(ARCHIVED) airControl - How to Install SSL Certificate for the airControl Server

This article has been archived.

This article is current to the last version of airControl, but will not be updated further since airControl has been retired.

This article describes the process of installing an SSL certificate for airControl.

Table of Contents

  1. Introduction
  2. Steps: Installing an SSL Certificate
  3. Related Articles


Back to Top

This article assumes the user already has a trusted cetificate as .pfx/.p12 file. If user has the certificate in another format, like .crt for example, it is necessary to convert it to .pfx (find a tutorial of how to do so here). Take note of the password for the certificate; it will be used when generating the key store. A java keytool application that comes with Java JDK will be needed.

Steps: Installing an SSL Certificate

Back to Top

NOTE:In the instructions below, you will see bolded text found between these symbols: < >. They are placeholders you must substitute with the corresponding information of your own system. Replace the complete bolded text, including the symbols (< >). 

1. Create a new aircontrol.keystore file. Use the following commands to create a new aircontrol.keystore file:

<JDK installation directory>/bin/keytool -importkeystore -deststorepass '<my_keystore_password>' -destkeypass '<destination_key_password>' -destkeystore aircontrol.keystore -srckeystore <trusted_cetificate_file.p12> -srcstoretype PKCS12 -srcstorepass '<p12_file_password>' -alias <aircontrol> 

In the table below each element of the command is explained:



deststorepass The password for your generated key store. Later we will obfuscate it and add it to the airControl web server configuration.
destkeypass The password for the key that will be stored in keystore. Make sure to save this password for future reference.
srcstorepass  The password of you existing trusted certificate file.
alias The -name attribute value you used when converting to .pfx/.p12 format. 
User Tip:Remember to use strong passwords for both my_keystore_password and destination_key_password.

2. Override existing keystore file with the one you just created. After the aircontrol.keystore file is generated, override the existing keystore file in <airControl installation directory>/web/etc with new one.

3. Update airControl web server to use new keystore. The next step will be to update the airControl web server (Jetty) configuration in order to use the new keystore.

4. Obfuscate my_keystore_password using the following command:

java -cp <airControl installation directory>/lib/jetty-all-<version>.jar org.eclipse.jetty.util.security.Password 'my_keystore_password'
NOTE:jetty-all-<version>.jar should be replaced by the actual jar file name located in lib directory (e.g. jetty-all-9.4.1.v20170120.jar). 

5. Replace OBF string

After you run the command in step 4, you will see the text output containing <OBF:xxxxxxxx> string. Go to <AirControl install dir>/web/etc directory and modify jetty-ssl.xml file, in the following way:

Replace OBF:xxxxxxxx with newly obfuscated in the following lines:

<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:xxxxxxx"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:xxxxxxx"/></Set>

6. Restart server and test by logging in from a web browser.

ATTENTION:Make sure you make a backup of <AirControl install dir>/web/etc after every successful setup, in case it's overwritten by mistake.

Related Articles

Back to Top

Intro to Networking - How to Establish a Connection Using SSH

Was this article helpful?
0 out of 0 found this helpful
Can't find what you're looking for?
Visit our worldwide community of Ubiquiti experts for more answers
Visit the Ubiquiti Community