Are you encountering security warnings when accessing AIR? Let's demystify the process of changing SSL certificates in AIR to ensure seamless and secure connections.
Understanding Self-Signed Certificates:
Many users wonder why they receive security warnings when accessing AIR. These warnings often stem from the use of self-signed certificates, which are SSL certificates created without a certificate authority. While self-signed certificates offer convenience, they lack the validation provided by certificate authorities, leading to "untrusted" status in browsers.
Navigating CSR and Certificate Authorities:
To obtain SSL/TLS certificates, organizations generate Certificate Signing Requests (CSRs) and submit them to certificate authorities (CAs) for validation. However, AIR does not handle CSRs due to identity verification complexities and associated fees. Instead, users are encouraged to create CSRs using tools like OpenSSL and obtain certificates from trusted CAs.
Importing Certificates into AIR:
To import corporate or self-signed certificates into AIR, users must establish the certificate chain, including the certificate itself, intermediate certificate, and root certificate. This process can be accomplished using a text editor and importing the combined certificate chain into the platform.
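The chain order described above (certificate, then intermediate, then root), together with CSR creation through OpenSSL, shown as an added example that is not part of the original page or of AIR itself. The function names, file names and the host name air.example.test are assumptions made for illustration, and all certificates are throwaway test data.

```bash
# Added example: assemble a PEM chain and check its order (constructed test data).

# build_chain OUT CERT INTERMEDIATE ROOT: concatenate in the order given above.
build_chain() { out=$1; shift; cat "$@" > "$out"; }

# check_chain_order FILE: succeed only if each certificate's issuer matches the
# subject of the next one and the last certificate is self-issued (a root).
# Names only: signatures and expiry are not validated here.
check_chain_order() {
    dir=$(mktemp -d) || return 2
    # Split the bundle into 1.pem, 2.pem, ... and print how many were found.
    n=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") } END { print n + 0 }' "$1")
    i=1; rc=0
    [ "$n" -ge 1 ] || rc=1
    while [ "$i" -le "$n" ] && [ "$rc" -eq 0 ]; do
        next=$i; [ "$i" -lt "$n" ] && next=$((i + 1))
        issuer=$(openssl x509 -noout -issuer_hash -in "$dir/$i.pem" 2>/dev/null)
        subject=$(openssl x509 -noout -subject_hash -in "$dir/$next.pem" 2>/dev/null)
        [ -n "$issuer" ] && [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# make_demo_pki DIR: throwaway root, intermediate and server certificate (CSR-based).
make_demo_pki() {
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed Root CA" -keyout root.key -out root.pem
      openssl req -new -newkey rsa:2048 -nodes \
          -subj "/CN=Constructed Intermediate CA" -keyout int.key -out int.csr
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -days 1 -extfile ca.ext -out int.pem
      openssl req -new -newkey rsa:2048 -nodes \
          -subj "/CN=air.example.test" -keyout leaf.key -out leaf.csr
      openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
          -CAcreateserial -days 1 -out leaf.pem
    ) >/dev/null 2>&1
}

# Demo: the correct order passes, a swapped order is rejected.
demo=$(mktemp -d) && make_demo_pki "$demo"
build_chain "$demo/chain.pem" "$demo/leaf.pem" "$demo/int.pem" "$demo/root.pem"
check_chain_order "$demo/chain.pem" && echo "chain.pem: order OK"
build_chain "$demo/bad.pem" "$demo/leaf.pem" "$demo/root.pem" "$demo/int.pem"
check_chain_order "$demo/bad.pem" || echo "bad.pem: wrong order"
```

Signature validity is a separate check, for example `openssl verify -CAfile root.pem -untrusted int.pem leaf.pem` on the individual files.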
Clarifying Common Queries:
Properly posed questions, such as "How can I import my corporate certificate to AIR?" or "How can I upload my self-signed certificate to AIR?", help streamline the process. The answer lies in establishing the certificate chain and, for self-signed certificates, ensuring that the certificate is included in the clients' trusted root certificates section.
Final Thoughts:
While SSL certificate management may seem complex, the tasks involved are straightforward. Support engineers need not possess extensive SSL knowledge, and consulting a system administrator is always recommended for SSL-related tasks. By understanding these fundamentals, users can navigate SSL certificate changes with confidence in AIR.
In order to improve the overall security posture of AIR, accessing AIR over HTTPS is mandatory.
For this reason, it is required that all existing users obtain an SSL certificate issued by a valid public Certificate Authority before updating their instances.
As a fallback to ensure system continuity, you can also use the unique self-signed certificate issued automatically by AIR, either temporarily or as a permanent solution.
IMPORTANT NOTE: Port 443 should be allowed inbound on your AIR console instance.
AIR issues a unique Root CA (self-signed) and shares the public key of this Root CA with the asset responders upon their first connection to the AIR console.
Then an SSL certificate is issued by this Root CA for responder-console communication.
This SSL certificate is only used by the asset responder and is not available to other applications on your assets for security reasons.
Self-signed certificates are provided for business continuity purposes and we strongly suggest using an SSL certificate that is issued by a trusted Root CA. Until you obtain a valid certificate, you can follow the workarounds for major browsers listed below:
During the update, AIR will still create a unique Root CA for your instance and share the public key with the responders. If you already use AIR with a valid SSL certificate, a new SSL certificate will not be issued, and your current certificate will continue to be used.
In this case, the old certificate will be saved locally on the AIR console for backup purposes and AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the responders. From this point on, an SSL certificate that is issued using this Root CA will be used for responder-console communication.
AIR will issue a unique Root CA (self-signed) and share the public key of this Root CA with the responders. From this point on, an SSL certificate that is issued using this Root CA will be used for responder-console communication.