This article relates to the Cisco TelePresence MCU 4203, Cisco TelePresence MCU MSE 8420, Cisco TelePresence MCU 4505, Cisco TelePresence MCU MSE 8510 and Cisco TelePresence Advanced Media Gateway 3610 products.
A. From Codian MCU version 2.3 onwards, if you have the Secure management (HTTPS) or Encryption feature key installed, the MCU supports secure HTTP connections (HTTPS) for the web interface. While this allows all traffic between the user and MCU to be encrypted, administrators enabling this should replace the supplied certificate and private key with their own, to allow the identity of the MCU to be authenticated. Note that you can only have one certificate per MCU.
To create a private key and certificate pair (using OpenSSL, for example) and install them on the MCU:
If necessary install the Secure management (HTTPS) or Encryption feature key.
Go to Network > Services and open the ports.
Connect to the MCU using HTTPS, accepting the temporary certificate issued by us.
On your computer install OpenSSL*. This is available by default on many Unix/Linux systems, and can be downloaded for Windows from (at the time of writing): http://www.slproweb.com/products/Win32OpenSSL.html
In a command window, go to the directory in which OpenSSL was installed, for example C:\OpenSSL\bin.
Generate an RSA private key using the command below. This command generates a file called 'privkey.pem' which is your private key. TANDBERG recommends this key be at least 2048 bits long. If this private key will be stored anywhere apart from on the MCU, it should be protected by a passphrase: you are prompted to enter this passphrase twice.
> openssl genrsa -des3 -out privkey.pem 2048
Create a certificate based on this private key using one of the commands below. For testing and internal use, this certificate can be self-signed, but for maximum security it should be signed by a certificate authority.
To create a self-signed certificate (a file called cert.pem) use:
> openssl req -new -x509 -key privkey.pem -out cert.pem -days 1000
Or for a certificate request to be sent to a certificate authority use:
> openssl req -new -key privkey.pem -out cert.csr
Both of these commands prompt for a number of attributes. The common name must match the host name or IP address of the MCU on which it will be installed.
If you are using chained certificates, the chained certificates, in PEM format, must be appended to the end of the unit's certificate. This can be done in two ways: by copying and pasting in a text editor, or by using a tool such as the Unix cat command (e.g. cat cert.pem authority.pem > chained.pem). Then upload the created file.
On the MCU go to Network > SSL certificates.
For Certificates, click Browse and find the certificate you created (this is in the directory you used previously). If you created a self-signed certificate, the certificate is called cert.pem. For one signed by a certificate authority, choose the signed certificate that they have supplied.
For Private key, select the privkey.pem file.
For Private key encryption password, enter the passphrase used when generating the private key (if any).
Click Upload certificate and key. If the upload is a success, the local certificate information is updated to that of the new certificate, and a warning appears on the header of the web interface to prompt you to restart the MCU.
Go to Settings > Shutdown and restart the MCU.
After it has restarted, connect to the web interface using HTTPS. If you used a self-signed certificate, ignore the warning messages.
Confirm that the correct certificate is being used. To do this:
- In Firefox: right-click on the page, choose View Page Info. Click on the Security tab, and click View.
- In Internet Explorer: right-click on the page, choose Properties. Click on Certificates.
* TANDBERG is not responsible for the content of third party web sites
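
A pre-upload check for the files produced in the steps above, added here as an example and not part of the original article or of any Cisco/TANDBERG tooling. It confirms that the private key belongs to the first certificate in the file (which also catches a chained file assembled in the wrong order), that the key is at least 2048 bits, and that the common name equals the MCU address. The function name check_mcu_upload and the KEY_PASS variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: consistency checks to run before uploading to the MCU.
# Usage: sh check_mcu_upload.sh cert.pem privkey.pem <MCU host name or IP>
# KEY_PASS (assumed variable name, optional) holds the private key passphrase.

check_mcu_upload() {
    cert=$1 key=$2 host=$3 rc=0

    # openssl x509 reads only the FIRST certificate in a file, so for a
    # chained file this inspects whichever certificate was placed first.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) ||
        { echo "FAIL: cannot read a certificate from $cert"; return 1; }
    key_mod=$(KEY_PASS="${KEY_PASS:-}" openssl rsa -in "$key" -noout -modulus \
        -passin env:KEY_PASS 2>/dev/null) ||
        { echo "FAIL: cannot read $key (wrong or missing passphrase?)"; return 1; }

    # 1. The private key must belong to the first certificate in the file.
    if [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: key does not match the first certificate in $cert"
        rc=1
    fi

    # 2. Key length: each hex digit of the modulus carries 4 bits.
    hex=${key_mod#Modulus=}
    bits=$(( ${#hex} * 4 ))
    if [ "$bits" -lt 2048 ]; then
        echo "FAIL: RSA key is $bits bits, the article recommends at least 2048"
        rc=1
    fi

    # 3. The common name must equal the MCU's host name or IP address.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1)
    if [ "$cn" != "$host" ]; then
        echo "FAIL: common name '$cn' does not match '$host'"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $bits-bit key, CN=$cn, files are consistent"
    return "$rc"
}

# Run the check only when the script is given its three arguments.
if [ "$#" -eq 3 ]; then check_mcu_upload "$@"; fi
```

Setting KEY_PASS in the environment keeps the passphrase off the command line, where other local users could read it from the process list.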