Using External Certificates

You can manage the EAP-TLS certificates either by generating your own self-signed certificates or obtaining certificates from a trusted Certificate Authority (CA) such as Microsoft Certificate Authority.

To configure your authentication server for EAP-TLS using external certificates, perform the following:

  1. Generate the new EAP-TLS certificates.
    Note: Record the password used to encrypt the client key. You will need to enter it for the Client Key Password property.
  2. Download the server certificates to your authentication server.
  3. Copy the Root CA certificate, the client certificate, and the client key to the %VOCERA_DRIVE%\vocera\config\gen3\badge\res\certificates\EAP-TLS folder on the Vocera Voice Server and the configuration computer.
    Note: The certificates for the client (badge) side must be in PEM format.
  4. Rename the files with the following names:
    File          Description
    rootca_cert   This file is a root CA certificate.
    client_cert   This file is a client certificate.
    client_key    This file is a client private key.

  5. Add a username to your authentication server database that the badges will use for authentication. Choose any password for this user.
  6. Run the Badge Properties Editor on the configuration computer.
  7. Click Security, and specify the following B3000n and B3000 badge properties:
    • Authentication—EAP-TLS

    • Use Custom EAP-TLS Certificates—checked

    • User Name—Username created on the authentication server

    • Client Key Password—Password used to encrypt the client key

    • Encryption—TKIP-WPA or AES-CCMP

  8. Save the badge.properties file, and copy it to your Vocera Voice Server computers.
  9. Stop and start the Vocera Voice Server.
    B3000n and B3000 badges are automatically updated, and are authenticated with the authentication server.
    Note: To use a unique certificate for each B3000 and B3000n badge, use the certificate generation tool that is provided with the BCU.
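
The following pre-flight check for steps 3 and 4 is an added example, not part of the Vocera tooling. It confirms that the three badge-side files exist under the names listed above, are PEM rather than DER, and that the client key is password-encrypted. It assumes the files carry no extension, as the table shows them, and it treats an unencrypted key as a finding because step 7 expects a Client Key Password. It does not verify that the key matches the certificate or that the certificate chains to the root CA.

```python
import base64, re, sys, tempfile
from pathlib import Path

# File names from step 4, mapped to the PEM labels acceptable for each.
EXPECTED = {"rootca_cert": {"CERTIFICATE"}, "client_cert": {"CERTIFICATE"},
            "client_key": {"ENCRYPTED PRIVATE KEY", "PRIVATE KEY",
                           "RSA PRIVATE KEY", "EC PRIVATE KEY"}}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def check_file(path, labels):
    """Return a list of problems for one file; an empty list means it passed."""
    if not path.is_file():
        return ["missing"]
    data = path.read_bytes()
    if data[:1] == b"\x30":  # raw DER starts with an ASN.1 SEQUENCE tag
        return ["binary DER, not PEM"]
    m = PEM_RE.search(data)
    if not m:
        return ["no PEM BEGIN/END block"]
    label = m.group(1).decode()
    lines = [l.strip() for l in m.group(2).splitlines() if l.strip()]
    # Legacy OpenSSL keys put Proc-Type/DEK-Info headers before the base64 body.
    headers = [l for l in lines if b":" in l]
    legacy_enc = any(h.startswith(b"Proc-Type: 4,ENCRYPTED") for h in headers)
    problems = [] if label in labels else [f"unexpected PEM type {label!r}"]
    try:
        der = base64.b64decode(b"".join(l for l in lines if b":" not in l), validate=True)
        if not legacy_enc and der[:1] != b"\x30":  # legacy body is ciphertext
            problems.append("body is not ASN.1 DER")
    except ValueError:
        problems.append("body is not valid base64")
    if "PRIVATE KEY" in label and label != "ENCRYPTED PRIVATE KEY" and not legacy_enc:
        problems.append("key is not password-encrypted")
    return problems

def check_folder(folder):
    """Check all three badge-side files in the EAP-TLS certificates folder."""
    return {n: check_file(Path(folder) / n, l) for n, l in EXPECTED.items()}

def make_demo():
    """Constructed sample folder: placeholder bodies, not real certificates."""
    d = Path(tempfile.mkdtemp())
    for name, label in [("rootca_cert", "CERTIFICATE"), ("client_cert", "CERTIFICATE"),
                        ("client_key", "PRIVATE KEY")]:  # key deliberately unencrypted
        (d / name).write_text(f"-----BEGIN {label}-----\nMAMCAQA=\n-----END {label}-----\n")
    return d

if __name__ == "__main__":  # pass the certificates folder, or run on the demo
    folder = sys.argv[1] if len(sys.argv) > 1 else make_demo()
    for name, problems in check_folder(folder).items():
        print(f"{name}: {'; '.join(problems) or 'OK'}")
```

Run it with the EAP-TLS certificates folder as the only argument on both the Vocera Voice Server and the configuration computer before restarting the server.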