
New Contributor

[How-to] Using Airwave GUI with an enterprise CA signed certificate

Hi community,


I was looking for a way to solve this and wanted to let you participate in my solution.


Scenario: We're running our AD-based enterprise certificate authority and I'm looking to have most HTTPS web interfaces running with a certificate from our CA. Our browsers have the root CA certificate deployed and so will trust all subordinate certificates. Out of the box, Airwave runs with a self-signed certificate (I really hate saving exceptions for self-signed certificates in Firefox :-) ). Actually we're running Airwave but I'm confident that this applies to other versions too. The important steps are common OpenSSL operations. You should already have some knowledge about certificates and so on.


Step 1: Understanding the web server. Airwave is using a reverse proxy server called pound which listens on port 443. Looking into the config at /etc/pound.cfg shows that there is a certificate in use located under /etc/httpd/conf/ssl.pem.

Step 2: Grabbing the private key. The pre-deployed private key is located at /etc/pki/tls/private/localhost.key but is also included in the second half of the certificate file /etc/httpd/conf/ssl.pem. You need this key for creating the certificate signing request (CSR).

Step 3: Creating the CSR.

    /usr/bin/openssl req -out -new -key /etc/pki/tls/private/localhost.key

With this command you create a CSR using the available private key. The dialogue that follows asks for several pieces of information; the most important is the CN, which is the FQDN of your Airwave server.

Step 4: Signing the certificate. You can now have the CSR signed by your private (or enterprise) CA or by a public CA.

Step 5: Installing the certificate. You will need the certificate in PEM format (Base64 encoded). For backup reasons please copy the existing certificate with something like this:

    cp /etc/httpd/conf/ssl.pem /etc/httpd/conf/backup.pem

Now start editing the ssl.pem file:

    vi /etc/httpd/conf/ssl.pem

The first part is the certificate; you can identify it with these start and end markers:



Replace the content within the markers with the equivalent from your new certificate.


Step 6: Restart pound. You're almost done.

    /etc/init.d/pound restart


Now you can access the Airwave web interface and the certificate is issued by your enterprise CA.
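
The steps in the how-to above, scripted as an added example that is not part of the original post and is not Aruba's or pound's code: it creates the CSR, confirms that the certificate returned by the CA belongs to the existing private key, and only then assembles the certificate-then-key PEM layout the post describes. The function names, the `-subj` form of the CSR request and every path (including the CSR file that `-out` needs) are assumptions supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example (not Airwave or pound code). All file paths are arguments
# chosen by the caller; the CSR output path in particular is an assumption.

# Step 3 in non-interactive form: CSR from the existing key, CN = server FQDN.
make_csr() {  # usage: make_csr KEY CSR_OUT FQDN
    openssl req -new -key "$1" -out "$2" -subj "/CN=$3"
}

# Succeeds only when the certificate's public key is the one derived from
# the private key. Returns 2 if either file cannot be parsed.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    cmk_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    cmk_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cmk_cert" ] && [ "$cmk_cert" = "$cmk_key" ]
}

# Step 5 without hand-editing: write the certificate followed by the private
# key to OUT, refusing when the certificate is not PEM or does not match.
build_combined_pem() {  # usage: build_combined_pem CERT KEY OUT
    bcp_cert=$1 bcp_key=$2 bcp_out=$3
    if ! openssl x509 -in "$bcp_cert" -noout 2>/dev/null; then
        echo "not a PEM (Base64) certificate: $bcp_cert" >&2; return 1
    fi
    if ! cert_matches_key "$bcp_cert" "$bcp_key"; then
        echo "certificate was not issued for this private key" >&2; return 1
    fi
    (
        umask 077   # the combined file contains the private key
        # Re-encode so only the certificate block itself is written,
        # then append the key and move the result into place in one step.
        openssl x509 -in "$bcp_cert" -outform PEM > "$bcp_out.new" &&
        cat "$bcp_key" >> "$bcp_out.new" &&
        mv "$bcp_out.new" "$bcp_out"
    )
}
```

Build the new file next to the backup copy first and swap it in for ssl.pem only after `build_combined_pem` succeeds, so a mismatched or DER-encoded certificate never reaches the file pound loads at restart.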




Contributor I

Re: [How-to] Using Airwave GUI with an enterprise CA signed certificate

Or you can just follow the process that has been actually written by Aruba a while ago.



Occasional Contributor II

Re: [How-to] Using Airwave GUI with an enterprise CA signed certificate

Has this changed in Airwave 8.2.4?

I suspect pound has been replaced with something else, as there is no config file under /etc.

Can I "copy/paste" the above instruction to my 8.2.4?
