Where can I find the most up-to-date SSL certificates for the USP MTP layer?
The CDRouter USP (TR-369) expansion includes a “server” certificate file which can be used for SSL/TLS testing. The certificate is distributed in .pem format and is located in the /usr/cdrouter/tests directory on the CDRouter host system.
Sectigo/Comodo Signed Server Certificates
The current USP “server” certificate may be used for both the MTP (Message Transport Protocol) layer and the USP record layer.
For the MTP layer, it will be used for whichever method is configured: WebSockets, STOMP, or MQTT.
Sectigo Root CA
The “server” certificate is signed by a Sectigo (formerly Comodo) Root CA. Your USP agent should hopefully have this Root CA already installed in its certificate store. If it does not, the Root CA is also included on your CDRouter system, and you will need to copy it manually to the device where your TR-369 (USP) agent is located.
For more information on the Sectigo Chain Hierarchy and Intermediate Roots, please see this page.
Current USP controller certificates
The USP controller certificate used in CDRouter is valid for one year and expires every year in January or early February.
Updated controller certificates will be included in new versions of CDRouter when available. If you are using an older version of CDRouter with expired certificates, you may download the current valid certificates below and copy them to the /usr/cdrouter/tests directory on your CDRouter system.
Certificate Type | Signature Algorithm | File | Expiration Date |
---|---|---|---|
USP “server” certificate | ecdsa (SHA256) | wildcard.cdroutertest.com.pem | January 23, 2026 |
Intermediate CAs (2) | ecdsa (SHA384) | wildcard.cdroutertest.com-ca.pem | December 31, 2030 |
Root CA | rsa (SHA1) | wildcard.cdroutertest.com-rootca.pem | December 31, 2028 |
Note: This certificate chain uses ECC encryption.
Certificate chain with SHA384 Root CA
Some devices may require using a Root CA with a more secure signature algorithm. For these devices an alternate chain using a Root CA with a SHA384 signature with ECC encryption is available in the following table:
Certificate Type | Signature Algorithm | File | Expiration Date |
---|---|---|---|
Intermediate CA | ecdsa (SHA384) | wildcard.cdroutertest.com-ca-sha384.pem | December 31, 2030 |
Root CA | ecdsa (SHA384) | wildcard.cdroutertest.com-rootca-sha384.pem | January 18, 2038 |
Note: In the above table, the full chain has a length of three (3). The Intermediate CA file contains a single Intermediate certificate.
Note: This chain uses the same USP “server” certificate that is in the product. Only the intermediate and root are different.
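After copying updated files into place, a quick check that the server certificate is not about to expire and that each installed chain verifies can save a failed test run. The script below is an added example, not part of CDRouter; the function names are hypothetical, the file names and directory are the ones listed on this page, and it assumes the openssl command-line tool is installed on the host.

```shell
#!/bin/sh
# Added example (not QA Cafe code): pre-flight check of the USP certificate files.
# File names and the directory come from this page; function names are
# hypothetical. Requires the openssl command-line tool.

# Succeed if the first certificate in FILE is still valid DAYS days from now.
cert_valid_for() {
    [ -r "$1" ] || return 2
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeed if SERVER chains to ROOT through the certificates in INTERMEDIATES.
# openssl verify also rejects a chain that contains an expired certificate.
chain_ok() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Check the server certificate and every chain present in DIR.
# Returns 0 only if the server certificate is valid for DAYS more days
# (default 30) and each chain that is present verifies.
check_usp_certs() {
    dir=$1 days=${2:-30} rc=0
    server="$dir/wildcard.cdroutertest.com.pem"
    if cert_valid_for "$server" "$days"; then
        echo "OK   server certificate: $(openssl x509 -in "$server" -noout -enddate)"
    else
        echo "FAIL server certificate missing, expired, or expiring within $days days"
        rc=1
    fi
    for suffix in "" "-sha384"; do      # default chain, then the SHA384 chain
        ca="$dir/wildcard.cdroutertest.com-ca$suffix.pem"
        root="$dir/wildcard.cdroutertest.com-rootca$suffix.pem"
        [ -r "$ca" ] && [ -r "$root" ] || continue   # chain not installed: skip
        if chain_ok "$server" "$ca" "$root"; then
            echo "OK   chain verifies against $root"
        else
            echo "FAIL chain does not verify against $root"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check-usp-certs.sh /usr/cdrouter/tests [days]
if [ "$#" -gt 0 ]; then
    check_usp_certs "$@"
fi
```

A non-zero exit status means at least one check failed, so the script can gate a scheduled test run.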