Add or Replace a Signed Certificate on an Airwall Gateway for Conductor Communication

By default, the Airwall Gateways come with a Tempered factory-installed certificate. You can add your own custom CA certificate to use for Conductor communication.

Supported Versions
2.2.10 Airwall Gateways and Conductor
Supported on these Airwall Edge Services
Airwall Gateways
Note: When you are in the process of replacing a certificate, the Airwall Gateway uses the existing certificate until the replacement is complete.
Note: For HA-paired Airwall Gateways, you can have a custom certificate on one or both.

Before you Begin

Before you can upload or replace a signed certificate, you need to have a CA certificate chain installed so that the Conductor can verify the certificates. For more information, see Install a Custom CA Certificate Chain.

Step 1: Request and copy a CSR (Certificate Signing Request) for the Airwall Gateway

Once you’ve installed CA certificates (see Install a Custom CA Certificate Chain), you can generate a Certificate Signing Request (CSR) to create a certificate (for example, with a PKI Registration Authority) for Airwall Gateway to Conductor Communication:

  1. In Conductor, open the Airwall Gateway for which you want to add a custom CA certificate.
  2. Go to Airwall gateway > PKI.
    Note: If the PKI tab is not visible, either the Conductor doesn't have custom CA certificate chain uploaded and you need to Install a Custom CA Certificate Chain, OR the Airwall version is not 2.2.10 or later.
  3. Select Get certificate.
    Airwall PKI tab New Certificate

    If you are replacing a certificate, open the Actions menu on the existing certificate and select Replace certificate.

    Action menu showing Replace certificate option
  4. If you're adding a new certificate, under Distinguished Name, enter the Identity (Distinguished Name) for the certificate. For example, /C=US/O=Tempered/OU=Dev/CN=cond.example.com
    New Conductor communication certificate dialog box asking for Distinguished name
    Note: If you’re replacing a certificate, the Distinguished name remains the same.
  5. Select Request CSR.
  6. Under CSR, select either Copy or Download to generate and get the CSR you need to get a signed certificate.
  7. Select Cancel to close the dialog, or leave it up while you get the signed certificate.

Step 2: Get a signed certificate

Use the CSR to request a new signed certificate. You can generate a new signed certificate using your organization’s own process, or with a public PKI Registration Authority.

  1. Submit the Certificate Signing Request (CSR) you copied or downloaded to your Enterprise PKI Registration Authority. They use it to create your certificates.
  2. When you get the certificates, download or copy them.

Step 3: Upload the signed certificate to the Airwall Gateway

  1. In Conductor, open the Airwall Gateway for which you have a custom CA certificate.
  2. Go to Airwall gateway > PKI.
  3. Open the Actions menu on the existing certificate and select Edit
  4. Under Signed Certificate, paste the custom-CA signed certificate to install the certificate on the Airwall Gateway.
    Edit Conductor communication certificate dialog where you past customer certificate
  5. Select Save.