Creating certificates for Codian MCUs

If you want to use HTTPS (without the annoying browser certificate warnings) or MTLS with a Codian MCU, you’ll need to install a certificate on the MCU.

Remember that you’ll need the “Encryption” release key to enable SSL in any form. This is a free key that can be ordered from TAC.

Under Network -> SSL certificates, you’ll find this screen:

[Screenshot: Certificate config]

So we need to provide a certificate and a private key corresponding to the certificate, which means that we need to create a CSR and import both the key and the certificate to the MCU.

I’ll show how to do this using OpenSSL and a Windows CA. If there is an OCS/Lync implementation in the environment, you could use the wizard to create the cert, but you would have to split it up with something like OpenSSL afterwards anyway, so the easiest thing is just to create it all with OpenSSL.

OpenSSL can be found for almost any platform; I use OpenSSL for win32.

Create the CSR

Use this command to create the CSR:

openssl req -new -newkey rsa:2048 -nodes -out <name_of_the_cert>.csr -keyout <name_of_the_key_file>.key -subj "/C=<countrycode>/ST=<state>/L=<City>/O=<Organisation>/OU=<Organisational Unit>/CN=<fqdn.of.mcu>"

Replace all the <variables> with the correct values.

This should create two files, <name_of_the_cert>.csr and <name_of_the_key_file>.key, in the directory where you ran the command.

Create the cert

Copy the .csr file to the CA. In a cmd window, navigate to the folder you copied the .csr to and run:

certreq -submit -attrib "CertificateTemplate: WebServer" <name_of_the_cert>.csr

If the CA is configured to issue certs automagically, you should be asked where to save the .cer. If not, you’ll have to open the CA MMC snap-in and issue the cert manually.

Add the cert to the MCU

Back on the MCU, browse to the .cer in the Certificate field and the .key in the Private Key field. Leave the password field empty (the key was created with -nodes, so it is not encrypted). Restart the MCU and you should be good to go.

Creating a trust store

The trust store to be uploaded needs to be in .pem format. Export the root certificate you need to trust to a DER-encoded file (normally .cer) and run the following command:

openssl x509 -inform der -in <rootcert>.cer -out <rootcert>.pem

<rootcert>.pem can be uploaded as the trust store. 
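
Before uploading anything, it is worth confirming that the issued certificate really belongs to the key created with the CSR, and getting the certificate into PEM whichever encoding the CA export used. The script below is an added example, not part of the original post; the file names, the FQDN mcu.example.com and the self-signed certificate standing in for the CA-issued one are constructed for the demo.

```shell
#!/bin/sh
# Added example: checks to run on the files before uploading them to the MCU.
# All file names and the FQDN "mcu.example.com" are constructed for the demo.

# Print a certificate as PEM whether the input is DER or already PEM (Base64).
to_pem() {  # $1 = certificate file
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1"
    else
        openssl x509 -inform der -in "$1"
    fi
}

# Return 0 only if the certificate and the private key hold the same public key.
# Returns 1 on a mismatch and 2 if either file cannot be read or parsed.
key_matches_cert() {  # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Build constructed demo files: a key, a self-signed certificate standing in
# for the CA-issued one (saved as DER, like a .cer export), and an unrelated key.
make_demo_files() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mcu.example.com" \
        -keyout "$1/mcu.key" -out "$1/mcu.pem" 2>/dev/null &&
    openssl x509 -in "$1/mcu.pem" -outform der -out "$1/mcu.cer" &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

dir=$(mktemp -d) && make_demo_files "$dir" || exit 1
to_pem "$dir/mcu.cer" > "$dir/from_der.pem"
key_matches_cert "$dir/from_der.pem" "$dir/mcu.key" && echo "mcu.key matches certificate"
key_matches_cert "$dir/from_der.pem" "$dir/other.key" || echo "other.key does NOT match"
rm -rf "$dir"
```

A mismatch here usually means the .cer was issued for a different CSR than the one that produced the .key file.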

Tandberg TCAP Day 3

Today's topic is the Tandberg Codian MCU 4500 series.

I do not know anything about the Codian at all, so today will be purely lecture notes. The references to pages are pages in the course material.

The main difference between the 4500 series and the 4200 series is the number of DSP chips. Also, the 4200 has no support for Tandberg Codian ClearVision, and if you want a higher resolution than CIF, you need to order an upgrade option.

ClearVision is described on page 16; it allows video media to be enhanced by up to 4 times the original resolution.

The 4200 uses an additional port for streaming. The 4500 does not. See the number of ports on page 22.

The Codian MCU has two types of prefixes: a service prefix, which is the same as on the MPS, and a prefix that registers the full number on the gatekeeper. This can be used if you have a border controller and allow calls from the outside: you can deny outside callers access to your internal conferences, which use the service prefix, while allowing calls to external conferences, which use the GK registration prefix.

All conferences need to have a unique name, and it cannot be the same as old conferences either. It is therefore important to purge old conferences from time to time.

On versions 2.0 and older, you have to do a factory reset to recover a lost password, see page 88. On version 2.1 and newer, there is a reset password command on the console interface, see page 86.

And I passed the test 😀 I am now Tandberg TCAP!