Configuring BCU for EAP-TLS with Unique Certificates

The BCU provides benefits beyond loading badge firmware and updates to the badge properties file.

Although not necessarily recommended, you can use the BCU to accept PFX (PCKS12) client certificate files and convert them to a PEM format, which is supported by Vocera devices. This is achieved by using the MAC address referenced on the certificate file name, so that certificates are pushed to the provisioned device.

To update the badge properties, perform the following steps:

  1. Open Badge Properties Editor:
    • For B3000 and B3000n, click Security configure the following settings:
      • Authentication―EAP-TLS
      • Use Custom EAP-TLS Certificates―Checked
      • User Name―<Enter username>
      • Client Key Password―<Enter password>
      • Encryption―AES-CCMP or TKIP-WPA
      • Configure the remaining values for your badge properties
      • Click OK
    • For V5000, click Security and configure the following settings:
      • AuthenticationWPA-EAP

      • EAP MethodTLS
      • Use Custom EAP-TLS CertificatesChecked

      • EncryptionCCMP or TKIP

      • Configure the remaining values for your badge properties
      • Click OK
  2. Run the bcu_certs.bat from %vocera_drive%\vocera\config.
    Press any key to continue after the command prompt window appears. For each certificate located in the certs\files folder, you will be prompted to enter the pfx’s import password if an import password has been set.
    Note: If the wrong import password is entered, the script will continue to run and the certificate will not be converted. You will need to rerun the program again.
  3. After all the passwords are entered, the Badge Configuration Utility starts up automatically and Vocera devices can be provisioned.
    The badge certificates are converted from pfx format to PEM format and are located in their own mac address folder at: %vocera_drive%\vocera\config\certs\badges. PFX certificates can be removed from the certs/files folder after conversion. The converted certificates are kept and will be loaded automatically when the BCU is restarted.