Local Network Access (LNA) Web Server Certificate support

Devices with CollabOS version 1.13 or above can now use the Web Certificate for Local Network Access. This feature allows customers to replace the original Logitech self-signed LNA Webserver certificate with their own certificate and private key.

Prerequisite

A CollabOS device running version 1.13.0 or higher
Certificate requirements:
1. A PKCS#8 RSA private key without password protection
2. Both DER and PEM formats are acceptable for the certificate and key
Local Network Access is necessary to upload the certificate

Step 1: Network Configuration

It is recommended to make sure that the CollabOS device is on a fixed IP address. Using LNA, go to Connectivity -> Network Connection, and expand the TCP/IP details, confirm that the Configuration is “Static” (This can also be configured via your dhcp server, using a reservation or static lease)

Next make sure that the hostname is configured for the device. Go to About -> Device Info -> Hostname. Fill in the hostname for the device.

Using the Hostname and the IP Address of the CollabOS device, set up DNS on your local DNS server.

Step 2: Create the LNA Certificate

A certificate with a private key is needed for this step. At this point a certificate can be obtained from a public Certificate Authority but a self signed certificate will work as long as your browser has access to the Certificate Authority (CA) and the CA key is installed as a Trusted CA on the computer you are running the browser from. A self signed certificate is the recommended approach as this is not a publicly accessible CollabOS device and will be on a local IP address. You can use either a host certificate, that is used for only one CollabOS device, or you can use a wildcard certificate. A wild card certificate would be suggested if setting up a large number of CollabOS devices.

Option 1:

One approach for this is using the OpenSSL tool. For creating a self signed certificate using OpenSSL tool in Download from Link, The CA cert and key files will also be needed in the same directory as the certificates that are created.

Generate a private key for the CollabOS device.

openssl genrsa -out VC-MTR1-Key.pem 4096

Generate a certificate request using your local CA private key.
openssl req -new -sha256 -subj "/CN=vc-mtr1" -key VC-MTR1-Key.pem -out VC-MTR1-Request.csr
Create an extfile.cnf file that will have the host name and IP address of the CollabOS device.
Create the Certificate
openssl x509 -req -sha256 -days 365 -in VC-MTR1-Request.csr -CA CA-Cert.pem -CAkey CA-key.pem -out VC-MTR1-Cert.pem -extfile extfile.cnf -CAcreateserial
Enter the password for the CA key file:

The certificate and the key file will be in the working directory and ready to be uploaded to the CollabOS device.

Option 2:

Another approach is using a Windows Certificate Authority, creating a template and issuing the certificate from the template. You will sign the certificate and import it so you can export it. The OpenSSL tool will still be used to isolate the private key.

On the Windows Server Certificate Authority, open the Certificate Templates MMC.
1. Run: mmc
2. Click File > Add/Remove Snap-in
3. Double Click “Certificate Templates” snap-in and click “OK”
Right-click on the Web Template> Duplicate
On the “General” tab fill in a Template Display Name “CollabOS LNA Certificate” and check the “Validity Period”, I have selected 5 years

On the Request Handling Tab, check "Allow private key to be exported", then click "OK".

Open the Certificate Authority management tool:
1. Run: mmc
2. Click "File", then "Add/Remove Snap-in"
3. Double-click "Certificate Authority" snap-in
4. Click "OK"
5. Select "Local Computer"
6. Click "Finish"
7. Click "OK"
Expand your server, right-click on the "Certificate Templates" folder, click "New", then "Certificate Template to Issue".
Select “CollabOS LNA Certificate” and click “OK”
Open the Internet Information Services (IIS) Manager to generate a Certificate Signing Request (CSR)
1. Run: “inetmgr”
2. Click on your server
3. Double click on “Server Certificates” in the middle pane
4. Click on “Create Certificate Request” on the right pane
5. Enter the required organizational and server information in the Distinguished Name Properties dialog box, click Next
6. Choose a Cryptographic service provider (CSP) and bit length, here we selected 4096
7. Click “Next”
8. Name the request file (e.g., "CollabOS_Wildcard.txt") and save it to a secure location
Submit the CSR to Microsoft Active Directory Certificate Services:
1. Navigate your web browser to “http://<servername>/certsrv”
2. Navigate to "http://<servername>/certsrv" in your web browser
3. Click "Request a certificate"
4. Click "Advanced certificate request"
5. In the "Base-64-encoded" box, paste the entire contents of "CollabOS_Wildcard.txt", including the "BEGIN NEW CERTIFICATE REQUEST" and "END NEW CERTIFICATE REQUEST" lines
6. Set "Certificate Template" to "CollabOS LNA Certificate"
7. In "Additional Attributes", add any desired SAN attributes (e.g., "san:dns=dns.name"
8. Click “Submit”
9. Click on “Download certificate”
10. Save to a secure place.
11. Install the Certificate on the local machine
12. Double click on the certificate that you saved
13. Click on “Install Certificate”
14. Click on “Local Machine”
15. Click “Next”
16. Click “Place all certificates in the following store”
17. Click “Browse”
18. Select “Personal” and click “OK”
19. Click “Next” and click “Finish”
Export the Certificate
1. Run: mmc
2. Click “File”, then “Add/Remove Snap-in”
3. Double Click “Certificates” snap-in
4. Select “Computer account”
5. Click “Next”
6. Select “Local computer”
7. Click “Finish”
8. Click “OK”
9. Click on “Certificates (Local Computer)”
10. Expand “Personal”
11. Click on “Certificates”
12. Right click on your certificate, click on “All Tasks” and click “Export”
13. In the Export Wizard, click “Next”, select “No”, click “Next”, select “DER”, click “Next”
14. Give it a file name, and save to a secure location, click “Next”, click “Finish”
15. Now export the certificate again by right clicking on your certificate, click on “All Tasks” and click “Export”
16. In the Export Wizard, click “Next”, select “Yes”, click “Next”, select “Personal Information Exchange”, click “Next”
17. Set a password, select the encryption, click "Next"
Give it a file name, and save to a secure location, click “Next”, click “Finish”

10. Extract your private key from the pfx file using the OpenSSL tool

For extracting a self signed certificate using OpenSSL tool in Download from Link
open SSL command to get private key from .pfx certificate
Open a command prompt, navigate to the location of the pfx file
Run the following command:

openssl pkcs12 -in yourfile.pfx -nocerts -out priv-key.pem -nodes

It will ask for the password you used to export the pfx file
The .pem file will be in the same directory you are working in

Option 3:

Another approach is using a Windows Certificate Authority, without creating a template and just creating the key from your certificate mmc. You will sign the certificate and import it so you can export it. The OpenSSL tool will still be used to isolate the private key.

Open the “Certificate” mmc
1. Run: mmc
2. Click “File”, then “Add/Remove Snap-in”
3. Double Click “Certificates” snap-in
4. Select “My User account”
5. Click “Finish”
6. Click “OK”
7. Click on “Certificates (Current User)”
8. Right click on “Personal”, select “All Tasks”, select “Advanced Operations”, click on “Create Custom Request”
9. Click “Next” , select “Proceed without enrollment policy”, click “Next”
10. Confirm “Request format:” is “PKCS #10”, click “Next”
11. Expand “Details” drop down, click on “Properties”
12. Fill out the Friendly name: host.domain.com (or *.domain.com)
13. Click on the “Subject” tab.
14. Click on “Type” dropdown and select “Common name”, and fill out as the “Value:” to domain.com, click “Add”
15. Fill out the other “Types” for Organization, Country and State as a minimum
16. Under “Alternative name” select “Type” “DNS” with a “Value” of “host.domain.com” (or *.domain.com) and click “Add”
17. Click on the “Extensions” tab, expand the “Key usage” section
18. Click on “Digital signature” and click “Add”
19. Click on “Key encipherment” and click “Add”
20. Expand the “Extended Key Usage” section
21. Click on “Server Authentication” and click “Add”
22. Click on the “Private Key” tab
23. Expand the “Key options” section and change the key length to “4096” and check “Make private key exportable”
24. Click “OK”
25. Click “Next”
26. Give it a file name, and save to a secure location, select “Binary” click “Next”, click “Finish”
Open the Microsoft Active Directory Certificate Services

Navigate your web browser to “http://<servername>/certsrv”
Click on “Request a certificate”
Click on “advanced certificate request”
In the “Base-64-encoded” box paste the complete contents of the file you saved “CollabOS_Wildcard.txt” be sure to include everything from the header “-----BEGIN NEW CERTIFICATE REQUEST—--” through the footer “-----END NEW CERTIFICATE REQUEST—--”
Change the “Certificate Template” to “CollabOS LNA Certificate”
In the “Additional Attributes” box type any desired SAN attributes, such as “san:dns=dns.name”

Click “Submit”
Click on “Download certificate”
Save to a secure place.

3. Install the Certificate on the local machine

Double click on the certificate that you saved
Click on “Install Certificate”
Click on “Local Machine”
Click “Next”
Click “Place all certificates in the following store”
Click “Browse”
Select “Personal” and click “OK”
Click “Next” and click “Finish”

4. Export the Certificate

Run: mmc
Click “File”, then “Add/Remove Snap-in”
Double Click “Certificates” snap-in
Select “Computer account”
Click “Next”
Select “Local computer”
Click “Finish”
Click “OK”
Click on “Certificates (Local Computer)”
Expand “Personal”
Click on “Certificates”
Right click on your certificate, click on “All Tasks” and click “Export”
In the Export Wizard, click “Next”, select “No”, click “Next”, select “DER”, click “Next”
Give it a file name, and save to a secure location, click “Next”, click “Finish”
Now export the certificate again by right clicking on your certificate, click on “All Tasks” and click “Export”
In the Export Wizard, click “Next”, select “Yes”, click “Next”, select “Personal Information Exchange”, click “Next”

Check the password field and give it a password, Select the Encryption, click “Next”

Give it a file name, and save to a secure location, click “Next”, click “Finish”

5. Extract your private key from the pfx file using the OpenSSL tool

For extracting a self signed certificate using OpenSSL tool in Download from Link
open SSL command to get private key from .pfx certificate
Open a command prompt, navigate to the location of the pfx file
Run the following command:

openssl pkcs12 -in yourfile.pfx -nocerts -out priv-key.pem -nodes

It will ask for the password you used to export the pfx file
The .pem file will be in the same directory you are working in

Step 3: Uploading the Certificate

In the Local Network Access setup interface, select System Settings -> More Settings -> LNA Web Server Certificate
Click upload and select the certificate file and Private Key that you created in the previous section, then click Upload.
The file will be uploaded and then the device will reboot automatically after saving the changes.
You will need to restart the web browser to see the valid certificate.
Note: Uploading an incorrect file can disrupt Local Network Access functionality. To restore Access, you must perform a factory reset on the CollabOS device.