Creating certificates for Codian MCUs

If you want to use HTTPS (without the annoying browser certificate warnings) or MTLS with a Codian MCU, you’ll need to install a certificate on the MCU.

Remember that you’ll need the “Encryption” release key to enable SSL in any form. This is a free key that kan be ordered from TAC.

Under Network -> SSL certificates, you’ll find this screen:

Certificate config

So we need to provide a certificate and a private key corresponding to the certificate, which means that we need to create a CSR and import both the key and the certificate to the MCU.

I’ll show how to do this using openSSL and a Windows CA. If there is an OCS/Lync implementation in the environment, you could use the wizard to create the cert, but you would have to split it up with something like openSSL afterwords anyway, so the easiest thing is just to create it all with openSSL.

openSSL can be found for almost any platform, I use openSSL for win32 

Create the CSR

Use this command to create the CSR

openssl req -new -newkey rsa:2048 -nodes -out <name_of_the_cert>.csr -keyout <name_of_the_key_file>.key -
subj "/C=<countrycode>/ST=<state>/L=<City>/O=<Organisation>/OU=<Organisational Unit>/CN=<fqdn.of.mcu>"

Exchange all the <variables> with the correct values.

This should create two files, <name_of_the_cert>.csr and <name_of_the_key_file>.key and place them in the same directory as you run the command.

Create the cert

Copy the .csr file to the CA. In a cmd window, navigate to the folder you copied the .csr to and run:

certreq -submit -attrib "CertificateTemplate: WebServer" <name_of_the_cert>.csr

If the CA is configured to issue certs automagiacally, you should have be asked where to save the .cer. If not, you’ll have to open the CA MMC snapin and issue the cert manually.

Add the cert to the MCU

Back on the MCU, browse to the .cer in the Certificate field and the .key in the Private Key field. Leave the password field empty. Restart the MCU and you should be good to go.

Creating a trust store

The trust store to be uploaded needs to be in .pem format. Export the root certificate you need to trust to a DER encoded file. (normally .cer) and run the following command:

openssl x509 -inform der -in <rootcert>.cer -out <rootcert>.pem

<rootcert>.pem can be uploaded as the trust store. 

2 thoughts on “Creating certificates for Codian MCUs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s