MCU 4505

Configuring SSL certificates

If the MCU has the Secure management (HTTPS) or Encryption feature key installed, and you enable Secure web on the Network > Services page, you can access the web interface of the MCU using HTTPS. The MCU has a local certificate and private key pre-installed, and these are used by default when you access the unit using HTTPS. However, because all MCUs have identical default certificates and keys, we recommend that you upload your own certificate and private key to ensure security.

To upload your own certificate and key, go to Network > SSL certificates. Complete the fields using the table below for help and click Upload certificate and key. Note that you must upload a certificate and key simultaneously. After uploading a new certificate and key, you must restart the MCU.

If you have uploaded your own certificate and key, you can remove it later if necessary; to do this, click Delete custom certificate and key.


Note: A certificate and key are also required if you choose to use the SIP TLS service in Network > Services.

The table below details the fields you see on the Network > SSL certificates page.

Field Field description Usage tips
Local certificate
Subject

The details of the business to which the certificate has been issued:

  • C: the country where the business is registered
  • ST: the state or province where the business is located
  • L: the locality or city where the business is located
  • O: the legal name of the business
  • OU: the organizational unit or department
  • CN: the common name for the certificate, or the domain name
 
Issuer

The details of the issuer of the certificate.

Where the certificate has been self-issued, these details will be the same as for the Subject.

Issued

The date on which the certificate was issued.

 
Expires

The date on which the certificate will expire.

 
Private key

Whether the private key matches the certificate.

Your web browser uses the SSL certificate's public key to encrypt the data that it sends back to the MCU. The private key is used by the MCU to decrypt that data. If the Private key field shows 'Key matches certificate' then the data is securely encrypted in both directions.

Local certificate configuration
Certificate

If your organization has bought a certificate, or you have your own way of generating certificates, you can upload it. Browse to find the certificate file.

 
Private key

Browse to find the private key file that accompanies your certificate.

 
Private key encryption password

If your private key is stored in an encrypted format, you must enter the password here so that you can upload the key to the MCU.

 
Trust store
Subject

The details of the business to which the trust store certificate has been issued:

  • C: the country where the business is registered
  • ST: the state or province where the business is located
  • L: the locality or city where the business is located
  • O: the legal name of the business
  • OU: the organizational unit or department
  • CN: the common name for the certificate, or the domain name

 

Issuer

The details of the issuer of the trust store certificate.

Where the certificate has been self-issued, these details will be the same as for the Subject.

Issued

The date on which the trust store certificate was issued.

 
Expires

The date on which the trust store certificate will expire.

 
Trust store

You can upload a 'trust store' of certificates that the MCU will use to verify the identity of the other end of a TLS connection.

If you have a trust store certificate on the MCU, you can delete it; to do so, click Delete trust store.

The trust store must be in '.pem' format.

Note that uploading a new trust store replaces the existing store.

Certificate verification settings

Choose to what extent the MCU will verify the identity of the far end for a connection:

  • No verification: all outgoing connections are permitted to proceed, even if the far end does not present a valid and trusted certificate.
  • Outgoing connections only: outgoing connections are only permitted if the far end has a certificate which is trusted.
  • Outgoing connections and incoming calls: outgoing connections and incoming connections for SIP calls using TLS must have a certificate which is trusted; otherwise, the MCU will not allow the connection to proceed.

 

The trust store contains 'master' certificates that can be used to verify the identity of a certificate presented by the far end.

Outgoing connections are connections such as SIP calls which use TLS.
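
Before uploading, the certificate, private key and trust store files can be checked offline with the OpenSSL command-line tool: that the key belongs to the certificate (the same property the Private key field reports), that the certificate has not expired, and that the trust store is a PEM bundle containing no private key. This is an added example, not part of the MCU documentation; the function names and the KEY_PASSPHRASE variable are assumptions, and the files are assumed to be PEM encoded.

```sh
#!/bin/sh
# Added example: offline checks to run before uploading files to the MCU.
# Function names and KEY_PASSPHRASE are assumptions of this example.
# Usage (hypothetical file names), after sourcing this file:
#   KEY_PASSPHRASE='...' key_matches_cert mcu-cert.pem mcu-key.pem && echo "key matches"

# Succeeds (0) only when the private key's public half equals the public key
# in the certificate. Returns 1 on a mismatch and 2 when a file cannot be
# read (not PEM, or wrong passphrase for an encrypted key).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # The passphrase is taken from the environment rather than the command
    # line, so it does not appear in the process list.
    key_pub=$(KEY_PASSPHRASE="${KEY_PASSPHRASE:-}" \
        openssl pkey -in "$2" -passin env:KEY_PASSPHRASE -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints the values the SSL certificates page displays (Subject, Issuer,
# Issued, Expires) and fails if the certificate has already expired.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -startdate -enddate || return 2
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# A trust store is a PEM bundle of certificates used to verify the far end.
# It must contain at least one certificate and should never contain a
# private key (an easy mistake when concatenating files into one bundle).
truststore_ok() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}
```
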

 
