
How to install your own certificate on Airwave with Alternate name

Aruba Employee

The following steps describe how to install an SSL certificate on AirWave with Subject Alternative Names.
A certificate that must be valid for several (alternate) DNS names requires a CSR (Certificate Signing Request) that lists those alternate DNS names.

 

Environment: AMP version 8.0 and earlier AMP versions back to 7.2.x

 

Installing a valid SSL (Secure Sockets Layer) certificate on AMP is a 3-step process: 

I. Create a CSR (Certificate Signing Request) file 
II. Send the CSR to a third-party Certificate Authority (CA) 
III. Install the certificate you receive from the CA on your AirWave server 


I. CREATE A CERTIFICATE SIGNING REQUEST (CSR) 
--------------------------------------- 

For a generic SSL certificate request (CSR), openssl doesn't require much fiddling. Since we're going to add a SAN or two to our CSR, we'll need to add a few things to the openssl conf file. You need to tell openssl to create a CSR that includes x509 V3 extensions and you also need to tell openssl to include a list of subject alternative names in your CSR.

1. Find the file openssl.cnf on your server. On most systems it's located in one of these two directories: 

/usr/share/ssl/ 
/etc/pki/tls/ 

2. Edit openssl.cnf using nano, vi or the text editor of your choice. 

# nano /etc/pki/tls/openssl.cnf 

-OR- 

# nano /usr/share/ssl/openssl.cnf 

3. In the [req] section (the section that tells openssl what to do with certificate requests), find the line that begins with req_extensions. It should read as follows:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

This tells openssl to include the v3_req section in CSRs. If the req_extensions line is not present, add it exactly as shown above.

4. Go to the section named [ req_distinguished_name ]: 

[ req_distinguished_name ] 
countryName = US 
stateOrProvinceName = California 
0.organizationName = Aruba Networks, Inc. 
organizationalUnitName = AirWave Wireless 
commonName = my_amp.airwave.com 
emailAddress = some_user@airwave.com 

5. Replace the information for Aruba/AirWave with your company's information. 

6. Under the [ req_attributes ] section update the challengePassword. 

[ req_attributes ] 
challengePassword = A challenge password 


7. Now go down to the v3_req section and make sure that it includes the following:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = my_amp.airwave.com
DNS.2 = helpdesk.example.org
DNS.3 = systems.example.net
IP.1 = 192.168.1.1
IP.2 = 192.168.69.14

Note: In alt_names, make sure the CN is also listed as one of the DNS entries. Once a CSR contains alt_names, browsers validate the host name against the SAN (Subject Alternative Name) list, so the CN (Common Name) must be repeated in the alt_names section as a DNS entry.


8. Save the file. 

NOTE: In the example below we create a directory named ssl-certs under /var/airwave/custom to store the new certificate request and private key. We recommend storing them here because the /var/airwave/custom directory and all of its subdirectories are included in the nightly backup file in case you need to restore your certificate at some point. This is also the directory where you should save the certificate you get back from the CA (see Step III below). 

9. Create ssl-certs directory under /var/airwave/custom: 

# mkdir /var/airwave/custom/ssl-certs 

10. Run openssl to create a new private key and CSR in the ssl-certs directory: 

# openssl req -nodes -newkey rsa:2048 -keyout /var/airwave/custom/ssl-certs/newcert_private.key -out /var/airwave/custom/ssl-certs/newcert.csr 
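As an added example (not from the original article), the following shell helper carries out steps 3 through 10 with a self-contained openssl config passed via -config, so the system openssl.cnf stays untouched, and then reads the SAN extension back out of the CSR, the same check as the openssl req -text verification later on this page. The directory, organisation and host names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original AirWave article.
# Generates a private key and a CSR carrying Subject Alternative Names from a
# self-contained openssl config, then reads the SAN list back from the CSR.
# Directory, organisation and host names are constructed for this demo.

make_san_csr() {
    dir="$1"            # working directory, e.g. /var/airwave/custom/ssl-certs
    cn="$2"             # Common Name, repeated as the first DNS SAN entry
    shift 2             # remaining arguments: extra SAN entries (DNS:x or IP:x)
    mkdir -p "$dir"
    # Build the SAN list: the CN first (browsers match against the SAN list,
    # not the CN), then each extra entry, comma separated.
    san="DNS:${cn}"
    for entry in "$@"; do
        san="${san},${entry}"
    done
    # Minimal config equivalent to the openssl.cnf edits in the article.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = California
O = Example Org
OU = AirWave
CN = ${cn}
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = ${san}
EOF
    openssl req -nodes -newkey rsa:2048 -config "$dir/san.cnf" \
        -keyout "$dir/newcert_private.key" -out "$dir/newcert.csr" 2>/dev/null
}

# Print the SAN line of a CSR; empty output means the extension is missing,
# which is exactly the case the article's config edits are meant to prevent.
csr_san() {
    openssl req -text -noout -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1
}
```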



II. REQUEST A CERTIFICATE FROM A VALID CERTIFICATE AUTHORITY 
------------------------------------------------------------ 

Any certificate authority (such as Verisign, Thawte, InstantSSL) can fulfill your request. When you're prompted for a CSR provide the contents of the newcert.csr file you generated in step 8 above. 

If you receive a bundle of certificates from the CA, use the one described as a base64-encoded X.509 certificate. 



III. YOU'VE RECEIVED YOUR CERTIFICATE, HOW DO YOU INSTALL IT? 
------------------------------------------------------------- 

This example assumes that you've named your certificate newcert.crt. You can name it anything you want. 

IMPORTANT NOTE FOR FAILOVER: The instructions below are fine for AMPs and the Master Console. On a Failover server, instead of storing the certificates in /var/airwave/custom/ssl-certs/, store them somewhere that is not affected by backup/restore operations, such as /home/some_user, and point the soft links to the files there.

1. Save the certificate as /var/airwave/custom/ssl-certs/newcert.crt 

2. Concatenate your certificate and private key into one file, to be used by pound. Add a new line to the end of the certificate to ensure that the two files don't get jumbled together during the concatenation. 

# echo -e "\n" >> /var/airwave/custom/ssl-certs/newcert.crt 
# cat /var/airwave/custom/ssl-certs/newcert.crt /var/airwave/custom/ssl-certs/newcert_private.key > /var/airwave/custom/ssl-certs/pound.crt 

3. Modify the symbolic (soft) links in the default directories to point to your new certificate and private key files: 

# ln -sf /var/airwave/custom/ssl-certs/newcert.crt /etc/httpd/conf/ssl.crt/server.crt 
# ln -sf /var/airwave/custom/ssl-certs/newcert_private.key /etc/httpd/conf/ssl.key/server.key 
# ln -sf /var/airwave/custom/ssl-certs/pound.crt /etc/httpd/conf/ssl.pem 
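Added example (not from the original article): the concatenation from step 2 as a small shell helper, together with a check that the private key in the combined PEM actually belongs to the certificate, a mismatch that otherwise only surfaces when pound tries to load the file. The demo material is a constructed self-signed certificate, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original AirWave article.
# Assembles the combined PEM that pound reads (certificate, then key) and
# verifies that the key matches the certificate before anything is restarted.
# File names are constructed for this demo.

# Build pound.crt from a certificate and its private key. A newline is
# appended after the certificate so the two PEM blocks never run together.
build_pound_pem() {
    cert="$1"; key="$2"; out="$3"
    { cat "$cert"; echo; cat "$key"; } > "$out"
}

# Return 0 if the private key in a combined PEM matches its first certificate.
# Both public keys are hashed and compared; a mismatch means the wrong key
# (or a stale one from an earlier CSR) was concatenated.
pem_key_matches_cert() {
    pem="$1"
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$pem" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Count the PEM blocks in a combined file (certificates plus keys).
pem_block_count() {
    grep -c -- '-----BEGIN' "$1"
}

# Constructed demo material: a throwaway self-signed certificate and key.
make_demo_material() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj '/CN=demo.example' \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
}
```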

 

4. If the certificate is signed by an internal CA, you must also import the root CA certificate into the Java trust store for VisualRF to work correctly. To do that, run the command below:

 

# keytool -import -noprompt -trustcacerts -alias <give a name to identify the CA in the keytool>  -file <path/of the /cert/in/airwave/server>  -keystore /usr/java/jre1.8.0_72/lib/security/cacerts -storepass changeit

 

Example:

[root@airwave tmp]# keytool -import -noprompt -trustcacerts -alias chaincert-lab -file /var/airwave/custom/ssl-certs/airwave-CertChain.crt -keystore /usr/java/jre1.8.0_72/lib/security/cacerts -storepass changeit

Certificate was added to keystore

 

To verify:

[root@airwave tmp]# keytool -list -keystore "/usr/java/jre1.8.0_72/lib/security/cacerts" | grep chain

Enter keystore password:  changeit

chaincert-lab, May 2, 2016, trustedCertEntry,

 

Once done, restart the Visual RF Engine.

 

 

1. Once the CSR is created, you can verify that it contains the Subject Alternative Names with the following command:

# openssl req -text -noout -in san_domain_com.csr

You should see output like the following. Note the Subject Alternative Name section:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Texas, L=Fort Worth, O=My Company, OU=My Department, CN=server.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit): blahblahblah
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: CA:FALSE
            X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: DNS:my_amp.airwave.com, DNS:kb.example.com, DNS:helpdesk.example.com
    Signature Algorithm: sha1WithRSAEncryption
        blahblahblah


2. Check the SSL configuration file to make sure the paths to your certificate and private key files are correct. The default file locations should be specified. These paths will point to the symbolic links you set up in step III.2 above that in turn point to the new certificate and private key files in the /var/airwave/custom/ssl-certs/ directory. 

NOTE: The ssl.conf file is overwritten during upgrades, so if you were to specify the path directly to the certificate and key files themselves, you would have to edit the ssl.conf file each time you upgraded the server. 

# nano /etc/httpd/conf.d/ssl.conf 

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt 

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Version history: revision 3 of 3, last update 11-16-2016 04:46 PM

Comments
Laurent_Asselin

Hi,

 

We've been facing an issue with the way "pound" (the reverse proxy that handles SSL for the AirWave server) handles the certificate file.

It seems the order in which the certificates and the private key appear is really important for pound to start.

Else you get this error :

/etc/init.d/pound restart

Starting Pound: starting...
/etc/pound.cfg line 14: SSL_CTX_use_PrivateKey_file failed - aborted

 

In order to fix this, we had to verify the composition of the ssl.pem file (and especially the order):

Here's the right order for the /etc/httpd/conf/ssl.pem file (works in Airwave 8.0.9.1) :

-----BEGIN CERTIFICATE-----

<<<Your Server Certificate>>>

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

<<<Your private key >>>

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

<<<Your Trust Authority Top Level Certificate>>> (tip: most CAs use 4096-bit RSA keys, so this should be the longest certificate ;)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

<<<Your Intermediate Trust Authority Level Certificate>>>

-----END CERTIFICATE-----

 

 

Restart Pound service by typing : 

/etc/init.d/pound restart

 

And you're done ! 

 

Regards,

 

Laurent Asselin,  Jean-Charles Bervoet and Regis Deroff.

Exer Group


Prestidigitation

Has this changed now in 8.2?

BrianL75201

After failing to get our certificate working with these instructions, the ones above did the trick.

However, when we navigate to the Airwave interface, we still get a red exclamation point.  Clicking this, I see the following (in Chrome):

Obsolete Connection Settings

 

Obsolete Connection Settings
The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (AES_128_CBC with HMAC-SHA1).

How can we fix this?

What version of AirWave are you running?
BrianL75201

I wondered if that was the issue too.  We're running 8.0.4.1, and I see that 8.2.2.1 is available.  I'm not clear on how to upgrade though. This makes it sound really simple, but it doesn't recognize the start_amp_upgrade command.

Laurent_Asselin

Hi,

It seems in AirWave 8.2.x the file order changed; here's what I had to do in order to make Pound accept the file.

 

Here's the right order for the /etc/httpd/conf/ssl.pem file (works in Airwave 8.2.2.1):

-----BEGIN CERTIFICATE-----
<<<Your Server Certificate>>>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<<<Your private key >>>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<<<Your Intermediate Trust Authority Level Certificate>>>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<<<Your Trust Authority Top Level Certificate>>>
-----END CERTIFICATE-----

 

Restart Pound service by typing :
/etc/init.d/pound restart

 

Laurent Asselin

EXER

tmcclintic

Thank you Laurent!
