Adding or Replacing a Signed Certificate on an Airwall Gateway for Conductor communication

Prerequisites

Before you can upload or replace a signed certificate, you need to have a CA certificate chain installed so that the Conductor can verify the certificates. For more information, see Installing a Custom CA Certificate Chain.

By default, the Airwall Gateways come with a Tempered factory-installed certificate. You can add your own custom CA certificate to use for Conductor communication.
Note: When you are in the process of replacing a certificate, the Airwall Gateway uses the existing certificate until the replacement is complete.
Note: For HA-paired Airwall Gateways, you can have a custom certificate on one or both.

Requesting and copying a CSR (Certificate Signing Request) for the Airwall Gateway

Once you have installed CA certificates (see Installing a Custom CA Certificate Chain), you can generate a Certificate Signing Request (CSR) to create a certificate (for example, with a PKI Registration Authority) for Airwall Gateway to Conductor Communication:
  1. In Conductor, open the Airwall Gateway to which you want to add a custom CA certificate.
  2. Go to Airwall gateway > PKI.
    Note: If the PKI tab is not visible, the Conductor does not have a custom CA certificate chain uploaded, and you need to complete Installing a Custom CA Certificate Chain.
  3. Select Get certificate.

    If you are replacing a certificate, open the Actions menu on the existing certificate and select Replace certificate.

  4. If you are adding a new certificate, under Distinguished Name, enter the Identity (Distinguished Name) for the certificate. For example, /C=US/O=Tempered/OU=Dev/CN=cond.example.com
    Note: If you are replacing a certificate, the Distinguished name remains the same.
  5. Select Request CSR.
  6. Under CSR, select either Copy or Download to get the CSR that you need to request a signed certificate.
  7. Select Cancel to close the dialog, or leave it up while you get the signed certificate.

Getting a signed certificate

Use the CSR to request a new signed certificate. You can generate a new signed certificate using your organization’s own process, or with a public PKI Registration Authority.

  1. Submit the Certificate Signing Request (CSR) you copied or downloaded to your Enterprise PKI Registration Authority. They use it to create your certificates.
  2. When you get the certificates, download or copy them.
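
Before uploading, you can confirm that the certificate you received actually belongs to the CSR you submitted and chains to the CA certificates installed on the Conductor. The script below is an added example, not part of the original documentation or of Tempered's tooling. It assumes the `openssl` command line tool and PEM files; the function names and file names are hypothetical, and `make_demo` only builds constructed sample material for trying the check offline.

```bash
# Added example (not Tempered code): checks to run on a signed certificate
# before pasting it under Signed Certificate. File names are placeholders.

# check_signed_cert CSR CERT CA_CHAIN
#   0 = ok, 1 = unreadable input, 2 = key mismatch,
#   3 = subject differs from CSR, 4 = does not verify against the CA chain
check_signed_cert() {
  local csr="$1" cert="$2" chain="$3" csr_key cert_key csr_dn cert_dn
  # The private key stays on the gateway, so the certificate is only usable
  # if it carries exactly the public key that was in the CSR.
  csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) ||
    { echo "cannot parse CSR" >&2; return 1; }
  cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "cannot parse certificate" >&2; return 1; }
  [ "$csr_key" = "$cert_key" ] ||
    { echo "certificate was issued for a different key" >&2; return 2; }
  # Assumption: the RA keeps the Distinguished Name requested in the CSR.
  csr_dn=$(openssl req -in "$csr" -noout -subject | sed 's/^subject= *//')
  cert_dn=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
  [ "$csr_dn" = "$cert_dn" ] ||
    { echo "subject changed: $csr_dn -> $cert_dn" >&2; return 3; }
  # Must chain to the CA certificates installed on the Conductor; this
  # also rejects an expired or not-yet-valid certificate.
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
    { echo "certificate does not verify against the CA chain" >&2; return 4; }
  echo "OK: $cert_dn"
}

# make_demo DIR: constructed sample material (throwaway CA, key, CSR and
# certificate) standing in for the gateway and the RA, for an offline trial.
make_demo() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Demo/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Tempered/OU=Dev/CN=cond.example.com" \
    -keyout "$1/gw.key" -out "$1/gw.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/gw.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/gw.pem" 2>/dev/null
}

# Run as: bash check.sh gateway.csr signed.pem ca-chain.pem
if [ "$#" -eq 3 ]; then check_signed_cert "$@"; fi
```

A non-zero exit code identifies which check failed, so the script can gate the upload step in a change procedure.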

Uploading the signed certificate to the Airwall Gateway

  1. In Conductor, open the Airwall Gateway for which you have a custom CA certificate.
  2. Go to Airwall gateway > PKI.
  3. Open the Actions menu on the existing certificate and select Edit.
  4. Under Signed Certificate, paste the custom-CA signed certificate to install the certificate on the Airwall Gateway.
  5. Select Save.