The following steps describe how to install an SSL certificate on AirWave that carries Subject Alternative Names (SANs).
A certificate that must be valid for several (alternate) DNS names needs a CSR (Certificate Signing Request) that lists those names as Subject Alternative Names; a CSR that carries only a Common Name (CN) will not do.
Environment: AMP version 8.0 and earlier versions back to 7.2.x
Installing a valid SSL (Secure Sockets Layer) certificate on AMP is a three-step process:
I. Create a CSR (Certificate Signing Request) file
II. Send the CSR to a third-party Certificate Authority (CA)
III. Install the certificate you receive from the CA on your AirWave server
I. CREATE A CERTIFICATE SIGNING REQUEST (CSR)
For a generic SSL certificate request (CSR), openssl needs little configuration. Because we are going to add one or more SANs to the CSR, a few things have to change in the openssl configuration file: openssl must be told to put X.509 v3 extensions into the CSR, and it must be given the list of subject alternative names to include.
1. Find the file openssl.cnf on your server. On most systems it is in one of these two locations: /etc/pki/tls/openssl.cnf or /usr/share/ssl/openssl.cnf.
2. Edit openssl.cnf using nano, vi or the text editor of your choice:
# nano /etc/pki/tls/openssl.cnf
# nano /usr/share/ssl/openssl.cnf
Keep in mind that this file is the system-wide default for every openssl command on the server and may be replaced by a package or AirWave upgrade. If you prefer not to touch it, copy it, edit the copy and pass the copy to openssl with -config when you generate the CSR in step 10.
3. Go to the [req] section, which tells openssl what to do with certificate requests (CSRs). Within that section there should be a line that begins with req_extensions. We want these two lines to read as follows:
distinguished_name = req_distinguished_name
req_extensions = v3_req
This tells openssl to include the v3_req section in CSRs. In the stock openssl.cnf the req_extensions line is usually present but commented out with a leading #; remove the #, or, if the line is missing entirely, add it exactly as shown above. Without it the SANs you configure later are silently left out of the CSR.
4. Go to the section named [ req_distinguished_name ]:
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
0.organizationName = Aruba Networks, Inc.
organizationalUnitName = AirWave Wireless
commonName = my_amp.airwave.com
emailAddress = firstname.lastname@example.org
5. Replace the information for Aruba/AirWave with your company's information. Note that with the section in this form openssl still prompts for each field and only uses these values as the prompt text; if you want it to take the values as they stand without prompting, also add the line prompt = no to the [req] section.
6. Under the [ req_attributes ] section update the challengePassword.
[ req_attributes ]
challengePassword = A challenge password
The challenge password is an optional CSR attribute that most public CAs ignore; it is not a passphrase on the private key, which this procedure creates unencrypted (see step 10).
7. Now go down to the [ v3_req ] section and make sure that it includes the following, and add the [ alt_names ] section it refers to (the stock file does not have one):
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = my_amp.airwave.com
DNS.2 = helpdesk.example.org
DNS.3 = systems.example.net
IP.1 = 192.168.1.1
IP.2 = 192.168.69.14
Note: subjectAltName = @alt_names points at a section named alt_names, so the [ alt_names ] header is required; without it openssl fails when it builds the extension. List only the names and addresses this server is actually reached by, since the CA will issue a certificate that is valid for every entry. Public CAs generally refuse to issue for private (RFC 1918) addresses such as the two shown, so IP entries are mainly useful with an internal CA.
Note: In alt_names, make sure the CN is repeated as one of the DNS entries. Once a certificate carries a SAN extension, browsers match the host name against the SAN list only and ignore the CN, so a CN that is not also listed in alt_names produces a name-mismatch warning.
8. Save the file.
NOTE: In the example below we create a directory named ssl-certs under /var/airwave/custom to store the new certificate request and private key. We recommend storing them here because the /var/airwave/custom directory and all of its subdirectories are included in the nightly backup file in case you need to restore your certificate at some point. This is also the directory where you should save the certificate you get back from the CA (see Step III below).
9. Create ssl-certs directory under /var/airwave/custom:
# mkdir /var/airwave/custom/ssl-certs
10. Run openssl to create a new private key and CSR in the ssl-certs directory:
# openssl req -nodes -newkey rsa:2048 -keyout /var/airwave/custom/ssl-certs/newcert_private.key -out /var/airwave/custom/ssl-certs/newcert.csr
The -nodes option writes the private key unencrypted, which the web server needs in order to start without a passphrase; make sure the key file (and the ssl-certs directory) is readable by root only. Older OpenSSL builds sign the CSR with SHA-1 by default; add -sha256 to the command if your CA insists on it. Unless you added prompt = no in step 5, you will be prompted for the Distinguished Name fields configured in step 4.
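The script below is an added example, not part of the original AirWave article, that carries steps 3 to 10 through end to end with a private openssl configuration passed via -config (so the system openssl.cnf is left alone) and then checks the result. The hostnames, organisation, IP address and working directory are made-up values; it assumes a POSIX shell and the openssl command line tool.

```bash
#!/bin/sh
# Added example: build a private openssl config with SANs, generate a key and
# CSR from it, and confirm the SANs made it into the request.
# All names and paths are assumptions for the example; substitute your own.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CONF="$WORK/san.cnf"
KEY="$WORK/newcert_private.key"
CSR="$WORK/newcert.csr"

# prompt = no makes openssl take the DN values as-is instead of using them as
# prompt text. The CN is repeated as DNS.1 because browsers match the host
# name against the SAN list only once a SAN extension is present.
write_san_config() {
  cat > "$CONF" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = v3_req

[ req_distinguished_name ]
C  = US
ST = California
O  = Example Corp
OU = AirWave
CN = my_amp.example.org

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = my_amp.example.org
DNS.2 = helpdesk.example.org
IP.1  = 192.0.2.10
EOF
}

# Generate an unencrypted 2048-bit RSA key and the CSR. -nodes leaves the
# key unencrypted, so restrict it to the owner straight away.
make_csr() {
  write_san_config
  openssl req -new -nodes -newkey rsa:2048 -config "$CONF" \
    -keyout "$KEY" -out "$CSR" 2>/dev/null
  chmod 600 "$KEY"
}

# Print the SAN line of a CSR with spaces removed, e.g.
# DNS:a.example.org,DNS:b.example.org,IPAddress:192.0.2.10
# (empty if the request carries no SAN extension).
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr -d ' '
}

# Return 0 if the CSR's CN also appears as a DNS entry in its SAN list.
# The sed handles both "CN = x" (OpenSSL 1.1+) and "/CN=x" (1.0) subject output.
cn_in_san() {
  cn=$(openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//')
  case "$(csr_sans "$1")," in
    *"DNS:$cn,"*) return 0 ;;
    *) return 1 ;;
  esac
}

make_csr
echo "SANs in $CSR: $(csr_sans "$CSR")"
cn_in_san "$CSR" && echo "CN is covered by the SAN list"
```

Run it as root on the AirWave server with WORK=/var/airwave/custom/ssl-certs to land the key and CSR where the article keeps them; the csr_sans and cn_in_san checks are the same ones you should run on a CSR produced by editing the system openssl.cnf, because a forgotten req_extensions line fails silently.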
II. REQUEST A CERTIFICATE FROM A VALID CERTIFICATE AUTHORITY
Any certificate authority (such as Verisign, Thawte, InstantSSL) can fulfill your request. When you are prompted for a CSR, provide the contents of the newcert.csr file you generated in step 10 above.
If you receive several certificates back, the one you want is the one described as a base64-encoded X.509 certificate (PEM format, beginning with -----BEGIN CERTIFICATE-----). If the CA also sends a root or intermediate (chain) certificate, keep it as well: clients need the chain to validate your certificate, and an internal CA's root certificate is what you import into the Java trust store in step III.4.
III. YOU'VE RECEIVED YOUR CERTIFICATE, HOW DO YOU INSTALL IT?
This example assumes that you've named your certificate newcert.crt. You can name it anything you want.
IMPORTANT NOTE FOR FAILOVER: The instructions below are fine for AMPs and Master Console. On a Failover server, instead of storing the certificates in /var/airwave/custom/ssl-certs/, store them somewhere that is not affected by backup/restore operations, such as /home/some_user, and point the soft links at the files there.
1. Save the certificate as /var/airwave/custom/ssl-certs/newcert.crt
2. Concatenate your certificate and private key into one file, to be used by pound. Add a newline to the end of the certificate so that the two files do not run together during the concatenation:
# echo -e "\n" >> /var/airwave/custom/ssl-certs/newcert.crt
# cat /var/airwave/custom/ssl-certs/newcert.crt /var/airwave/custom/ssl-certs/newcert_private.key > /var/airwave/custom/ssl-certs/pound.crt
The combined pound.crt contains the private key, so it needs the same root-only permissions as newcert_private.key.
3. Modify the symbolic (soft) links in the default directories to point to your new certificate and private key files:
# ln -sf /var/airwave/custom/ssl-certs/newcert.crt /etc/httpd/conf/ssl.crt/server.crt
# ln -sf /var/airwave/custom/ssl-certs/newcert_private.key /etc/httpd/conf/ssl.key/server.key
# ln -sf /var/airwave/custom/ssl-certs/pound.crt /etc/httpd/conf/ssl.pem
4. If the certificate is signed by an internal CA, you must also import that CA's root certificate into the Java trust store, otherwise VisualRF cannot validate the server certificate and will not work correctly. To do that, execute the command below (changeit is the default cacerts password):
# keytool -import -noprompt -trustcacerts -alias <give a name to identify the CA in the keytool> -file <path/of the /cert/in/airwave/server> -keystore /usr/java/jre1.8.0_72/lib/security/cacerts -storepass changeit
For example, importing the chain and then confirming the entry is present:
[root@airwave tmp]# keytool -import -noprompt -trustcacerts -alias chaincert-lab -file /var/airwave/custom/ssl-certs/airwave-CertChain.cr
Certificate was added to keystore
[root@airwave tmp]# keytool -list -keystore "/usr/java/jre1.8.0_72/lib/security/cacerts" | grep chain
Enter keystore password: changeit
chaincert-lab, May 2, 2016, trustedCertEntry,
Once done, restart the VisualRF engine. Note that the cacerts path above is tied to a specific JRE version; if a later AirWave upgrade ships a different JRE, the import has to be repeated against the new cacerts file, which you can confirm with the keytool -list command shown above.
IV. VERIFY THE CSR AND THE SSL CONFIGURATION
1. Once the CSR is created, you can verify that it contains the Subject Alternative Names with the command below:
# openssl req -text -noout -in /var/airwave/custom/ssl-certs/newcert.csr
You should see output like the following (this sample was produced from a different alt_names list than the one above, so the names differ). Note the Subject Alternative Name section; if it is missing, the req_extensions line from step I.3 was not picked up:
        Version: 0 (0x0)
        Subject: C=US, ST=Texas, L=Fort Worth, O=My Company, OU=My Department, CN=server.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit): ...
                Exponent: 65537 (0x10001)
        Requested Extensions:
            X509v3 Basic Constraints: CA:FALSE
            X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: DNS:my_amp.airwave.com, DNS:kb.example.com, DNS:helpdesk.example.com
    Signature Algorithm: sha1WithRSAEncryption
2. Check the SSL configuration file to make sure the paths to your certificate and private key files are correct. The default file locations should be specified. These paths point to the symbolic links you set up in step III.3 above, which in turn point to the new certificate and private key files in the /var/airwave/custom/ssl-certs/ directory.
NOTE: The ssl.conf file is overwritten during upgrades, so if you were to specify the path directly to the certificate and key files themselves, you would have to edit ssl.conf again after every server upgrade.
# nano /etc/httpd/conf.d/ssl.conf
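As an added example, not code from the original article, here is a set of post-installation checks for steps III.2 and III.3 and for the verification above: that the certificate and key concatenated into the pound file actually belong together, that the certificate carries the SANs you asked for, and that every symlink resolves to a regular file inside the backed-up directory. To run stand-alone it builds a self-signed certificate as a stand-in for the CA-issued one and uses a temporary directory in place of /etc/httpd/conf; the hostnames are invented. It assumes OpenSSL 1.1.1 or later (for -addext) and a readlink that supports -f.

```bash
#!/bin/sh
# Added example: checks to run after installing the certificate.
# Paths default to a temporary directory so the script runs anywhere; set
# SSLDIR=/var/airwave/custom/ssl-certs and HTTPD=/etc/httpd/conf to check a
# real AirWave install (and skip make_demo_files).
set -eu

SSLDIR="${SSLDIR:-$(mktemp -d)}"
CRT="$SSLDIR/newcert.crt"
KEY="$SSLDIR/newcert_private.key"
POUND="$SSLDIR/pound.crt"
HTTPD="${HTTPD:-$SSLDIR/httpd}"   # stand-in for /etc/httpd/conf

# Self-signed stand-in for the CA-issued certificate (example only; in
# production newcert.crt comes back from your CA), the combined pound file
# built exactly as in step III.2, and the symlinks from step III.3.
make_demo_files() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
    -subj "/CN=my_amp.example.org" \
    -addext "subjectAltName=DNS:my_amp.example.org,DNS:helpdesk.example.org" \
    -keyout "$KEY" -out "$CRT" 2>/dev/null
  { cat "$CRT"; echo; cat "$KEY"; } > "$POUND"
  chmod 600 "$KEY" "$POUND"
  mkdir -p "$HTTPD/ssl.crt" "$HTTPD/ssl.key"
  ln -sf "$CRT" "$HTTPD/ssl.crt/server.crt"
  ln -sf "$KEY" "$HTTPD/ssl.key/server.key"
  ln -sf "$POUND" "$HTTPD/ssl.pem"
}

# A certificate and a private key belong together when they carry the same
# public key. openssl x509 reads the first CERTIFICATE block and openssl pkey
# the first private-key block, so both can be pointed at the combined file.
# Comparing public keys works for RSA and EC alike, unlike the classic
# -modulus comparison, which is RSA-only.
pound_key_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the certificate's SAN line with spaces removed (empty if none).
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr -d ' '
}

# Return 0 only if every host name given after the file is a DNS SAN entry.
cert_has_sans() {
  crt=$1; shift
  sans="$(cert_sans "$crt"),"
  for n in "$@"; do
    case "$sans" in *"DNS:$n,"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Return 0 only if every argument is a symlink resolving to a regular file
# below the given base directory (the one included in the nightly backup).
links_ok() {
  base=$(readlink -f "$1"); shift
  for l in "$@"; do
    [ -L "$l" ] || return 1
    t=$(readlink -f "$l") || return 1
    case "$t" in "$base"/*) [ -f "$t" ] || return 1 ;; *) return 1 ;; esac
  done
  return 0
}

make_demo_files
pound_key_matches "$POUND" && echo "pound.crt: certificate and key match"
cert_has_sans "$CRT" my_amp.example.org helpdesk.example.org \
  && echo "certificate carries the expected SANs"
links_ok "$SSLDIR" "$HTTPD/ssl.crt/server.crt" "$HTTPD/ssl.key/server.key" \
  "$HTTPD/ssl.pem" && echo "symlinks resolve into $SSLDIR"

# Failure case: a pound file assembled from the certificate and the wrong key,
# which is what a regenerated key or a mixed-up cat would produce.
openssl genrsa -out "$SSLDIR/other.key" 2048 2>/dev/null
{ cat "$CRT"; echo; cat "$SSLDIR/other.key"; } > "$SSLDIR/bad-pound.crt"
pound_key_matches "$SSLDIR/bad-pound.crt" \
  || echo "bad-pound.crt: key does not match certificate (detected)"
```

The key-match check is the one worth running every time the certificate is renewed: pound and httpd start happily with a mismatched pair and only fail the TLS handshake, which looks like a client-side problem.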