You can add certificates from the device's local web interface. Alternatively, you can add certificates by running API commands. To see which commands allow you to add certificates, see .

Service certificates and trusted CAs

Certificate validation may be required when using TLS (Transport Layer Security). A server or client may require that the device presents a valid certificate to them before communication is set up.

The certificates are text files that verify the authenticity of the device. These certificates must be signed by a trusted certificate authority (CA). To verify the signature of the certificates, a list of trusted CAs must reside on the device. The list must include all CAs needed in order to verify certificates for both audit logging and other connections.

Certificates are used for the following services: HTTPS server, SIP, IEEE 802.1X, and audit logging. You can store several certificates on the device, but only one certificate is enabled for each service at a time.

On RoomOS October 2023 and later, when you add a CA certificate to a device, it is also applied to a Room Navigator if one is connected. To sync the previously added CA certificates to a connected Room Navigator, you must reboot the device. If you don't want the peripherals to get the same certificates as the device it's connected to, set the configuration Peripherals Security Certificates SyncToPeripherals to False.

Previously stored certificates are not deleted automatically. The entries in a new file with CA certificates are appended to the existing list.

For Wi-Fi connection

We recommend that you add a trusted CA certificate for each Board, Desk, or Room Series device, if your network uses WPA-EAP authentication. You must do this individually for each device, and before you connect to Wi-Fi.

To add certificates for your Wi-Fi connection, you need the following files:

  • CA certificate list (file format: .PEM)

  • Certificate (file format: .PEM)

  • Private key, either as a separate file or included in the same file as the certificate (file format: .PEM)

  • Passphrase (required only if the private key is encrypted)

The certificate and the private key are stored in the same file on the device. If authentication fails, the connection will not be established.

Private key and passphrase are not applied to connected peripherals.


From the customer view in , go to the Devices page, and select your device in the list. Go to Support and launch Local Device Controls .

If you have set up a local Admin user on the device, you can access the web interface directly by opening a web browser and typing in http(s)://<endpoint ip or hostname>.


Navigate to Security > Certificates > Custom > Add Certificate and upload your CA root certificate(s).


On openssl, generate a private key and certificate request. Copy the content of the certificate request. Then paste it to request the server certificate from your certificate authority (CA).


Download the server certificate signed by your CA. Ensure that it is in .PEM format.


Navigate to Security > Certificates > Services > Add Certificate and upload the private key and the server certificate.


Enable the services that you want to use for the certificate you just added.