Using External Certificates

You can manage the EAP-TLS certificates either by generating your own self-signed certificates or obtaining certificates from a trusted Certificate Authority (CA) such as Microsoft Certificate Authority.

To configure your authentication server for EAP-TLS using external certificates, perform the following:

  1. Generate the new EAP-TLS certificates.
    Note: Note down the password used to encrypt the client key. You will need to enter this password for the Client Key Password property.
  2. Download the server certificates to your authentication server.
  3. Copy the Root CA certificate, the client certificate, and the client key to the vocera\config\gen3\badge\res\certificates\EAP-TLS and vocera\config\gen5\badge\data\res\certificates\EAP-TLS folder for B3000n and v5000 respectively, on the Vocera Voice Server and the configuration computer.
    Note: The certificates for the device must be in PEM format.
  4. Rename the files with the following names:
    • rootca_cert―The root CA certificate
    • client_cert―The client certificate
    • client_key―The client-key
  5. Add username to your authentication server database that the badges will use for authentication. Choose any password for this user.
  6. Run the Badge Properties Editor on the configuration computer.
  7. For B3000 and B3000n, click Security, and specify the following badge properties:
    • Authentication—EAP-TLS

    • Use Custom EAP-TLS Certificates—checked

    • Encryption—TKIP-WPA or AES-CCMP

  8. For V5000, click Security, and specify the following badge properties:
    • Authentication—WPA-EAP

    • EAP Method—TLS
    • Use Custom EAP-TLS Certificates—checked

    • Encryption—CCMP or TKIP

  9. Save the badge.properties file, and copy it to your Vocera Voice Server computers.
  10. Stop and start the Vocera Voice Server.
    Vocera devices are automatically updated, and are authenticated with the authentication server.
    Note: To use unique certificate for the device, use the certificate generation tool that is provided with the BCU.