to initiate the certificate renewal. By default this is 1/3rd days before certificate expiry.
root-cert <certificate name>-Configure the root certificate of the CA server.

acme renew box-id <box-id> domain <xyz.gigamon.com>

Utilize this command to manually renew an already issued certificate as follows:

box-id <box-id> -Specifies the box-id for which the certificate needs to be renewed.
domain <xyz.gigamon.com> -Specify the domain name, which will become the subject name as well as the alternate subject name in the certificate.

acme revoke box-id <box-id>domain <xyz.gigamon.com>

Utilize this command to manually revoke an already issued certificate as follows:

box-id <box-id> -Specifies the box-id for which the certificate needs to be renewed.
domain <xyz.gigamon.com> -Specify the domain name, which will become the subject name as well as the alternate subject name in the certificate.

certificate ca-list default-ca-list name <CA list name> [system-self-signed]

Adds the specified CA certificate to the default CA certificate list.

certificate default-cert name <cert name> [system-self-signed]

Specifies the named certificate as the default certificate for authentication on this node.

certificate generation default
   country-code <country code>
   days-valid <number of days>
   email-addr <email address>
   key-size-bits <number of bits>
   locality <locality name>
   org-unit <organizational unit name>
   organization <organization name>
   state-or-prov <state or province name>

Configures default values for certificate generation as follows:

country-code—Specifies the default value for country code, in two alphanumeric characters.
days-valid—Specifies the default value for days valid. The range is from 1 to 65535 days.
email-addr—Specifies the default value for the organization’s contact email address, in a string.
key-size-bits—Specifies the default value for private key size, in bits, in multiples of 1024.
locality—Specifies the default value for locality, in a string.
org-unit—Specifies the default value for the organizational unit name, in a string.
organization—Specifies the default value for the organization’s name, in a string.
state-or-prov—Specifies the default value for the state or province, in a string.

certificate name <cert name>
   comment <new comment>
   generate self-signed
      comment <comment>
      common-name <common name>
      country-code <country code>
      days-valid <number of days>
      email-addr <email address>
      key-size-bits <number of bits>
      locality <locality name>
      org-unit <organizational unit name>
      organization <organization name>
      serial-num <serial number>
      state-or-prov <state or province name>
   private-key pem <PEM string>

private-key pem fetch <url>
   prompt-private-key
   public-cert <comment <comment string>>
      <pem <PEM string>>
   regenerate [days-valid <number of days>]
   rename <new name>

Configures options for a named certificate to import into the certificate database as follows:

cert-name—Specifies a unique identifier for the certificate.
comment—Specifies a comment for an existing certificate.
generate self-signed—Generates a named self-signed certificate, as follows:
o comment—Specifies a comment for the certificate.
o common-name—Specifies a common name for the certificate, in a string
o country-code—Specifies the country code, in two alphanumeric characters.
o days-valid—Specifies the days valid. The range is from 1 to 65535 days.
o email-addr—Specifies the organization’s contact email address, in a string.
o key-size-bits—Specifies the private key size, in bits, in multiples of 1024.
o locality—Specifies the locality, in a string.
o org-unit—Specifies the organizational unit name, in a string.
o organization—Specifies the organization’s name, in a string.
o serial-number—Specifies the serial number, in a lower-case hexidecimal serial number prefixed with 0x.
o state-or-prov—Specifies the state or province, in a string.
private-key—Adds an RSA private key to a previously imported certificate.
prompt-private-key—Prompts for a PEM-encoded string.
public-cert—Specifies an alternate certificate, such as one issued by a trusted public signing authority.
pem <PEM string>—Specifies a certificate data string in Privacy Enhanced Mail (PEM) format.
fetch <url>—Specifies the remote private key location.
regenerate—Regenerates a specified certificate.
rename—Renames an existing certificate.

Note:  Enclose the contents of the PEM file in quotation marks.

certificate system-self-signed regenerate [days-valid <number of days 1-7300>]

Regenerates a certificate. Certificates are configured to expire after a specified number of days. You can regenerate a certificate with this command, using the days-valid argument to specify how long it will be valid before it needs to be regenerated again.

Related Commands

The following table summarizes other commands related to the crypto command:

Task

Command

Displays the ACME Certificate information and the recent ACME operation that was performed.

# show crypto acme client info

Displays cryptographic configuration and state for all certificates in the certificate database.

# show crypto certificate

Displays the list of configured trusted certificates of authority (CA).

# show crypto certificate ca-list

Displays the list of supplemental certificates configured for the default system CA certificate.

# show crypto certificate ca-list default-ca-list

Displays the currently configured default certificate.

# show crypto certificate default-cert

Displays details of the currently configured default certificate.

# show crypto certificate default-cert detail

Displays the uninterpreted PEM contents of the currently configured default certificate.

# show crypto certificate default-cert public-pem

Displays details of all certificates in the certificate database.

# show crypto certificate detail

Displays a specified named certificate.

# show crypto certificate name mycert

Displays the uninterpreted PEM contents of all certificates in the certificate database.

# show crypto certificate public-pem

Deletes a certificate from the CA certificate trust pool.

(config) # no crypto certificate ca-list default-ca-list name mycert1

Reverts to the system-self-signed certificate as the default.

(config) # no crypto certificate default-cert name system-self-signed

Deletes a specified certificate.

(config) # no crypto certificate name system-self-signed

Deletes the comment on a specified certificate.

(config) # no crypto certificate name system-self-signed comment