05-13-2016 12:48 PM - edited 05-13-2016 12:49 PM
I was looking for a way to solve this and wanted to let you participate in my solution.
Scenario: We're running our AD based enterprise certificate authority and I'm looking to have most HTTPS webinterfaces running with a certificate from our CA. Our browsers have the root CA certificate deployed and so will trust all subordinate certificates. Out of the box Airwave runs with a self-signed certificate (I really hate saving exceptions for self-signed certificates in Firefox :-) ). Actually we're running Airwave 220.127.116.11 but I'm confident that this applies to other versions too. The important steps are common OpenSSL operations. You should already have some knowledge about certificates and so on.
Step 1: Understanding the webserver. Airwave is using a reverse proxy server called pound which listens to port 443. Looking into the config at /etc/pound.cfg shows that there is a certificate in use located under /etc/httpd/conf/ssl.pem
Step 2: Grabbing the private key. The pre-deployed private key is located at /etc/pki/tls/private/localhost.key but is also included in the second half of certificate file /etc/httpd/conf/ssl.pem. You need this key for creating the certificate signing request (CSR)
Step 3: Creating the CSR. /usr/bin/openssl req -out airwave.yourdomain.com.csr -new -key /etc/pki/tls/private/localhost.key With this command you're going to create a CSR using the available private key. The following dialogue requires different information, most important the CN which is the FQDN of your Airwave server.
Step 4: Signing the certificate. You can now use the CSR to be signed at your private (respectively your enterprise CA) or public CA.
Step 5: Installing the certificate. You will need the certificate in PEM format (BASE64 encoded). For backup reasons please copy the existing certificate with something like this cp /etc/httpd/conf/ssl.pem /etc/httpd/conf/backup.pem. Now start editing the ssl.pem file. vi /etc/httpd/conf/ssl.pem The first part is the certificate, you can identify it with these start and end markers:
Replace the content within the markers with the equivalent from your new certificate.
Step 6: Restart pound. You're almost done. /etc/init.d/pound restart
Now you can access the Airwave webinterface and the certificate is issued by your enterprise CA.
07-08-2016 08:19 AM
Or you can just follow the process that has been actually written by Aruba a while ago.