You can add certificates from the device's local web interface. Alternatively, you can add certificates by running API commands. To see which commands allow you to add certificates, see roomos.cisco.com.

Service certificates and trusted CAs

Certificate validation may be required when using TLS (Transport Layer Security). A server or client may require that the device presents a valid certificate to them before communication is set up.

The certificates are text files that verify the authenticity of the device. These certificates must be signed by a trusted certificate authority (CA). To verify the signature of the certificates, a list of trusted CAs must reside on the device. The list must include all CAs needed in order to verify certificates for both audit logging and other connections.

Certificates are used for the following services: HTTPS server, SIP, IEEE 802.1X, and audit logging. You can store several certificates on the device, but only one certificate is enabled for each service at a time.

On RoomOS October 2023 and later, when you add a CA certificate to a device, it is also applied to a Room Navigator if one is connected. To sync the previously added CA certificates to a connected Room Navigator, you must reboot the device. If you don't want the peripherals to get the same certificates as the device they're connected to, set the configuration Peripherals Security Certificates SyncToPeripherals to False.


Previously stored certificates are not deleted automatically. The entries in a new file with CA certificates are appended to the existing list.

For Wi-Fi connection

We recommend that you add a trusted CA certificate for each Board, Desk, or Room Series device, if your network uses WPA-EAP authentication. You must do this individually for each device, and before you connect to Wi-Fi.

To add certificates for your Wi-Fi connection, you need the following files:

  • CA certificate list (file format: .PEM)

  • Certificate (file format: .PEM)

  • Private key, either as a separate file or included in the same file as the certificate (file format: .PEM)

  • Passphrase (required only if the private key is encrypted)

The certificate and the private key are stored in the same file on the device. If authentication fails, the connection will not be established.


Private key and passphrase are not applied to connected peripherals.

Add certificates on Board, Desk, and Room Series devices

1. From the customer view in https://admin.webex.com, go to the Devices page, and select your device in the list. Go to Support and launch Local Device Controls.

   If you have set up a local Admin user on the device, you can access the web interface directly by opening a web browser and typing in http(s)://<endpoint ip or hostname>.

2. Navigate to Security > Certificates > Custom > Add Certificate and upload your CA root certificate(s).

3. Using OpenSSL, generate a private key and a certificate request. Copy the content of the certificate request, and then paste it to request the server certificate from your certificate authority (CA).

4. Download the server certificate signed by your CA. Ensure that it is in .PEM format.

5. Navigate to Security > Certificates > Services > Add Certificate and upload the private key and the server certificate.

6. Enable the services that you want to use for the certificate you just added.
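
The following shell functions are an added example, not part of the original Cisco procedure: they cover steps 3 to 5 with the `openssl` command line, generating the key and certificate request and checking the signed certificate before it is uploaded. The directory, file names, subject, and the throwaway CA that stands in for your real CA are assumptions made so the example runs offline.

```shell
#!/usr/bin/env bash
# Added example: prepare and pre-check the files for steps 3 to 5.
# Directory, file names and subject are placeholders.

# Step 3: new RSA key (unencrypted, readable by owner only) and a CSR for it.
make_key_and_csr() {  # usage: make_key_and_csr <dir> <common-name>
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$1/device.key" -out "$1/device.csr" 2>/dev/null )
}

# Constructed stand-in for your real CA, only so the example runs offline.
sign_with_throwaway_ca() {  # usage: sign_with_throwaway_ca <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/device.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/device.pem" 2>/dev/null
}

# Step 4: succeeds only if the file has a PEM certificate header and parses
# as an X.509 certificate (a DER file or a CSR is rejected).
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    openssl x509 -in "$1" -noout 2>/dev/null
}

# Before step 5: succeeds only if the certificate holds the public key that
# belongs to the private key, so a mismatched pair is caught before upload.
cert_matches_key() {  # usage: cert_matches_key <cert.pem> <key.pem>
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo in a scratch directory that is removed afterwards.
run_demo() {
  local d; d=$(mktemp -d) || return 1
  make_key_and_csr "$d" "room-device.example.test" &&
    sign_with_throwaway_ca "$d" &&
    is_pem_cert "$d/device.pem" &&
    cert_matches_key "$d/device.pem" "$d/device.key" &&
    echo "certificate and key are a matching PEM pair"
  local rc=$?; rm -rf "$d"; return "$rc"
}
```

In a real deployment, replace `sign_with_throwaway_ca` with the submission of `device.csr` to your CA, then run `is_pem_cert` and `cert_matches_key` on the certificate you download.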

Simple Certificate Enrollment Protocol (SCEP)

Simple Certificate Enrollment Protocol (SCEP) provides an automated mechanism for enrolling and refreshing certificates that are used, for example, for 802.1X authentication on devices. SCEP allows you to maintain the device's access to secure networks without manual intervention.

  • When the device is new, or has been factory reset, it needs network access to reach the SCEP URL. The device should be connected to the network without 802.1X to obtain an IP address.

  • If using a wireless enrollment SSID, you need to go through the onboarding screens to configure the connection with the network.

  • Once you are connected to the provisioning network, the device doesn't need to be on a particular onboarding screen at this stage.

  • To fit all deployments, the SCEP Enrollment xAPIs will not store the CA certificate that is used to sign the device certificate. For server authentication, the CA certificate that is used to validate the server’s certificate needs to be added with xCommand Security Certificates CA Add.

Prerequisites

You need the following information:

  • SCEP Server's URL.

  • Fingerprint of the signing CA (Certificate Authority) certificate.

  • Information of the certificate to enroll. This makes up the Subject Name of the certificate.

    • Common name

    • Country name

    • Organization name

  • SCEP Server's challenge password if you have configured the SCEP Server to enforce an OTP or Shared Secret.

The certificate request that we send asks for a certificate expiry of one year. The server-side policy can change the expiry date during certificate signing.

Ethernet connection

When a device is connected to a network, make sure it can access the SCEP server. The device should be connected to a network without 802.1X to obtain an IP address. The device's MAC address may need to be provided to the provisioning network in order to obtain an IP address. The MAC address can be found on the UI or on the label at the back of the device.

After the device is connected to the network, you can SSH to the device as admin to access TSH, then run the following command to send the Enrollment SCEP Request:
xCommand Security Certificates Services Enrollment SCEP Request 

Once the SCEP Server returns the signed device certificate, activate 802.1X and then reboot the device.

Activate the signed certificate:
xCommand Security Certificates Services Activate 

Reboot the device after activating the certificate.

Wireless connection

When a device is connected to a wireless network, make sure it can access the SCEP server.

After the device is connected to the network, you can SSH to the device as admin to access TSH, then run the following command to send the Enrollment SCEP Request:
xCommand Security Certificates Services Enrollment SCEP Request 

The device receives the signed certificate from the SCEP server.

Activate the signed certificate:
xCommand Security Certificates Services Activate

After activating, you need to configure the Wi-Fi network with EAP-TLS authentication:
xCommand Network Wifi Configure

By default, the Wi-Fi configuration skips server validation checks. If only one-way authentication is required, keep AllowMissingCA at its default value, True.

To force server validation, ensure that the AllowMissingCA optional parameter is set to False. If a connection cannot be established due to service validation errors, check that the correct CA has been added to verify the server certificate. This CA may be different from the one used for the device certificate.
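
The following shell functions are an added example, not part of the original Cisco documentation: an offline pre-check, run on a workstation before AllowMissingCA is set to False, that the CA list you added can validate the authentication server's certificate. It assumes the `openssl` command line and PEM copies of the CA list, the device certificate and the server certificate; the file names are placeholders, and the check uses OpenSSL's chain validation, not the device's own logic.

```shell
#!/usr/bin/env bash
# Added example: pre-check before setting AllowMissingCA to False.
# All file names are placeholders for PEM files you already hold.

# Prints the issuer DN of a PEM certificate.
issuer_of() { openssl x509 -in "$1" -noout -issuer 2>/dev/null; }

# Succeeds only if <cert.pem> chains to a CA in <ca-list.pem>.
# -no-CApath: do not fall back to the system CA directory.
chains_to() {  # usage: chains_to <ca-list.pem> <cert.pem>
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Reports whether the CA list added for the device is also enough to
# validate the server certificate, and flags differing issuers.
precheck_server_validation() {  # args: <ca-list.pem> <device.pem> <server.pem>
  if [ "$(issuer_of "$2")" != "$(issuer_of "$3")" ]; then
    echo "note: server and device certificates have different issuers"
  fi
  if chains_to "$1" "$3"; then
    echo "ok: server certificate validates against the CA list"
  else
    echo "fail: add the CA that issued the server certificate"
    return 1
  fi
}
```

Call it as `precheck_server_validation ca-list.pem device.pem server.pem`; a non-zero return means the CA list is missing the issuer of the server certificate.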

API descriptions

Role: Admin, Integrator

xCommand Security Certificates Services Enrollment SCEP Request

Requests and downloads a signed device certificate.

Parameters:

  • URL(r): <S: 0, 128>

    SCEP server URL used to enroll a certificate.

  • Fingerprint(r): <S: 0, 128>

    The Issuing CA's Fingerprint that will sign the X509 Request.

  • ChallengePassword: <S: 0, 128>

    Shared Secret password set by the SCEP Server.

  • CommonName(r): <S: 0, 128>

  • CountryName: <S: 0, 128>

  • OrganizationName: <S: 0, 128>

  • SanDns[5]: <S: 0, 128>

  • SanEmail[5]: <S: 0, 128>

  • SanIp[5]: <S: 0, 128>

  • SanUri[5]: <S: 0, 128>

xCommand Security Certificates Services Enrollment SCEP Renewal Request

Create or update an autorenewal profile that is applied to all certificates issued by the given CA before the certificates expire.

Parameters:

  • Fingerprint(r): <S: 0, 128>

    The issuing CA's fingerprint that signed the certificates.

  • URL(r): <S: 0, 128>

    SCEP server URL used to renew the certificates.

xCommand Security Certificates Services Enrollment SCEP Renewal Delete

Remove the autorenewal profile for the given CA. This stops the certificates that are signed by this CA from autorenewing.

Parameters:

  • Fingerprint(r): <S: 0, 128>

    The issuing CA's fingerprint to remove.

xCommand Security Certificates Services Enrollment SCEP Renewal List

List all currently used autorenew profiles.