SSL Enforcement

Overview

In order to improve the overall security posture of AIR, accessing AIR over HTTPS is mandatory.

For this reason, it is required that all existing users obtain an SSL certificate issued by a valid public Certificate Authority before updating their instances.

As a fallback to ensure system continuity, you can also use the unique self-signed certificate issued automatically by AIR, either temporarily or as a permanent solution.

IMPORTANT NOTE: Port 443 should be allowed inbound on your AIR console instance.

What Happens When Using a Private Root Certificate Authority (CA)

When the AIR Console is configured to use a TLS certificate issued by a private Root Certificate Authority (CA), all client components must explicitly trust that Root CA. This applies to:

  • All browsers accessing the AIR Console

  • All assets where the AIR Responder is installed

The Root CA certificate must be securely distributed and added to the trusted certificate store of each browser and asset. This ensures TLS validation succeeds and secure communication with the AIR Console can be established without errors.
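
The trust requirement above can be checked with openssl. The following is an added example, not part of AIR or its documentation: it builds a throwaway Root CA and a console certificate (every name, key and path is constructed) and shows that validation succeeds only when the issuing Root CA is the trust anchor. The fingerprint helper is an assumed way to compare a distributed Root CA file against the original.

```shell
#!/bin/sh
# Constructed demo PKI: every name, key and path here is made up for illustration.

# Build a throwaway private Root CA, a console certificate it issues,
# and a second unrelated root, all inside directory $1.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Private Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=air-console.example.internal" \
        -keyout "$d/console.key" -out "$d/console.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/console.csr" -days 1 \
        -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/console.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Unrelated Root" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

# chains_to_root CERT ROOT: succeeds when CERT validates with ROOT as trust anchor.
chains_to_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, for comparing the distributed
# Root CA file against the original out of band.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo=$(mktemp -d)
make_demo_pki "$demo"
if chains_to_root "$demo/console.crt" "$demo/root.crt"; then
    echo "trusted:   console cert validates against the private Root CA"
fi
if ! chains_to_root "$demo/console.crt" "$demo/other.crt"; then
    echo "untrusted: same cert fails when only an unrelated root is trusted"
fi
echo "Root CA SHA-256: $(fingerprint "$demo/root.crt")"
rm -rf "$demo"
```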

How does it work?

  • AIR issues a unique Root CA (self-signed) and shares its public key with the asset responders upon their first connection to the AIR console.

  • Then an SSL certificate is issued by this Root CA for responder-console communication.

  • This SSL certificate is only used by the asset responder and is not available to other applications on your assets for security reasons.

My browser displays a warning message when I use the automatically created SSL certificate. What should I do?

Self-signed certificates are provided for business continuity purposes and we strongly suggest using an SSL certificate that is issued by a trusted Root CA. Until you obtain a valid certificate, you can follow the workarounds for major browsers listed below:

What if I already use a valid certificate?

During the update, AIR will still create a unique Root CA for your instance and share the public key with the responders. If you already use AIR with a valid SSL certificate, a new SSL certificate will not be issued, and your current certificate will continue to be used.

What happens if I update with a self-signed/invalid/unverified/expired certificate installed?

In this case, the old certificate will be saved locally on the AIR console for backup purposes and AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the responders. From this point on, an SSL certificate that is issued using this Root CA will be used for responder-console communication.

What if I haven't installed any certificates yet?

AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the responders. From this point on, an SSL certificate that is issued using this Root CA will be used for responder-console communication.

What if I'm installing AIR now for the first time?

AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the responders. From this point on, an SSL certificate that is issued using this Root CA will be used for responder-console communication.
