Avalanche 6.X and Certificates

Version 7

    Verified Product Versions

    Wavelink Avalanche 6.1Wavelink Avalanche 6.0




    Avalanche 6.x requires an SSL certificate for secure communication for all styles of Smart Devices. This document is designed as a quick reference guide as well as general data repository for details on certificates. This will be a living document that will get updated frequently with relevant data. You can also find valuable information within our help documentation: http://help.wavelink.com/docs/help/en_US/AVA/6.1/Avalanche/Install/GeneratingInstallingCertificates.htm


    Environment: iOS



    For secure communication for iOS devices, please see the following articles:


    Environment: Android


    Android devices are much easier to setup and use. This is due to a more robust environment provided by Android


    Style of certs allowed:

    • Third party signed (preferred for security and ease of use)
    • Self-Signed


    Third Party Certs



    Third Party Signed certs for Android should be generated with a full certification Chain of Trust. For example:



    Within this certification path we can see the cert path from our domain all the way to the Cert Authority.


    If you have multiple layers of Certificate Authorities, please ensure they are added to the cert.

    Avalanche will support PFX/P12 certs. PFX certs were designed as a Microsoft Extension whereas the P12 was designed for Netscape. Previously these certs were extremely different but with modern versions of these certs they have become identical, meaning they will work the same way.


    If you have concerns about one cert type or another you should be able to rename the file extension and the certificate will work the same.


    PLEASE BE AWARE: Ivanti does not have a preferred CA. Though it should be pointed out some CA’s have easier Cert tools than others.


    Self Signed Certs


    We have multiple methods to assist with creating a self-signed cert. It must be pointed out that a self-signed cert will have limitations when it comes to replacing the certificate. Because the keys will be different from self-signed to self-signed you will need to re-enroll a device when it is about to expire. This will be a manual process requiring someone to touch each device to re-register. You will also be required to use a pin code or pattern lock screen on each of the devices. Finally, you will be unable to use the bulk enrollment feature.



    It should be pointed out that as of enabler for android we have began increasing the security of the Avalanche Android Enabler. This means we have become more strict in how we work with certs and you can see issues in your environment that were not previously there. This is only seen with self signed certs.


    We will provide a certificate troubleshooting guide at a later time


    Common Issues with certs

    1. E com.wavelink.android.ans.AbstractPrioritizedANSSocketThread: Failed getting socket stream for host FQDN, Reason:com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: Certificate not valid until Mon Feb 13 00:00:00 GMT+00:00 2017 (compared to Sun Jan 22 19:41:23 GMT+00:00 2017)
      • The device must have a date within the valid window of the certificate
    2. Unable to resolve host "FQDN": No address associated with hostname:Unable to resolve host "FQDN": No address associated with hostname
      • This is resolved by adding a Subject Alternate Name
      • also has been resolved by updating server.crt Install Cert Failed
    3. E/com.wavelink.android.webservices.TransportThread(1607): 2014-09-11 21:10:22.96 No peer certificate
      • Cert does not contain full chain
      • also has been resolved by updating server.crt Install Cert Failed


    Splashtop Certificates:

    Splashtop Center accepts PFX (Personal Information Exchange) format for SSL certificates.


    Just like the SDS you must have a full chain of trust and have a password for your certificate.


    More information to come!