Installing 3rd-Party Certificates for Web Interfaces on Gigamon

You know what I don’t like? Cottage cheese. It’s gross.

Cottage Cheese

You know what else I don’t like?

This:

not secure https

 

And this:

Your connection is not private

 

And this:

Red Vines Black Licorice

 

And this:

Cisco Smart Licensing

 

And yes, I just wasted a full page, maybe made you excessively scroll, made the readability scores upset, and I’m still not getting to my damn point.

Steve Brule Upset

 

My damn point: I don’t like managed devices that don’t have their web certificates updated, and I had Gigamon appliances that needed some certificate love so I’m jotting down here how to update the Gigamon certificates with externally generated ones.

“Why?” I hear you asking. Well, I don’t think Gigamon does a very good job explaining in their documentation how to update the certificates, so I’m going to do it here.

Googling Gigamon 3rd-Party Certificate Installation

If you try googling for any combination of the words “gigamon install web certificate”, you’re going to get a whole list of links that don’t apply to Gigamon appliances and are really focused on the management platform, GigaVue-FM.

Quick note: the documentation here for GigaVue-FM and the web certificate is accurate, but it’s at the bottom of the search results. So if you’re looking for GigaVue-FM documentation, there you go.

The reason you’re not finding anything relevant in the search results is that everything related to certificates and the web interface lives under the crypto commands (much like Cisco). The basic process, then, is to import the certificate, private key, and certificate chain (root and issuing) using the crypto commands, then tell the web service to use the new certificate.

Configuring Gigamon Certificates

First off, for importing third-party certificates you can do it two ways: paste in the certificate/key information, or download it (“fetch”) from somewhere else.

# Copying in the content
(config) # crypto certificate name steveBruleCA public-cert pem "<contents of cert>"

# Downloading/Fetching the CA certificate
(config) # crypto certificate name steveBruleCA public-cert pem fetch http://consentfactory.com/steveBruleCA.crt

Quick Python Server

My preference is to spin up a Python HTTP server and download from that location real quick. Assuming you have Python installed, you can run the following:

# Spins up Python's HTTP server with default settings
python3 -m http.server

Which results in this:

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Or run this:

# Spins up Python's HTTP server on port 80, the default HTTP port; you may need elevated privileges since it's a privileged port
python3 -m http.server 80

Which results in this:

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
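
`python3 -m http.server` hands out everything in the current directory to anyone who can reach the port, and the later steps fetch the private key from it. As an added example (mine, not from the original post or from Gigamon), here is a stricter stand-in that serves only the named files, only to one client address, and each file only once. The file contents and addresses in `demo()` are constructed, and it assumes the appliance does one plain GET per file.

```python
import http.client
import http.server
import tempfile
import threading
from pathlib import Path

def make_server(directory, allowed_files, allowed_client, bind="127.0.0.1", port=0):
    """Serve only allowed_files from directory, only to allowed_client, once each."""
    remaining = set(allowed_files)            # names not fetched yet
    lock = threading.Lock()
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            name = self.path.lstrip("/")
            if self.client_address[0] != allowed_client:
                return self.send_error(403)   # caller is not the appliance
            with lock:
                if name not in remaining:
                    return self.send_error(404)   # unlisted, or already handed out
                remaining.discard(name)
            data = (Path(directory) / name).read_bytes()
            self.send_response(200)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

    return http.server.ThreadingHTTPServer((bind, port), Handler), remaining

def fetch_status(port, path):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status

def demo():
    """Constructed files and addresses; returns the status of each request."""
    wanted, results = ["webServiceCert.crt", "webServiceCert.key"], []
    with tempfile.TemporaryDirectory() as d:
        for name in wanted + ["notes.txt"]:
            (Path(d) / name).write_text("constructed placeholder\n")
        for client in ("127.0.0.1", "192.0.2.10"):   # second never matches loopback
            srv, _ = make_server(d, wanted, client)
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            for path in ("/webServiceCert.key", "/webServiceCert.key", "/notes.txt"):
                results.append(fetch_status(srv.server_address[1], path))
            srv.shutdown()
            srv.server_close()
    return results
```

For real use, pass the appliance's management IP as `allowed_client`, bind to the address of the machine holding the files, and call `serve_forever()` on the returned server. Stop it as soon as the fetches are done.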

First: Install Your Certificate Authority Certificates

You may or may not need to do this. For me, I did. I’ll show both ways to do it, but from here out, I’ll just be fetching from my Python server.

# Copying in the content
(config) # crypto certificate name steveBruleCA public-cert pem "
> -----BEGIN CERTIFICATE-----
> MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
> CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
> MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
> MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
> Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
> A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
> 27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
> Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
> TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
> qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
> szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
> Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
> MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
> wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
> aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
> VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
> AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
> FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
> C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
> QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
> h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
> 7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
> ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
> MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
> Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
> 6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
> 0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
> 2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
> bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
> -----END CERTIFICATE-----
"

If you type the opening quote and hit Enter, you’ll be given a prompt to enter the certificate data, which you end with another quote and then Enter.

For fetching the certificate, it’s straightforward:

# Downloading/Fetching the CA certificate
(config) # crypto certificate name steveBruleCA public-cert pem fetch http://consentfactory.com/steveBruleCA.crt

Now, after getting the certificate onto the appliance, you need to add it to the trusted store like this:

(config) # crypto certificate ca-list default-ca-list name steveBruleCA

The CA certificate will be trusted now.

Second: Install the Certificate for the Web Service

Now we’re cookin’. Let’s download and install for the web service.

(config) # crypto certificate name webServiceCert public-cert pem fetch http://consentfactory.com/webServiceCert.crt

That’s it for the certificate.

Third: Install the Private Key

This will install the key and prompt you for the password for the private key:

(config) # crypto certificate name webServiceCert private-key pem fetch http://consentfactory.com/webServiceCert.key

Now we’re set to enable the web service to use the new certificate.

Fourth: Configure Web Service to Use New Certificate

This is the easy part:

(config) # web https certificate name webServiceCert

That’s it! No need to restart any services, as the appliance appears to take care of all of that on the backend.

You’re all done. Time to smile, look in the mirror, notice and ignore the zit, and maybe go look at some PCAPs.

All done!