Problem
The certificate of the clean interface of the Threatgrid appliance is required when integrating Threatgrid with devices such as Firepower Management Center. Newer Threatgrid updates completely overhauled the UI of the admin portal and, due to security concerns, removed the option to download the certificate directly. As a result, you can no longer download the self-signed TG certificates directly from the UI. This article describes the available options for obtaining the certificate.
Note: This is a workaround not officially supported by Cisco TAC. We recommend that customers use signed certificates when integrating other Cisco products with the ThreatGrid Appliance.
Solution
Step 1. Navigate to https://<Opadmin FQDN or IP>/admin/graphiql
Step 2. Enter the following query and run it.
{
  SSL(Key: PANDEM) {
    Text
  }
}
Step 3. The return value contains the text encoded as a JSON string, which must be decoded (each \n changed to a newline) before it can be used. Replace every \n with a newline manually.
Step 4. After making the changes, save the file in .pem format and use it for the integration.
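The decoding in Steps 3 and 4 can be scripted instead of edited by hand. The following is an added example, not part of the original article or any Cisco tooling: it decodes the JSON string with a JSON parser, lists the PEM blocks found, and confirms that each one is valid base64. The function names, the "data" response envelope, and the sample bytes are assumptions constructed for illustration.

```python
import base64, hashlib, json, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)

def find_pem_text(value):
    """Walk decoded JSON and return the first string that holds a PEM block."""
    if isinstance(value, str):
        return value if "-----BEGIN " in value else None
    if isinstance(value, dict):
        value = list(value.values())
    for child in value if isinstance(value, list) else ():
        found = find_pem_text(child)
        if found:
            return found
    return None

def response_to_pem(raw):
    """raw: the whole JSON result, or only the quoted string value (quotes included)."""
    text = find_pem_text(json.loads(raw))  # json.loads turns the \n escapes into newlines
    if text is None:
        raise ValueError("no PEM block found in the response")
    return text.replace("\r\n", "\n").strip() + "\n"

def pem_blocks(pem):
    """Return (label, SHA-256 of the decoded bytes) for every PEM block."""
    blocks = []
    for label, body in PEM_RE.findall(pem):
        der = base64.b64decode("".join(body.split()), validate=True)  # raises if corrupted
        blocks.append((label, hashlib.sha256(der).hexdigest()))
    return blocks

# Constructed sample: placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_FINGERPRINT = hashlib.sha256(SAMPLE_DER).hexdigest()
_pem = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
        + "\n-----END CERTIFICATE-----\n")
# Assumed response shape: standard GraphQL "data" envelope mirroring the query.
SAMPLE_RESPONSE = json.dumps({"data": {"SSL": {"Text": _pem}}})
SAMPLE_STRING_ONLY = json.dumps(_pem)

if __name__ == "__main__":
    pem = response_to_pem(SAMPLE_RESPONSE)
    with open("outcert.pem", "w", newline="\n") as fh:
        fh.write(pem)
    for label, digest in pem_blocks(pem):
        print(label, digest)
```

For a real certificate, the printed SHA-256 value is the certificate fingerprint, so it can be compared with the fingerprint the browser shows for the clean interface or with the output of openssl x509 -in outcert.pem -noout -fingerprint -sha256 before the file is used for the integration.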
Alternatively, you can navigate to the CLEAN interface of the TG appliance with a browser such as Firefox, save the certificate presented there, and use it for the integration.
You will need to export the certificate as a DER-encoded .crt file.
Next, you will need to convert it to a .pem file using OpenSSL. An example of this conversion command would be something to the effect of:
openssl x509 -inform DER -in yourdownloaded.crt -out outcert.pem