AIR SSL Enforcement

Overview

In previous releases of Binalyze AIR, communication between the agents and the console was over HTTP by default.
To improve the overall security posture of AIR, accessing AIR over HTTPS becomes mandatory from version 2.5.
For this reason, all existing users must obtain an SSL certificate issued by a valid public Certificate Authority before updating their instances.
As a fallback to ensure system continuity, you can also use the unique self-signed certificate issued automatically by AIR, either temporarily or as a permanent solution.
IMPORTANT NOTE: Port 443 should be allowed inbound on your AIR console instance before upgrading to version 2.5.
RELEASE DATE: Version 2.5 will be officially released on May 16th, 2022 for our existing customers. If you want to download and install it before the official release date, you can follow the instructions here.

How does it work?

  • Version 2.5 creates a unique self-signed Root CA and shares its public key with the endpoint agents upon their first connection to the AIR console.
  • Then an SSL certificate is issued by this Root CA for agent-console communication.
  • This SSL certificate is only used by the endpoint agents and is not available to other applications on your assets for security reasons.

My browser displays a warning message when I use the automatically created SSL certificate. What should I do?

Self-signed certificates are provided for business continuity purposes and we strongly suggest using an SSL certificate that is issued by a trusted Root CA. Until you obtain a valid certificate, you can follow the workarounds for major browsers listed below:

What if I already use a valid certificate?

During the update, AIR will still create a unique Root CA for your instance and share the public key with the agents. If you already use AIR with a valid SSL certificate, a new SSL certificate will not be issued, and your current certificate will continue to be used.

What happens if I update with a self-signed/invalid/unverified/expired certificate installed?

In this case, the old certificate will be saved locally on the AIR console for backup purposes and AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the agents. From this point on, an SSL certificate that is issued using this Root CA will be used for agent-console communication.
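
A pre-upgrade check for which case in this FAQ the currently installed console certificate falls into, written with the openssl command line. This is an added example, not Binalyze code: AIR's own validation logic is not described here, and the script name, file arguments and category labels are assumptions.

```shell
#!/bin/sh
# Added example (not Binalyze code): pre-upgrade triage of a console certificate.
# Usage: sh classify_cert.sh <cert.pem> [ca-bundle.pem]
# Prints one of: unreadable, expired, self-signed, valid, unverified.
classify_cert() {
    cert=$1
    bundle=${2:-}   # optional CA bundle; default is the system trust store

    # Not a parseable PEM certificate at all.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
        return 1
    fi

    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
        return 0
    fi

    # Subject and issuer name hashes match: the certificate names itself as
    # its issuer, so no public CA vouches for it.
    subject=$(openssl x509 -in "$cert" -noout -subject_hash)
    issuer=$(openssl x509 -in "$cert" -noout -issuer_hash)
    if [ "$subject" = "$issuer" ]; then
        echo self-signed
        return 0
    fi

    # Chain validation against the chosen trust anchors.
    if [ -n "$bundle" ]; then
        openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 && { echo valid; return 0; }
    else
        openssl verify "$cert" >/dev/null 2>&1 && { echo valid; return 0; }
    fi
    echo unverified
}

# Run only when a certificate path is given on the command line.
if [ $# -gt 0 ]; then
    classify_cert "$@"
fi
```

A leaf certificate issued through an intermediate CA reports unverified unless the bundle passed as the second argument contains that intermediate.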

What if I haven't installed any certificates yet?

AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the agents. From this point on, an SSL certificate that is issued using this Root CA will be used for agent-console communication.

What if I'm installing AIR now for the first time?

AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the agents. From this point on, an SSL certificate that is issued using this Root CA will be used for agent-console communication.