How do I certify HTTPS connections to my Cisco TelePresence MCU?
From Cisco TelePresence MCU version 2.3 onwards, if you have the Secure management (HTTPS) or Encryption feature key installed, the MCU supports secure HTTP connections (HTTPS) for the web interface. While this allows all traffic between the user and MCU to be encrypted, administrators enabling this should replace the supplied certificate and private key with their own, to allow the identity of the MCU to be authenticated. Note that you can only have one certificate per MCU.
In order to create a private key and certificate pair, using OpenSSL (for example):
- If necessary install the Secure management (HTTPS) or Encryption feature key.
- Go to Network > Services and open the secure web port.
- Connect to the MCU using HTTPS. You will receive a warning message indicating that the certificate provided by the MCU is not trusted.
- On your computer install OpenSSL*. This is available by default on many Unix/Linux systems, and can be downloaded for Windows from (at the time of writing): http://www.slproweb.com/products/Win32OpenSSL.html
- In a command window, go to the directory in which OpenSSL was installed, for example C:\OpenSSL\bin.
- Generate an RSA key pair using the command below.
> openssl genrsa -des3 -out MCU.key 2048
This command generates a single file called ‘MCU.key' which contains the public and private keys of the MCU. For security reasons, Cisco recommends that all keys be at least 2048 bits long. If the file will be stored anywhere apart from on the MCU, it should be protected by a passphrase. You are prompted to enter this passphrase twice.
- Create a certificate signing request to be sent to a certificate authority:
> openssl req -new -key MCU.key -out MCU.csr
This command will prompt for a number of attributes. The common name must match the host name or IP address of the MCU on which it will be installed. The certificate will only be valid when a client connects to the MCU using the common name provided.
For testing purposes and internal use, a self-created certificate authority may be used to sign the request. For maximum security, however, it is recommended that you submit the signing request to a well-known certificate authority instead. If you have chosen to do this then go step 11.
- Generate an RSA key pair for the self-created certificate authority:
> openssl genrsa -des3 -out CA.key 2048
- Create a root certificate for the self-created certificate authority:
> openssl req -new -x509 -key CA.key -out CA.cer -days 365
This command will prompt for a number of attributes. Ensure that the common name is different from that supplied previously.
When complete, install CA.cer as a root certificate in your client’s web browser. This allows the browser to trust certificates signed by the self-created authority.
- Sign the certificate using the self-created certificate authority:
> openssl x509 -req -in MCU.csr -CA CA.cer -CAkey CA.key -set_serial 01 -out MCU.cer
This creates a file called ‘MCU.cer’ which is the signed certificate for use by the MCU.
- On the MCU go to Network > SSL Certificates.
- For Certificate click Choose File and locate the signed certificate. If you followed steps 8 to 10 , the certificate is called MCU.cer. Alternatively, if your certificate was signed by a well-known authority, choose the signed certificate that they supplied.
- For Private key select the MCU.key file.
- For Private key encryption password, enter the passphrase used when generating the private key (if any).
- Click Upload certificate and key.
If the upload is successful, the local certificate information is updated to that of the new certificate, and a warning appears on the header of the web interface to prompt you to restart the MCU.
- Go to Settings > Shutdown and restart the MCU.
- After the MCU has restarted, connect to the web interface using HTTPS. You should not receive a warning message.
- Confirm that the correct certificate is being used. To do this:
- In Firefox: right-click on the page, choose View Page Info. Click on the Security tab, and click View.
- In Internet Explorer: right-click on the page, choose Properties. Click on Certificates.
- In Google Chrome: left-click on the padlock in the address bar.
* Cisco TelePresence is not responsible for the content of third party web sites
This article applies to the following products:
- Cisco TelePresence MCU 4200 / MSE 8420
- Cisco TelePresence MCU 4500
- Cisco TelePresence MSE 8510 blade
- Cisco TelePresence Advanced Media Gateway 3600
|February 7th, 2012||TAA_KB_157|