Certificate Considerations for ALEOS and AirLink Manager Communication

Commencing with AMM 2.17.5, an SSL certificate can be installed under Admin > System > Upload Certificate. See Upload System Certificate for more details on this process.

Depending on the ALEOS firmware version, there are a number of CA’s root certificate pre-loaded in ALEOS firmware for your convenience.

From ALEOS 4.17, it is now possible to side-load any CA’s root certificate if it is not already included on the list (including private root certificate).

If you want to use a root certificate for AMM server communication which is not already pre-loaded in ALEOS 4.16+, this root certificate must be side-loaded across the entire fleet manually in ACEmanager. There is no automated process for this capability.

All ALEOS gateways should be upgraded to version 4.17+ before attempting a switch or update to the internal or recently supported public CAs. During the switch from a pre-loaded SSL cert to another CA or private cert, the managment tunnel will be down. Once the new SSL certificate is installed on the AMM server and its corresponding root certificate is side-loaded in ACEmanager, the management tunnel connection will be restored.

To circumvent the potential for on-site upgrades or truck rolls, it is important to give extra attention to AMM 2.17.3+ deployments where firmware updates are constrained to the management tunnel(SWUpgradeMgmtTunnelOnly = yes) and where it may not be possible to enable direct HTTP/HTTPS updates, even if they are supported. If you have any questions, please contact Technical Support.

Note: DNS naming resolution must be enabled on the router network.

The following table can be used for previous versions of ALEOS firmware.

Certificate Authority	ALEOS Version
	4.15	4.16+
IdenTrust		✅
DigiCert		✅
Sectigo (previously known as Comodo)	✅	✅
Let’s Encrypt		✅
GoDaddy Group (Starfield, GoDaddy)	✅	✅
GlobalSign		✅
Entrust		✅