crypto
The GigaVUE node by default generates and uses a self-signed certificate to provide HTTPS access for GigaVUE‑FM to communicate and manage GigaVUE node. It also facilitates the user to utilize ACME to manage web certificates. Use the crypto command to configure and manage certificates for the GigaVUE® HC Series node’s built-in Web server, performing the following tasks:
Generate the certificate and key pairs on the GigaVUE HC Series node. This overwrites the existing certificate and key pair regardless of whether the previous certificate and key pair was self-signed or user added. You can specify how long the new self-signed certificate lasts with the days-valid argument. |
Replace a signed certificate with one created by an administrator or generated by a 3rd party certificate authority. |
Generate a certificate request and upload it to a specified URL. Default values for the certificate request can be configured. |
The user can also utilize ACME to issues, renew and revoke web certificates. |
The crypto command has the following syntax:
crypto
acme client clear
cert-req-msg
generate upload <upload URL>
generation default
country-code <country code>
days-valid <number of days>
email-addr <email address>
key-size-bits <number of bits>
locality <locality name>
org-unit <organizational unit name>
organization <organization name>
state-or-prov <state or province name>
certificate
acme issue box-id <box-id>
domain <xyz.gigamon.com>
ca-url <url> |algorithm <rsa-2048 | rsa-4096 | ec-prime256v1 |ec-secp384r1>|
|renew-days <1-365>| |root-cert <certificate_name>|
acme renew box-id <box-id> domain <xyz.gigamon.com>
acme revoke box-id <box-id>domain <xyz.gigamon.com>
ca-list default-ca-list name <CA list name> [system-self-signed]
default-cert name <cert name> [system-self-signed]
generation default
country-code <country code>
days-valid <number of days>
email-addr <email address>
key-size-bits <number of bits>
locality <locality name>
org-unit <organizational unit name>
organization <organization name>
state-or-prov <state or province name>
name <cert name>
comment <new comment>
generate self-signed
comment <comment>
common-name <issuer and subject common name>
country-code <country code>
days-valid <number of days>
email-addr <email address>
key-size-bits <number of bits>
locality <locality name>
org-unit <organizational unit name>
organization <organization name>
serial-num <serial number>
state-or-prov <state or province name>
private-key pem <PEM string>
private-key pem fetch <url>
prompt-private-key
public-cert <comment <comment string>> <pem <PEM string>>
regenerate [days-valid <number of days>]
rename <new name>
system-self-signed regenerate [days-valid <number of days 1-7300>]
The following table describes the arguments for the crypto command:
Argument |
Description |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
acme client clear |
Utilize this command to clear the ACME issued certificate from the system. Once the ACME certificate is deleted, the web server will use the default certificate. This command also cancels the auto-renewal timers that are started by the ACME client in the device. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
upload <upload URL> |
Generates a certificate request message and uploads the request to the specified URL. The supported formats for upload are: SCP, SFTP, and FTP. For example: (config) # crypto cert-req-msg generate upload scp://gigatest@192.168.1.2/tmp/Password (if required): ********Successfully uploaded certificate signing request with name 'cert-req-filebWdanb.csr'Successfully uploaded private key with name 'cert-req-filebWdanb.key' |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
country-code <country code> |
Configures default values for certificate request message generation as follows:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
certificate acme issue box-id <box-id> domain <xyz.gigamon.com> ca-url <url> |algorithm <rsa-2048 | rsa-4096 | ec-prime256v1 |ec-secp384r1>| |renew-days <1-365>| |root-cert <certificate_name>| |
Utilize this command to generate a certificate and its corresponding private key for acme client by configuring the values as follows:
You can use the following optional values as well:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
acme renew box-id <box-id> domain <xyz.gigamon.com> |
Utilize this command to manually renew an already issued certificate as follows:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
acme revoke box-id <box-id>domain <xyz.gigamon.com> |
Utilize this command to manually revoke an already issued certificate as follows:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
certificate ca-list default-ca-list name <CA list name> [system-self-signed] |
Adds the specified CA certificate to the default CA certificate list. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
certificate default-cert name <cert name> [system-self-signed] |
Specifies the named certificate as the default certificate for authentication on this node. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
certificate generation default |
Configures default values for certificate generation as follows:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
certificate name <cert name> private-key pem fetch <url> |
Configures options for a named certificate to import into the certificate database as follows:
Note: Enclose the contents of the PEM file in quotation marks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
certificate system-self-signed regenerate [days-valid <number of days 1-7300>] |
Regenerates a certificate. Certificates are configured to expire after a specified number of days. You can regenerate a certificate with this command, using the days-valid argument to specify how long it will be valid before it needs to be regenerated again. |
Related Commands
The following table summarizes other commands related to the crypto command:
Task |
Command |
Displays the ACME Certificate information and the recent ACME operation that was performed. |
# show crypto acme client info |
Displays cryptographic configuration and state for all certificates in the certificate database. |
# show crypto certificate |
Displays the list of configured trusted certificates of authority (CA). |
# show crypto certificate ca-list |
Displays the list of supplemental certificates configured for the default system CA certificate. |
# show crypto certificate ca-list default-ca-list |
Displays the currently configured default certificate. |
# show crypto certificate default-cert |
Displays details of the currently configured default certificate. |
# show crypto certificate default-cert detail |
Displays the uninterpreted PEM contents of the currently configured default certificate. |
# show crypto certificate default-cert public-pem |
Displays details of all certificates in the certificate database. |
# show crypto certificate detail |
Displays a specified named certificate. |
# show crypto certificate name mycert |
Displays the uninterpreted PEM contents of all certificates in the certificate database. |
# show crypto certificate public-pem |
Deletes a certificate from the CA certificate trust pool. |
(config) # no crypto certificate ca-list default-ca-list name mycert1 |
Reverts to the system-self-signed certificate as the default. |
(config) # no crypto certificate default-cert name system-self-signed |
Deletes a specified certificate. |
(config) # no crypto certificate name system-self-signed |
Deletes the comment on a specified certificate. |
(config) # no crypto certificate name system-self-signed comment |