Links

AIR SSL Enforcement

Overview

In order to improve the overall security posture of AIR, accessing AIR over HTTPS is mandatory.
For this reason, it is required that all existing users obtain an SSL certificate issued by a valid public Certificate Authority before updating their instances.
As a fallback to ensure system continuity, you can also use the unique self-signed certificate issued automatically by AIR, either temporarily or as a permanent solution.
IMPORTANT NOTE: Port 443 should be allowed inbound on your AIR console instance.

How does it work?

  • A unique Root CA (self-signed) and shares the public key of this with the endpoint agents upon their first connection to the AIR console.
  • Then an SSL certificate is issued by this Root CA for agent-console communication.
  • This SSL certificate is only used by the endpoint agents and is not available to other applications on your assets for security reasons.

My browser displays a warning message when I use the automatically created SSL certificate. What should I do?

Self-signed certificates are provided for business continuity purposes and we strongly suggest using an SSL certificate that is issued by a trusted Root CA. Until you obtain a valid certificate, you can follow the workarounds for major browsers listed below:

What if I already use a valid certificate?

During the update, AIR will still create a unique Root CA for your instance and share the public key with the agents. If you already use AIR with a valid SSL certificate, a new SSL certificate will not be issued, and your current certificate will continue to be used.

What happens if I update with a self-signed/invalid/unverified/expired certificate installed?

In this case, the old certificate will be saved locally on the AIR console for backup purposes and AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the agents. From this point on, an SSL certificate that is issued using this Root CA will be used for agent-console communication.

What if I haven't installed any certificates yet?

AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the agents. From this point on, an SSL certificate that is issued using this Root CA will be used for agent-console communication.

What if I'm installing AIR now for the first time?

AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the agents. From this point on, an SSL certificate that is issued using this Root CA will be used for agent-console communication.