Cisco Cisco TelePresence MCU 4510 Maintenance Manual
Configuring SSL certificates
The MCU supports certificate-based user authentication over HTTPS, and is capable of mutual TLS
authentication with the client. The client presents a certificate, signed by a certificate authority (CA), which
the MCU trusts if it recognizes the CA from its trust store. Similarly, the client requests the MCU's local
certificate and checks the signing CA against its own trust store.
authentication with the client. The client presents a certificate, signed by a certificate authority (CA), which
the MCU trusts if it recognizes the CA from its trust store. Similarly, the client requests the MCU's local
certificate and checks the signing CA against its own trust store.
To manage the MCU's local certificate and its trust stores for HTTPS and SIP TLS, and optionally to
configure OCSP checks (Online Certificate Status Protocol) for HTTPS connections, go to
configure OCSP checks (Online Certificate Status Protocol) for HTTPS connections, go to
Network > SSL
certificates
.
The SSL certificates page is also used to allow or enforce certificate-based login in place of standard,
password-based login. Any attempts to authenticate with a revoked certificate are recorded in the MCU's
password-based login. Any attempts to authenticate with a revoked certificate are recorded in the MCU's
Audit log
.
In this topic:
n
n
n
n
n
n
n
n
Prerequisites
You should have your own local certificate and trust store(s), which must be in .pem format (Base64 encoded
text).
text).
HTTPS access to the web user interface requires the following prerequisites:
n
The Secure management (HTTPS) or Encryption feature key must be installed on the MCU.
n
HTTPS must be enabled on the
Network > Services
page.
To make SIP TLS calls between the MCU and remote parties requires the following prerequisites:
n
The Encryption feature key must be installed on the MCU.
n
A SIP username and password that are known by the registrar must be added to the
Settings > SIP
page.
n
The Encrypted SIP (TLS) checkbox on the
Network > Services
page should be checked, for either IPv4
or IPv6, or both (depending on your requirements).
n
The Use local certificate for outgoing connections and registrations checkbox should be checked if
your environment dictates that the SIP registrar must receive the MCU's certificate.
your environment dictates that the SIP registrar must receive the MCU's certificate.
Caution: A local certificate and private key are pre-installed on the MCU and are used by default for HTTPS
access. As all MCUs have identical default certificates and keys, to ensure security we recommend that you
replace it with your organization's own certificate and private key (see below).
access. As all MCUs have identical default certificates and keys, to ensure security we recommend that you
replace it with your organization's own certificate and private key (see below).
Cisco TelePresence MCU Series 4.5 Online Printable Help
Page 265 of 278
Advanced topics
Configuring SSL certificates