How to install your own certificate on AirWave with Subject Alternative Names

By arunhasan1 Unpublished


The following steps describe installing an SSL certificate on AirWave with Subject Alternative Names (SANs).
A certificate that must be valid under several (alternate) DNS names needs a CSR (Certificate Signing Request) that already carries those names as subject alternative names; the CA issues the certificate from the CSR, so a name left out of the CSR will be missing from the certificate.


Environment: AMP version 8.0 and earlier versions back to 7.2.x


Installing a valid SSL (Secure Sockets Layer) certificate on AMP is a 3-step process: 

I. Create a CSR (Certificate Signing Request) file 
II. Send the CSR to a third-party Certificate Authority (CA) 
III. Install the certificate you receive from the CA on your AirWave server 


I. Create a CSR (Certificate Signing Request) file

For a generic certificate request, openssl needs little configuration. Because we are adding one or more SANs to the CSR, the openssl configuration file needs two changes: openssl must be told to include X.509 v3 extensions in the request, and it must be given the list of subject alternative names to put in that extension.

1. Find the file openssl.cnf on your server. On most systems it's located in one of these two places:

/etc/pki/tls/openssl.cnf
/usr/share/ssl/openssl.cnf

2. Edit openssl.cnf using nano, vi or the text editor of your choice:

# nano /etc/pki/tls/openssl.cnf

or

# nano /usr/share/ssl/openssl.cnf

3. Go to the [req] section, which tells openssl what to do with certificate requests (CSRs). It should contain a line beginning with req_extensions; make sure the section reads as follows:

distinguished_name = req_distinguished_name
req_extensions = v3_req

This tells openssl to include the v3_req section in CSRs. If the req_extensions line is not present (in the stock file it is usually commented out with a leading #), add it in exactly the form above.

4. Go to the section named [ req_distinguished_name ]: 

[ req_distinguished_name ] 
countryName = US 
stateOrProvinceName = California 
0.organizationName = Aruba Networks, Inc. 
organizationalUnitName = AirWave Wireless 
commonName = 
emailAddress = 

5. Replace the Aruba/AirWave values with your company's information. Note that openssl treats these entries as literal values only when the [req] section also contains prompt = no; in the stock openssl.cnf the entries are prompt labels and the values live in the matching *_default lines (countryName_default and so on), so either add prompt = no to [req] or edit the *_default lines instead. The commonName must be the host name users type into the browser to reach the AMP.

6. Under the [ req_attributes ] section update the challengePassword. Most public CAs ignore the challenge password, so unless your CA asks for one you can leave it empty when prompted.

[ req_attributes ] 
challengePassword = A challenge password 

7. Now go down to the v3_req section and make sure that it includes the following, together with the [ alt_names ] section it refers to:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 =
DNS.2 =
DNS.3 =
IP.1 =
IP.2 =

Note: In [ alt_names ], repeat the CN as one of the DNS entries. Once a CSR (and therefore the certificate) carries a SAN extension, browsers match the host name against the SAN list only and ignore the Common Name, so a CN that is not also listed as a DNS entry will fail the browser's name check. Use one DNS.n line per host name and one IP.n line per IP address the AMP is reached by, and delete the lines you do not need rather than leaving them empty.

8. Save the file. 

NOTE: In the example below we create a directory named ssl-certs under /var/airwave/custom to store the new certificate request and private key. We recommend storing them here because the /var/airwave/custom directory and all of its subdirectories are included in the nightly backup file in case you need to restore your certificate at some point. This is also the directory where you should save the certificate you get back from the CA (see Step III below). 

9. Create ssl-certs directory under /var/airwave/custom: 

# mkdir /var/airwave/custom/ssl-certs 

10. Run openssl to create a new private key and CSR in the ssl-certs directory. The -nodes flag leaves the private key unencrypted, which httpd and pound need in order to start unattended, so keep the key file readable by root only (mode 0600). -sha256 signs the request itself with SHA-256 rather than whatever default the installed openssl uses (SHA-1 on older releases):

# openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout /var/airwave/custom/ssl-certs/newcert_private.key -out /var/airwave/custom/ssl-certs/newcert.csr

openssl reads the openssl.cnf you edited above; if you edited a copy instead, add -config /path/to/your/openssl.cnf to the command.
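The whole of section I as one script, added here as an illustration and not taken from the article or from Aruba. Instead of editing the system openssl.cnf it writes a small request-only config with prompt = no, generates the key and CSR with -sha256 under a restrictive umask, and prints the SAN line that openssl actually put into the CSR (the same check as the openssl req -text verification step later in this article). The output directory, the subject values and the names amp.example.com, airwave.example.com and 10.0.0.5 are placeholders.

```shell
#!/bin/sh
# Added example (not from the KB article): build the SAN CSR from a dedicated
# request config instead of editing the system openssl.cnf. Directory, subject
# values and host names are assumptions.
set -eu

# Write a self-contained openssl request config. "prompt = no" makes the [ dn ]
# entries literal values rather than prompt labels.
write_san_config() {
    # $1 = config path, $2 = common name, remaining args = extra DNS names / IPs
    cfg="$1"; cn="$2"; shift 2
    {
        printf '[ req ]\n'
        printf 'distinguished_name = dn\n'
        printf 'req_extensions = v3_req\n'
        printf 'prompt = no\n\n'
        printf '[ dn ]\n'
        printf 'C = US\nST = California\nO = Example Corp\nOU = AirWave\n'
        printf 'CN = %s\n\n' "$cn"
        printf '[ v3_req ]\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n\n'
        printf '[ alt_names ]\n'
        # The CN goes in again as DNS.1: browsers ignore the CN once a SAN exists.
        printf 'DNS.1 = %s\n' "$cn"
        d=2; p=1
        for name in "$@"; do
            case "$name" in
                # anything that is not only digits and dots is a DNS name
                *[!0-9.]*) printf 'DNS.%d = %s\n' "$d" "$name"; d=$((d + 1)) ;;
                *)         printf 'IP.%d = %s\n'  "$p" "$name"; p=$((p + 1)) ;;
            esac
        done
    } > "$cfg"
}

# Generate the private key and CSR, then print the SAN line the CSR actually
# contains (what "openssl req -text -noout" shows under Requested Extensions).
make_san_csr() {
    # $1 = output directory, $2 = common name, remaining args = extra names / IPs
    dir="$1"; cn="$2"; shift 2
    mkdir -p "$dir"
    write_san_config "$dir/san.cnf" "$cn" "$@"
    # umask 077 in a subshell: the unencrypted key (-nodes) is created mode 0600
    # and the caller's umask is left untouched.
    (umask 077; openssl req -new -nodes -sha256 -newkey rsa:2048 \
        -config "$dir/san.cnf" \
        -keyout "$dir/newcert_private.key" \
        -out "$dir/newcert.csr" 2>/dev/null)
    openssl req -noout -text -in "$dir/newcert.csr" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Usage (placeholder names):
#   make_san_csr /var/airwave/custom/ssl-certs amp.example.com airwave.example.com 10.0.0.5
```

The printed line is what the CA will see; if a name is missing here, it will be missing from the certificate too, so compare it against the host names users actually type before submitting the CSR.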


II. Send the CSR to a third-party Certificate Authority (CA)

Any certificate authority (such as Verisign, Thawte, InstantSSL) can fulfill your request. When you're prompted for a CSR, provide the contents of the newcert.csr file you generated in step 10 above.

If you receive several files from the CA, the one you want is the base64-encoded (PEM) X.509 certificate, a text file beginning with -----BEGIN CERTIFICATE-----. Keep the CA's intermediate certificate(s) as well; pound needs the full chain (see the comments below on the order it expects).


III. Install the certificate you receive from the CA on your AirWave server

This example assumes that you've named your certificate newcert.crt. You can name it anything you want.

IMPORTANT NOTE FOR FAILOVER: The instructions below are fine for AMPs and the Master Console. On a Failover server, instead of storing the certificates in /var/airwave/custom/ssl-certs/, store them somewhere that isn't affected by backup/restore operations, such as /home/some_user, and point the soft links at the files there.

1. Save the certificate as /var/airwave/custom/ssl-certs/newcert.crt 

2. Concatenate your certificate and private key into one file, to be used by pound. First append a newline to the certificate so the two files don't get jumbled together during the concatenation (a -----BEGIN marker on the same line as the previous -----END makes the file unparseable):

# echo >> /var/airwave/custom/ssl-certs/newcert.crt

# cat /var/airwave/custom/ssl-certs/newcert.crt /var/airwave/custom/ssl-certs/newcert_private.key > /var/airwave/custom/ssl-certs/pound.crt

Because pound.crt contains the private key, give it the same restrictive permissions as the key file (owned by root, mode 0600).

3. Modify the symbolic (soft) links in the default directories to point to your new certificate and private key files. Linking does not change ownership or mode, so check that newcert_private.key and pound.crt are owned by root and not readable by other users before you do this:

# ln -sf /var/airwave/custom/ssl-certs/newcert.crt /etc/httpd/conf/ssl.crt/server.crt 
# ln -sf /var/airwave/custom/ssl-certs/newcert_private.key /etc/httpd/conf/ssl.key/server.key 
# ln -sf /var/airwave/custom/ssl-certs/pound.crt /etc/httpd/conf/ssl.pem 
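Steps 2 and 3 above as a checked procedure, added as an example that is not part of the article or of Aruba's tooling. It refuses to build the combined file if the private key does not belong to the certificate (SSL_CTX_use_PrivateKey_file, the call named in pound's error in the comments below, fails exactly when the key it loads does not match the certificate loaded before it), writes the blocks in the order server certificate, private key, intermediate, root that the comments report working on 8.2.x, creates the combined file mode 0600, and checks the chain with openssl verify. The throwaway CA it can generate exists only so the functions can be exercised offline; all file names are assumptions.

```shell
#!/bin/sh
# Added example (not Aruba's code): assemble the combined PEM file that pound
# loads and check it before repointing the symlinks. Paths are assumptions.
set -eu

# Copy a PEM file to stdout and guarantee a trailing newline, so the next
# "-----BEGIN" marker can never land on the line of the previous "-----END".
cat_pem() {
    cat "$1"
    [ -z "$(tail -c 1 "$1")" ] || echo
}

# Succeed only if the private key belongs to the certificate: compare the
# SubjectPublicKeyInfo taken from each side.
key_matches_cert() {
    # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Write the combined file in the order reported to work on AMP 8.2.x:
# server certificate, private key, then the chain (intermediate first, root last).
# Prints the number of PEM blocks written so a missing piece is noticed.
build_pound_pem() {
    # $1 = server cert, $2 = private key, $3 = output file, rest = chain certs
    cert="$1"; key="$2"; out="$3"; shift 3
    if ! key_matches_cert "$cert" "$key"; then
        echo "refusing to write $out: $key does not match $cert" >&2
        return 1
    fi
    # Subshell: the file holds the private key, so create it mode 0600 without
    # changing the caller's umask.
    (
        umask 077
        {
            cat_pem "$cert"
            cat_pem "$key"
            for c in "$@"; do cat_pem "$c"; done
        } > "$out"
    )
    grep -c -- '-----BEGIN' "$out"
}

# Check that the server certificate chains to the root, via the intermediate
# bundle when one is given.
verify_leaf() {
    # $1 = server cert, $2 = root CA cert, $3 = intermediate bundle (optional)
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null
    else
        openssl verify -CAfile "$2" "$1" >/dev/null
    fi
}

# Constructed test material only: a throwaway root CA and a leaf it signs, so
# the functions above can be exercised offline. Never install these anywhere.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Throwaway Test Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=amp.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
}

# Usage with the article's paths (placeholders for the chain files):
#   build_pound_pem /var/airwave/custom/ssl-certs/newcert.crt \
#       /var/airwave/custom/ssl-certs/newcert_private.key \
#       /var/airwave/custom/ssl-certs/pound.crt intermediate.crt root.crt
```

Run verify_leaf on the server certificate with the root and intermediate the CA gave you before switching the symlinks; a chain that fails here will fail for every browser as well, whatever order the blocks are written in.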


4. If the certificate is signed by an internal CA (or any CA whose root is not already in the Java trust store), you must import the root CA certificate into the Java trust store that VisualRF uses, or VisualRF will not work correctly. The JRE directory (/usr/java/jre1.8.0_72 in this example) changes with the bundled Java version, so check which JRE VisualRF runs under; changeit is the Java default password for the cacerts keystore. Run:


# keytool -import -noprompt -trustcacerts -alias <give a name to identify the CA in the keytool>  -file <path/of the /cert/in/airwave/server>  -keystore /usr/java/jre1.8.0_72/lib/security/cacerts -storepass changeit



[root@airwave tmp]# keytool -import -noprompt -trustcacerts -alias chaincert-lab -file /var/airwave/custom/ssl-certs/airwave-CertChain.crt -keystore /usr/java/jre1.8.0_72/lib/security/cacerts -storepass changeit

Certificate was added to keystore


To verify:

[root@airwave tmp]# keytool -list -keystore "/usr/java/jre1.8.0_72/lib/security/cacerts" | grep chain

Enter keystore password:  changeit

chaincert-lab, May 2, 2016, trustedCertEntry,


Once done, restart the VisualRF engine so it picks up the updated trust store.



IV. Verify the CSR and the web server configuration

1. Once the CSR is created, you can verify that it contains the Subject Alternative Names with the command below:

# openssl req -text -noout -in /var/airwave/custom/ssl-certs/newcert.csr

You should see output like the following. Note the Subject Alternative Name section: every name you entered in [ alt_names ] must appear there.

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Texas, L=Fort Worth, O=My Company, OU=My Department, CN=server.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    ...
                Exponent: 65537 (0x10001)
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:..., DNS:..., IP Address:...
    Signature Algorithm: sha256WithRSAEncryption

2. Check the SSL configuration file to make sure the paths to your certificate and private key files are correct. The default file locations should be specified. These paths point to the symbolic links you set up in step III.3 above, which in turn point to the new certificate and private key files in the /var/airwave/custom/ssl-certs/ directory.

NOTE: The ssl.conf file is overwritten during upgrades, so if you were to specify the path directly to the certificate and key files themselves, you would have to edit the ssl.conf file each time you upgraded the server. 

# nano /etc/httpd/conf.d/ssl.conf 

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt 

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key



Jan 04, 2018 04:06 AM



Is there any new guide for the CLI-Light versions of AirWave Management Platform and above? As the normal CLI is not available anymore, the import certificate way is quite strange. I cannot find the documentation about this new "feature".

Jan 30, 2017 05:23 PM

Thank you Laurent!

Jan 23, 2017 04:27 AM


It seems in AirWave 8.2.x the file order changed; here's what I had to do in order to make Pound accept the file.


Here's the right order for the /etc/httpd/conf/ssl.pem file (works in Airwave

<<<Your Server Certificate>>>
<<<Your private key >>>
<<<Your Intermediate Trust Authority Level Certificate>>>
<<<Your Trust Authority Top Level Certificate>>>


Restart Pound service by typing :
/etc/init.d/pound restart


Laurent Asselin


Oct 20, 2016 04:54 PM

I wondered if that was the issue too.  We're running, and I see that is available.  I'm not clear on how to upgrade though. This makes it sound really simple, but it doesn't recognize the start_amp_upgrade command.

Oct 20, 2016 04:37 PM

What version of AirWave are you running?

Oct 20, 2016 02:38 PM

After failing to get our certificate working with these instructions, the ones above did the trick.

However, when we navigate to the Airwave interface, we still get a red exclamation point.  Clicking this, I see the following (in Chrome):


Obsolete Connection Settings
The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (AES_128_CBC with HMAC-SHA1).

How can we fix this?
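As an added example (not from the article or from the commenter), here is how to audit a cipher string for the two things Chrome's message names, static RSA key exchange and HMAC-SHA1, before putting it in the reverse proxy's TLS configuration. It relies on openssl ciphers -v, which prints each suite's key exchange (Kx=) and MAC (Mac=); both cipher strings are constructed for the demonstration, and where the string goes in pound.cfg is not covered here.

```shell
#!/bin/sh
# Added example (not from the KB article or the comment): audit a cipher string
# for the two obsolete pieces Chrome named, static RSA key exchange and
# HMAC-SHA1, using "openssl ciphers -v". Both cipher strings are constructed.
set -eu

# Expand a cipher string and print only the suites whose key exchange is
# static RSA (no forward secrecy) or whose MAC is HMAC-SHA1 (the CBC + SHA1 suites).
# "openssl ciphers -v" prints: NAME VERSION Kx=... Au=... Enc=... Mac=...
# @SECLEVEL=0 makes the audit see every suite the string names, whatever the
# host's default security level; the proxy's own level may still drop some.
obsolete_suites() {
    # $1 = cipher string in OpenSSL syntax
    openssl ciphers -v "$1:@SECLEVEL=0" | awk '$3 == "Kx=RSA" || $NF == "Mac=SHA1"'
}

# Succeed only when the string enables nothing obsolete by that definition.
cipher_string_is_clean() {
    [ -z "$(obsolete_suites "$1")" ]
}

# Number of suites a string actually enables, so "clean" is not mistaken for "empty".
suite_count() {
    openssl ciphers "$1:@SECLEVEL=0" | tr ':' '\n' | grep -c .
}

# What the comment describes: RSA key exchange with AES-CBC and HMAC-SHA1 still
# enabled alongside a modern suite (constructed for the demonstration).
WEAK_CIPHERS='AES128-SHA:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256'

# Forward-secret key exchange (ECDHE) and AEAD ciphers only (constructed).
HARDENED_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

# Usage:
#   obsolete_suites "$WEAK_CIPHERS"            # lists AES128-SHA and AES256-SHA
#   cipher_string_is_clean "$HARDENED_CIPHERS" # exit status 0
```

The same check applies to whatever string the proxy ends up with: expand it with openssl ciphers -v on the server and make sure no line shows Kx=RSA or Mac=SHA1, then confirm the count is not zero so the hardened string did not silently match nothing on that OpenSSL build.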

Aug 30, 2016 07:42 PM

Has this changed now in 8.2?

Oct 16, 2015 06:30 AM



We've been facing an issue with the way "pound" (the reverse proxy that handles SSL for the AirWave server) handles the certificate file.

It seems the order in which the certificates and the private key appear is really important for pound to start.

Otherwise you get this error:

/etc/init.d/pound restart

Starting Pound: starting...
/etc/pound.cfg line 14: SSL_CTX_use_PrivateKey_file failed - aborted


In order to fix this, we had to verify the composition of the ssl.pem file (and especially the order):

Here's the right order for the /etc/httpd/conf/ssl.pem file (works in Airwave :

<<<Your Server Certificate>>>

<<<Your private key>>>

<<<Your Trust Authority Top Level Certificate>>> (tip: most CAs use 4096-bit RSA keys, so this should be the longest certificate ;)

<<<Your Intermediate Trust Authority Level Certificate>>>




Restart Pound service by typing : 

/etc/init.d/pound restart


And you're done ! 




Laurent Asselin,  Jean-Charles Bervoet and Regis Deroff.

Exer Group