How to install CA signed certificates on ClickShare CX-series and C-series (SSL)

Article number: [5994] - Legacy code: [5994]

Applicable to

From ClickShare firmware v2.12 and onwards, custom certificates for HTTPS can be uploaded to the ClickShare Base Unit. CA signed certificates replace the default self-signed ClickShare certificates for better compliance with company policies and have the advantage that privacy errors when browsing the ClickShare Configurator can be avoided. To see if your certificate is working, you must access the Clickshare Base unit using a fully qualified DNS name, otherwise, there will not be a process initiated to verify the certificate (accessing via IP will not produce the "green" or locked indication).

CA = certificate authority (public or private)

CSR = certificate signing request

Info! Installing custom certificate on CS-100(H) and CSE-200/200+/800 Base Units (how to: see KB 2593).

ClickShare supports HTTPS SSL with two modes 1) per base unit and 2) wildcard (per sub-domain)

A per base unit certificate is more secure than a wildcard certificate but labor intensive for large enterprises.

How to create and upload the per base unit custom certificate. As a sidenote, when a ClickShare is initially configured, a private key is generated internally by the base unit, this is embedded in the CSR generated for the CA.

  1. Login to your ClickShare Base Unit Configuration page.
  2. Navigate to Security > Passwords > HTTP encryption and click Setup HTTP encryption...
  3. Click the radio button Create Certificate Signing Request and then click the Generate CSR button.
  4. Enter the following details to create a Certificate Signing Request (CSR): 
    • Domain name
    • Organization (optional)
    • Department / Organization Unit (optional)
    • Locality / City (optional)
    • State / Province (optional)
    • Country (optional)
  5. Click the Download button to download the custom certificate request (CSR).
    This CSR needs to be provided to the Certificate Authority (usually via email), the CA will return a certificate (or a list of certificates from a public CA - a public CA provider will typically include intermediate CA's) in the return email The resulting certificate needs to be uploaded to the device to activate it.  See step 9 on how to use a list of certificates that come from a CA using intermediate CA authorities.
    Chain_of_trust_v2.svg.png 
  6. Navigate to Security > Passwords > HTTP encryption and click Setup HTTP encryption...
  7. Click the radio button Use a custom certificate and then click the Upload certificate button.
  8. Enter your passphrase (optional) and then click Save changes to install the custom certificate on your ClickShare Base Unit.

If there are intermediate nodes in the SSL chain then place the Clickshare base unit as the top entry in the cert, then the intermediates, plus finally the root.
Prepare the public certificates for the import.
- place all the certificates into a single directory to make things easier
- open the text editor of your choice
- copy/paste all the provided certificates into this text editor
- the certificates must be in order; if the CA does not identify which certificate s the root/intermediate/BU (base unit)  --> you will need to open each certificate individually using Windows  certificate manager: (note, there could be multiple intermediate CA's).  Look for the "Issued to" line.
image003.png  
place them in this order:

-----BEGIN CERTIFICATE-----
{Base Unit cert}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{intermediate CA cert}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{root cert}
-----END CERTIFICATE-----

The ClickShare base unit is expecting a text file with either a .pem or .pfx extension (.pem is recommended), save the text file in your editor with this format.  Your certificate is now ready for import.  pfx is an encrypted file format requiring a password to open.

How to create and upload the wildcard custom certificate.

  1. If you want to use a wildcard certificate, the Clickshare Base Unit does not create this type of CSR.
  2. In addition to the certificate information above, a Private/Public key pair must also be generated. The Private Key is suggested to be added at the bottom of the concatenated key file).  When ClickShare was initially started, it generated a private key for only itself --> this initial private key cannot be used for a wildcard certificate (Barco keeps the initial key private).
    The private key will have this format: 
    -----BEGIN PRIVATE KEY-----
    {private key}
    -----END PRIVATE KEY----- 
  3. Using the CSR tool of your choice, we need to generate a private key that matches a public key.  The public key is embedded into the CSR to the CA.  I like the one below as it generates both at the same time. To create the wildcard certificate, create the Common Name (CN) with the sub-domain you are placing the base units into. Like this example: *.clickshare.lab.com  --> the star results in the wildcard certificate.  The other fields are optional, however, the CA may request you complete other fields.
    https://cheapsslsecurity.com/ssltools/csr-generator.php
    When you tap generate CSR, both files will be presented to you. Download them both in a secure location, keep the private key in a secure location.  This is the CSR you send to the CA.
    If you desire a more trusted site, it is possible to use a Microsoft solution:  https://stackoverflow.com/a/38363589
  4. The CA may ask you for a DNS txt record, this verifies you are who you say you are and sets the sub-domain for the wildcard certificate.  The CA will typically ask you for a DNS text record, then ask you to change it - proving you own the domain. (similar to confirming your email address by clicking a link in an email sent to you)
  5. You now have the information required for a wildcard certificate that can be deployed to all ClickShare's in a specific sub-domain (assuming the CA sent you the additional certificates in email.
  6. Follow the same steps as above (pickup from bullet 5 downwards) to create the single text file that is uploaded to all ClickShare's in the sub-domain. Do not forget any intermediate CA's.
  7. see KB 2549 for information related to wildcard certificates.
  8. To deploy the certificate on a enterprise scale, ClickShare has an embedded API.
    IMPORTANT: This is a clear text key, anyone can see your private key, use a tool like https://certificatetool.com/ssl-converter/pem/pem-to-pfx to encrypt the key, DO NOT lose the password, or you will need to start again.  Deploy the encrypted key.
  9.  This URL will display the active certificate on a ClickShare base unit: (you will be prompted in a pop up to enter the admin account of the ClickShare). 

    https://xxx.xxx.xxx.xxx:4003/v2/configuration/https

    To access the API, please go to WIFI and Network/services/API of a ClickShare base unit, this will have the API documentation for your details on the API commands.
    The request body of the API needs to contain the URL of the completed wildcard certificate and the encrypted password. You can use whatever method you like to distribute the key.

Info! For more information on certificates, refer to your Base Unit installation manual (how to: see KB9362).

Properties

Last updated Aug 5, 2025