Certificates on Board, Desk, and Room Series devices
You can add 802.1X (wired or Wi-Fi) or HTTPS certificates to individual devices and connected peripherals.
You can add certificates from the device's local web interface. Alternatively, you can add certificates by running API commands. To see which commands allow you to add certificates, see roomos.cisco.com.
Service certificates and trusted CAs
Certificate validation may be required when using TLS (Transport Layer Security). A server or client may require that the device present a valid certificate before communication is set up.
The certificates are text files that verify the authenticity of the device. They must be signed by a trusted certificate authority (CA). To verify the signature of the certificates, a list of trusted CAs must reside on the device. The list must include all CAs needed to verify certificates for both audit logging and other connections.
Certificates are used for the following services: HTTPS server, SIP, IEEE 802.1X, and audit logging. You can store several certificates on the device, but only one certificate is enabled for each service at a time.
On RoomOS October 2023 and later, when you add a CA certificate to a device, it is also applied to a Room Navigator if one is connected. To sync the previously added CA certificates to a connected Room Navigator, you must reboot the device. If you don't want the peripherals to get the same certificates as the device they're connected to, set the configuration Peripherals Security Certificates SyncToPeripherals to False.
Previously stored certificates are not deleted automatically. The entries in a new file with CA certificates are appended to the existing list.
For Wi-Fi connection
We recommend that you add a trusted CA certificate for each Board, Desk, or Room Series device, if your network uses WPA-EAP authentication. You must do this individually for each device, and before you connect to Wi-Fi.
To add certificates for your Wi-Fi connection, you need the following files:
- CA certificate list (file format: .PEM)
- Certificate (file format: .PEM)
- Private key, either as a separate file or included in the same file as the certificate (file format: .PEM)
- Passphrase (required only if the private key is encrypted)
The certificate and the private key are stored in the same file on the device. If authentication fails, the connection will not be established.
Private key and passphrase are not applied to connected peripherals.
Add certificates on Board, Desk, and Room Series devices
1. From the customer view in https://admin.webex.com, go to the Devices page, and select your device in the list. Go to Support and launch Local Device Controls. If you have set up a local Admin user on the device, you can access the web interface directly by opening a web browser and typing in http(s)://<endpoint ip or hostname>.
2. Navigate to and upload your CA root certificate(s).
3. Using openssl, generate a private key and certificate request. Copy the content of the certificate request, and paste it to request the server certificate from your certificate authority (CA).
4. Download the server certificate signed by your CA. Ensure that it is in .PEM format.
5. Navigate to and upload the private key and the server certificate.
6. Enable the services that you want to use for the certificate you just added.
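The file requirements listed under "For Wi-Fi connection" (CA list, certificate, private key, optional passphrase, all in .PEM) and step 4's "ensure that it is in .PEM format" are easy to get wrong before an upload. The following Python script is an added example, not part of this article or of RoomOS: it checks a file offline for PEM armor, counts certificates and private keys, reports whether the private key is encrypted (which is exactly when the passphrase is required), and prints a SHA-256 fingerprint of each certificate's DER body. The sample inputs are constructed and are not real certificates or keys, and since this page does not state which hash algorithm a SCEP server expects for a CA fingerprint, SHA-256 is an assumption.

```python
import base64
import hashlib
import re

# One PEM armor block; the label on the END line must match the BEGIN line.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE", "X509 CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return one dict per PEM block: label, RFC 1421-style headers, decoded DER."""
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label = match.group(1)
        lines = [line.strip() for line in match.group(2).splitlines()]
        while lines and lines[0] == "":          # drop the newline after BEGIN
            lines.pop(0)
        headers = {}
        # Legacy encrypted keys carry "Key: value" header lines (for example
        # "Proc-Type: 4,ENCRYPTED"), then a blank line, before the base64 body.
        while lines and ":" in lines[0]:
            key, _, value = lines[0].partition(":")
            headers[key.strip()] = value.strip()
            lines.pop(0)
        der = base64.b64decode("".join(lines))
        blocks.append({"label": label, "headers": headers, "der": der})
    return blocks


def sha256_fingerprint(der):
    """Colon-separated SHA-256 of the DER bytes (assumption: the hash the CA reports)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_pem_file(data):
    """Classify a file (bytes) that is about to be uploaded to the device."""
    if data.lstrip()[:1] == b"\x30" and b"-----BEGIN" not in data:
        # 0x30 opens an ASN.1 SEQUENCE: this is binary DER, not the required .PEM.
        return {"is_pem": False, "looks_der": True}
    blocks = parse_pem(data.decode("ascii", errors="replace"))
    if not blocks:
        return {"is_pem": False, "looks_der": False}
    certs = [b for b in blocks if b["label"] in CERT_LABELS]
    keys = [b for b in blocks if b["label"] in KEY_LABELS]
    # PKCS#8 encrypted keys use the ENCRYPTED PRIVATE KEY label; legacy
    # OpenSSL keys signal encryption through the Proc-Type header instead.
    encrypted = any(
        b["label"] == "ENCRYPTED PRIVATE KEY"
        or b["headers"].get("Proc-Type", "").endswith("ENCRYPTED")
        for b in keys
    )
    return {
        "is_pem": True,
        "looks_der": False,
        "certificates": len(certs),
        "private_keys": len(keys),
        "passphrase_required": encrypted,
        "cert_and_key_in_one_file": bool(certs) and bool(keys),
        "fingerprints": [sha256_fingerprint(b["der"]) for b in certs],
    }


def _pem(label, payload, headers=""):
    """Build a syntactically valid PEM block around constructed (fake) content."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed sample inputs: valid PEM framing, but not real credentials.
SAMPLE_CERT = _pem("CERTIFICATE", b"constructed: not a real certificate")
SAMPLE_PLAIN_KEY = _pem("PRIVATE KEY", b"constructed: not a real key")
SAMPLE_LEGACY_ENCRYPTED_KEY = _pem(
    "RSA PRIVATE KEY", b"constructed: not a real key",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")
SAMPLE_PKCS8_ENCRYPTED_KEY = _pem("ENCRYPTED PRIVATE KEY", b"constructed: not a real key")

if __name__ == "__main__":
    for name, content in [("cert+encrypted key", SAMPLE_CERT + SAMPLE_LEGACY_ENCRYPTED_KEY),
                          ("plain key only", SAMPLE_PLAIN_KEY)]:
        print(name, inspect_pem_file(content.encode()))
```

If the report says `looks_der`, convert the file before uploading (for example with `openssl x509 -inform DER -in cert.der -out cert.pem`); if it says `passphrase_required`, have the passphrase ready, because the device needs it to use the key.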
Simple Certificate Enrollment Protocol (SCEP)
Simple Certificate Enrollment Protocol (SCEP) provides an automated mechanism for enrolling and refreshing certificates that are used, for example, for 802.1X authentication on devices. SCEP allows you to maintain the device's access to secure networks without manual intervention.
- When the device is new, or has been factory reset, it needs network access to reach the SCEP URL. The device should be connected to the network without 802.1X to obtain an IP address.
- If using a wireless enrollment SSID, you need to go through the onboarding screens to configure the connection with the network.
- Once you are connected to the provisioning network, the device doesn't need to be on a particular onboarding screen at this stage.
- To fit all deployments, the SCEP Enrollment xAPIs will not store the CA certificate that is used to sign the device certificate. For server authentication, the CA certificate that is used to validate the server's certificate needs to be added with xCommand Security Certificates CA Add.
Prerequisites
You need the following information:
- SCEP server's URL.
- Fingerprint of the signing CA (Certificate Authority) certificate.
- Information for the certificate to enroll. This makes up the Subject Name of the certificate:
  - Common name
  - Country name
  - State or Province name
  - Locality name
  - Organization name
  - Organizational unit
  The subject name will be ordered as /C= /ST= /L= /O= /OU= /CN=
- SCEP server's challenge password, if you have configured the SCEP server to enforce an OTP or Shared Secret.
You can set the key size for the certificate request keypair using the following configuration. The default is 2048.
xConfiguration Security Enrollment KeySize: <2048, 3072, 4096>
The certificate request asks for a validity period of one year. The server-side policy can change the expiry date when the certificate is signed.
Ethernet connection
When a device is connected to a network, make sure it can access the SCEP server. The device should be connected to a network without 802.1X to obtain an IP address. The device's MAC address may need to be provided to the provisioning network in order to obtain an IP address. The MAC address can be found on the UI or on the label at the back of the device.
After the device is connected to the network, you can SSH to the device as admin to access TSH, then run the following command to send the Enrollment SCEP Request:
xCommand Security Certificates Services Enrollment SCEP Request
Once the SCEP server returns the signed device certificate, activate it and enable 802.1X.
Activate the signed certificate:
xCommand Security Certificates Services Activate
Reboot the device after activating the certificate.
Wireless connection
When a device is connected to a wireless network, make sure it can access the SCEP server.
After the device is connected to the network, you can SSH to the device as admin to access TSH, then run the following command to send the Enrollment SCEP Request:
xCommand Security Certificates Services Enrollment SCEP Request
The device receives the signed certificate from the SCEP server.
Activate the signed certificate:
xCommand Security Certificates Services Activate
After activating, you need to configure the Wi-Fi network with EAP-TLS authentication.
xCommand Network Wifi Configure
By default, the Wi-Fi configuration skips server certificate validation (AllowMissingCA is True), so the device does not verify the certificate presented by the network's authentication server. If only one-way authentication is required, keep the default.
To force server validation, set the optional AllowMissingCA parameter to False. If a connection then cannot be established because of server validation errors, check that the CA that issued the server certificate has been added to the device; it may differ from the CA that signed the device certificate.
API descriptions
Role: Admin, Integrator
xCommand Security Certificates Services Enrollment SCEP Request
Sends a CSR to a given SCEP server for signing. The CSR SubjectName parameters will be constructed in the following order: C, ST, L, O, OUs, CN.
Parameters:
- URL(r): <S: 0, 256>
  The URL address of the SCEP server.
- Fingerprint(r): <S: 0, 128>
  Fingerprint of the CA certificate that will sign the SCEP request CSR.
- CommonName(r): <S: 0, 64>
  Adds "/CN=" to the CSR Subject Name.
- ChallengePassword: <S: 0, 256>
  OTP or Shared Secret from the SCEP server for access to sign.
- CountryName: <S: 0, 2>
  Adds "/C=" to the CSR Subject Name.
- StateOrProvinceName: <S: 0, 64>
  Adds "/ST=" to the CSR Subject Name.
- LocalityName: <S: 0, 64>
  Adds "/L=" to the CSR Subject Name.
- OrganizationName: <S: 0, 64>
  Adds "/O=" to the CSR Subject Name.
- OrganizationalUnit[5]: <S: 0, 64>
  Adds up to 5 "/OU=" parameters to the CSR Subject Name.
- SanDns[5]: <S: 0, 64>
  Adds up to 5 DNS entries to the CSR Subject Alternative Name.
- SanEmail[5]: <S: 0, 64>
  Adds up to 5 email entries to the CSR Subject Alternative Name.
- SanIp[5]: <S: 0, 64>
  Adds up to 5 IP entries to the CSR Subject Alternative Name.
- SanUri[5]: <S: 0, 64>
  Adds up to 5 URI entries to the CSR Subject Alternative Name.
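Both the note under Prerequisites (the subject is ordered /C= /ST= /L= /O= /OU= /CN=) and the parameter limits above are worth checking before a request is sent, because a rejected CSR on a device that is still on the provisioning network costs a round trip. The Python helper below is an added example, not the device's own code: it assembles the subject in the documented order, treats CommonName as the only required component, enforces the two-character CountryName, the 64-character string limits, and the five-entry cap on OrganizationalUnit and the SAN lists. Refusing a "/" inside a subject component is an assumption; this page does not describe any escaping.

```python
# Maximum string lengths as documented for the SCEP Request parameters.
MAX_LEN = {
    "CountryName": 2,
    "StateOrProvinceName": 64,
    "LocalityName": 64,
    "OrganizationName": 64,
    "OrganizationalUnit": 64,
    "CommonName": 64,
    "SanDns": 64,
    "SanEmail": 64,
    "SanIp": 64,
    "SanUri": 64,
}
# OrganizationalUnit[5], SanDns[5], SanEmail[5], SanIp[5], SanUri[5]
MAX_ARRAY_ITEMS = 5


def _check_value(param, value, subject_component=True):
    """Reject values outside the documented <S: 0, N> limit."""
    if not isinstance(value, str):
        raise ValueError(f"{param}: expected a string")
    if len(value) > MAX_LEN[param]:
        raise ValueError(f"{param}: longer than {MAX_LEN[param]} characters")
    # Assumption: the page does not say how '/' inside a subject component is
    # escaped, so refuse it rather than build an ambiguous "/OU=a/b" subject.
    if subject_component and "/" in value:
        raise ValueError(f"{param}: '/' is not allowed in a subject component")
    return value


def _check_array(param, values, subject_component=True):
    """Enforce the [5] element limit for array-valued parameters."""
    values = list(values)
    if len(values) > MAX_ARRAY_ITEMS:
        raise ValueError(f"{param}: at most {MAX_ARRAY_ITEMS} entries are accepted")
    return [_check_value(param, v, subject_component) for v in values]


def build_subject_name(common_name, country_name=None, state_or_province_name=None,
                       locality_name=None, organization_name=None,
                       organizational_units=()):
    """Return the subject as the device constructs it: C, ST, L, O, OUs, CN.

    CommonName is the only required component; an omitted optional component
    contributes nothing to the string.
    """
    if not common_name:
        raise ValueError("CommonName is required")
    if country_name and len(country_name) != 2:
        raise ValueError("CountryName must be a two-letter country code")

    parts = []
    for prefix, param, value in (
        ("C", "CountryName", country_name),
        ("ST", "StateOrProvinceName", state_or_province_name),
        ("L", "LocalityName", locality_name),
        ("O", "OrganizationName", organization_name),
    ):
        if value:
            parts.append(f"/{prefix}={_check_value(param, value)}")
    for ou in _check_array("OrganizationalUnit", organizational_units):
        parts.append(f"/OU={ou}")
    parts.append(f"/CN={_check_value('CommonName', common_name)}")
    return "".join(parts)


def validate_san_lists(san_dns=(), san_email=(), san_ip=(), san_uri=()):
    """Apply the same [5] x <S: 0, 64> limits to the Subject Alternative Name lists.

    SAN values are not subject components, so '/' is legitimate there (URIs).
    """
    return {
        "SanDns": _check_array("SanDns", san_dns, subject_component=False),
        "SanEmail": _check_array("SanEmail", san_email, subject_component=False),
        "SanIp": _check_array("SanIp", san_ip, subject_component=False),
        "SanUri": _check_array("SanUri", san_uri, subject_component=False),
    }


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    print(build_subject_name("room-1.example.com", country_name="US",
                             state_or_province_name="California", locality_name="San Jose",
                             organization_name="Example Corp",
                             organizational_units=["Video", "Labs"]))
    print(validate_san_lists(san_dns=["room-1.example.com"]))
```

The same limits apply whether you type the command in TSH or send it over the API; checking them locally first tells you which parameter the device will object to before the CSR ever leaves the device.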
xCommand Security Certificates Services Enrollment Profiles Delete
Deletes an enrollment profile so that its certificates are no longer renewed.
Parameters:
- Fingerprint(r): <S: 0, 128>
  The unique identifier for the certificate that is deleted. You can get the fingerprint ID by running:
  xCommand Security Certificates Services Show
xCommand Security Certificates Services Enrollment Profiles List
Lists enrollment profiles for certificate renewal.
xCommand Security Certificates Services Enrollment SCEP Profiles Set
Parameters:
- Fingerprint(r): <S: 0, 128>
- URL(r): <S: 0, 256>
Add new certificate
Renewal
xCommand Security Certificates Services Enrollment SCEP Profiles Set
In order to automatically renew the certificate, the device needs to be able to access the SCEP URL that can re-sign the certificate.
Once daily, the device checks for certificates that will expire within 45 days. The device then attempts to renew these certificates if their issuer matches a profile.
NOTE: All device certificates are checked for renewal, even if the certificate wasn't originally enrolled using SCEP.
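To see which certificates the daily check described above would pick up, and which would expire without a matching profile, here is a Python model of the rule. It is an added example, not the device's implementation: certificates and profiles are constructed sample data, the 45-day window and the issuer-to-profile match are the page's rule, and treating an already expired certificate as due is an assumption the page does not state.

```python
from datetime import datetime, timedelta, timezone

# Documented: once a day the device looks for certificates expiring within 45 days.
RENEWAL_WINDOW = timedelta(days=45)

# Constructed sample data, not from a real device. A profile maps the fingerprint
# of an issuing CA to the SCEP URL that can re-sign certificates it issued (the
# two parameters of "xCommand ... Enrollment SCEP Profiles Set").
PROFILES = {
    "CONSTRUCTED-CA-FINGERPRINT-1": "https://scep.example.internal/scep",
}

DEVICE_CERTIFICATES = [
    {"fingerprint": "CONSTRUCTED-CERT-A", "issuer_fingerprint": "CONSTRUCTED-CA-FINGERPRINT-1",
     "not_after": datetime(2024, 2, 10, tzinfo=timezone.utc), "enrolled_via_scep": True},
    {"fingerprint": "CONSTRUCTED-CERT-B", "issuer_fingerprint": "CONSTRUCTED-CA-FINGERPRINT-1",
     "not_after": datetime(2024, 6, 1, tzinfo=timezone.utc), "enrolled_via_scep": True},
    # Issuer has no profile: inside the window it will NOT be renewed.
    {"fingerprint": "CONSTRUCTED-CERT-C", "issuer_fingerprint": "CONSTRUCTED-CA-FINGERPRINT-2",
     "not_after": datetime(2024, 1, 20, tzinfo=timezone.utc), "enrolled_via_scep": False},
    # Uploaded manually, not enrolled via SCEP, but still checked (per the NOTE above).
    {"fingerprint": "CONSTRUCTED-CERT-D", "issuer_fingerprint": "CONSTRUCTED-CA-FINGERPRINT-1",
     "not_after": datetime(2024, 1, 30, tzinfo=timezone.utc), "enrolled_via_scep": False},
]

# Fixed "today" for the sample run so results are reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def daily_renewal_check(certificates, profiles, now):
    """Model the documented daily check.

    Returns (renewals, unmatched): renewals is a list of (certificate fingerprint,
    SCEP URL) pairs the device would try to renew; unmatched lists certificates
    that are inside the 45-day window but whose issuer has no enrollment profile,
    so they would run out without renewal. enrolled_via_scep is deliberately
    never consulted: the page states that all device certificates are checked.
    Assumption: a certificate that has already expired is still treated as due.
    """
    renewals, unmatched = [], []
    for cert in certificates:
        if cert["not_after"] - now > RENEWAL_WINDOW:
            continue  # not due yet
        url = profiles.get(cert["issuer_fingerprint"])
        if url is None:
            unmatched.append(cert["fingerprint"])
        else:
            renewals.append((cert["fingerprint"], url))
    return renewals, unmatched


if __name__ == "__main__":
    renew, gaps = daily_renewal_check(DEVICE_CERTIFICATES, PROFILES, SAMPLE_NOW)
    for fingerprint, url in renew:
        print(f"renew {fingerprint} via {url}")
    for fingerprint in gaps:
        print(f"WARNING: {fingerprint} expires within 45 days and no profile matches its issuer")
```

The `unmatched` list is the one to watch in operations: a certificate whose issuing CA was never registered with Profiles Set will expire quietly, so compare the issuer fingerprints from xCommand Security Certificates Services Show against the output of Enrollment Profiles List.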
Navigator
- Direct Paired: Enrolled certificates can be activated as the "Pairing" certificate.
- Remote Paired: Tell the Navigator to enroll a new SCEP certificate using the peripheral's ID:
  xCommand Peripherals Security Certificates Services Enrollment SCEP Request
  Enrollment profiles are automatically synchronized to the paired Navigator.
- Stand-alone Navigator: Same as codec enrollment.