To use a certificate generated from a third party or another certificate authority (CA) a certificate signing request (CSR) needs to be generated.

This CSR can then be provided to the CA who can then create the certificate to use.

From the Configuration -> Site -> Features -> Phone Manager -> Certificates section select the "MCS SSL client certificate" and click on Edit. Enter the requested information into the relevant fields.


Common name
The fully-qualified external domain name of the MCS server.
This should be the Client Location Remote NAT IP Address/Hostname: address configured on your MCS server
If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.<mydomain>.com.
Alternative names
Enter any alternative hostnames or IP addresses that may be used to connect to the server, for example the internal DNS name.
This must include the Client Location Local NAT IP Address/Hostname: address configured on your MCS server
Organisation
The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name.
Organisation unit
If applicable, enter the DBA (doing business as) name.
State / region
Name of the state or province where your organisation is located. Do not abbreviate.
City / locality
Name of the city where your organisation is registered/located. Do not abbreviate.
Country
The country where your organisation is legally registered.


Note: The certificate (even a wildcard one) needs to include either in the Common name or the Alternative name BOTH of the configured Local IP Address/Hostname: and NAT IP Address/Hostname: addresses in the Client Locations Configuration of your MCS server

Once complete click on the Download CSR file button. This will download a file called MCS_CertificateSigningRequest.csr that contains the CSR information, like that shown below.


-----BEGIN NEW CERTIFICATE REQUEST-----
MIID6TCCAtECAQAwUTEMMAoGA1UECwwDYXNkMQwwCgYDVQQKDANhc2QxCTAHBgNV
BAYTADEMMAoGA1UEBwwDYXNkMQwwCgYDVQQIDANhc2QxDDAKBgNVBAMMA2FzZDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOYYymhzefrUTuuLQxjZopBX
xOVZiazFt2TGyRVvL7kq2J1vQST5aHM0x3VbTssq/JgT6KIa99U8k0LDGKEHvOrs
HtR6Ym2y70nm5ou96kVP1a8t1B2zbJDM8W4fth1Ns3BqPqPNe7GuybwzKZEYcFG7
/jbzNf6aU9SeXHG7wFL5H/caZJqsgJ4WmlHfwBqwNgQJJLiVcL2PLVgIJWasX543
om4V5bSy7AcMy6DnJYlkFjijffWH8Y1aI19eTJCLEIstpBHYL1JecAP+0aBsKi7+
VOk+E+RRHuVT8w/oGCPcnM4r5XEKCUk4ccQwGAUGrnOkGfRfBUbltt7HuYjNtEsC
AwEAAaCCAVEwGgYKKwYBBAGCNw0CAzEMFgo2LjIuOTIwMC4yMFcGCSsGAQQBgjcV
FDFKMEgCAQUMF3hhci11ay1kZXYwMi5YYXJpb3MuTmV0DBdYQVJJT1NORVRcWEFS
LVVLLURFVjAyJAwRQ1MuV0NGU2VydmljZS5leGUwZgYKKwYBBAGCNw0CAjFYMFYC
AQIeTgBNAGkAYwByAG8AcwBvAGYAdAAgAFMAdAByAG8AbgBnACAAQwByAHkAcAB0
AG8AZwByAGEAcABoAGkAYwAgAFAAcgBvAHYAaQBkAGUAcgMBADByBgkqhkiG9w0B
CQ4xZTBjMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwEwYDVR0RBAwwCoIDYXNkggNhc2QwHQYDVR0OBBYEFId7bOuIH9Yoi7fA
IKSeqZrBuPLvMA0GCSqGSIb3DQEBBQUAA4IBAQBSFRCeUY/5HvGhcua8nEqq5lej
Z3pP+jkEgo2xCaJ7MXLQ+4uYCY0dBwzJ8I15+SrYSMmvbo8agRsvQeF5ntJTXIou
FBHul0rTCs7VUPyfwqzYc89Jg85PmDJklKoCzXHdJX/F7iH21BGtMhKpr41VXRug
KjG82ggWP5w0pfTadE9dGC5ga+MHfsWqS6SQsYbY6lyOfGMhc7d4DbgXWYpcV54N
eFwBTQPURSH6aw/N0k3kiXzKC82BtuyKtKiwk5E3309we17K0KuSRcDxSKS+pUGQ
ccvhR3x5++RX496X+nGU9VZ19V/csITUFL3OZAecRMBGCvxrm9iGjJjCkVNx
-----END NEW CERTIFICATE REQUEST-----


Follow the relevant process from the CA that is being used to create the certificate. The certificate needs to be Base64 encoded

Once the certificate has been received, this then needs to be uploaded back into the server. From the Configuration -> Site -> Features -> Phone Manager -> Certificates section select the "MCS SSL client certificate" and click on Edit.


As you have already completed the information when you created the CSR – just select the Next button and using the Choose Files button select the certificate file and then click on Save.

The new certificate will take effect


Note: If you change the certificate your Android mobile clients will get a popup on connection to trust the new certificate

If you use a certificate from a trusted CA then you no longer need to have a copy of the server certificate installed on the client