The PBX uses TLS in secure communication for HTTP and SIP traffic. This works only if the system has a pair of private keys and certificates. Depending on the direction of the communication, it needs to either present a certificate (e.g. web server) or trust certificates from other parties (e.g. when the PBX pulls information from other sites). The certificates that are loaded in the system can be seen on the certificate page. By clicking on the certificate icon you can view the certificate, and by clicking on the delete button you can remove the certificate from the system.
The PBX is able to present domain certificates, used in virtual hosting. If there is no domain certificate available, the PBX uses the system certificate. System certificates can be wildcard certificates.
When you visit the certificate page, the system lists the certificates that have been loaded into the system.
If you don't want to use certain certificates, you can select them in the list and then click on the button. In order to view a certificate, click on the icon next to the certificate. It wi8ll download the certificate. Your operating system will present the certificate for you. The private key cannot be downloaded through the web interface (if there was a private key uploaded with the certificate).
When importing certificates, the format of the certificate must be base64-encoded. Certificates must start with the text
----BEGIN CERTIFICATE---- and end with the text
----END CERTIFICATE----. If you want to import a certificate chain (along with the private key), you must put the certificate to be imported first, followed by zero, one or more intermediate certificates that the server should present later. Those intermediate certificates also go into the certificate import text area.
If you are uploading a domain or server certificate that should be presented to visitors, you must include the private key in the upload. The private key must also be base64-encoded and start with
----BEGIN RSA PRIVATE KEY---- (PKCS#1) or
----BEGIN PRIVATE KEY---- (PKCS#8, since version 5.4). Please note that uploading the private key this way might be intercepted. You can minimize this risk by using the localhost address from the local machine. Private keys must not be password protected as the PBX has no way to decrypt that during start-up.
Domain certificates must match exactly the name which is used for the domain on the PBX. The PBX automatically assigns the certificate to the matching domain. Wildcard certificates must be imported as server certificates, as they serve all domains on the system.
Example for when you have one certificate to be added to the server
Example for when you have two or more certificates to be added to the server. Let's say you have your wild card certificate and an intermediate certificate for e.g. GoDaddy, then both get added in the Certificate area box as shown.
Vodia Issued Certificates
Sometimes getting publicly signed certificates can be too much work, for example for closed user groups. In this case, Vodia can generate a certificate for you, signed by the Vodia Rooa CA. If you want your users to trust those certificates, you need to import the following Vodia Root CA into your browser certificate storage.
-----BEGIN CERTIFICATE----- MIID6zCCAtOgAwIBAgIJAMIlHtf7LiFiMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD VQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czEPMA0GA1UEBwwGV29idXJu MRwwGgYDVQQKDBNWb2RpYSBOZXR3b3JrcywgSW5jMRYwFAYDVQQDDA1Wb2RpYSBS b290IENBMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHZvZGlhLmNvbTAeFw0xNjA3MTYx MzU2MzFaFw0zNjA3MTExMzU2MzFaMIGLMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN TWFzc2FjaHVzZXR0czEPMA0GA1UEBwwGV29idXJuMRwwGgYDVQQKDBNWb2RpYSBO ZXR3b3JrcywgSW5jMRYwFAYDVQQDDA1Wb2RpYSBSb290IENBMR0wGwYJKoZIhvcN AQkBFg5pbmZvQHZvZGlhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBANzuume8J4JMpoy8MKUGp0nVcBTDq1RbJZGL3VMqQgSD7BRP53lSmE6bryaK hM1ZgSHGkPOlG/83FravCBdQFipbYZovo5NKv6w/ECZmawly189DZs18lFJzimgc dFUo39HAUL4+eosnn0vKBwAOp6qbwwO1VKIk8R/crkEeJc7HaCj2M0scDf6zkiBK 4e2QjJqTJD7lUB+84Rc2xOabZqCymFGJ05csVSEZzEgXpgyEC37dIZZmxOB8109X rINaApZsswrUuu4X4s0xB++tcyqKjC3i5j7ZcKeCvCwK/nKiAo5TBEQlnJUKIupj QxDGFKvYg60MAmCw67EAHzoSD0ECAwEAAaNQME4wHQYDVR0OBBYEFFcRtxyE0adE xFfaXK0JE1GekO/AMB8GA1UdIwQYMBaAFFcRtxyE0adExFfaXK0JE1GekO/AMAwG A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABREVW5wQfqJkEogcUWG1s21 lxGgueIfXw/g+xKHALgcnoOzoiN5SQibeymsTcsujBLSpWlcWeBrKbPLD/QqwYZW RNs3pKyEk6Yt0MU1GNMFMuIrWC4LzxMfkA+S2yV6L3/sTBGnUywoUpdyZm/zpr2u GPG3iTRSNE1Y20cHgmgQarZUBRqgdfzcBP4U68xJXHN5322aZe8VENJX1FJ0o43y NedKFLIGPOyYi24GpC8/5yFXHpKJZQCVpvz5C+enORvssywS+E5MEOB7GUbimvBr O920awc4qs2ShLj2kV6gB/Ox/VBYjMbXWLXPZaaqbnM2GiLlii/+m9aDF4BgJ+Q= -----END CERTIFICATE-----
The certificate has the following content:
Certificate: Data: Version: 3 (0x2) Serial Number: 13989621730477220194 (0xc2251ed7fb2e2162) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Massachusetts, L=Woburn, O=Vodia Networks, Inc, CN=Vodia Root CA/emailAddressemail@example.com Validity Not Before: Jul 16 13:56:31 2016 GMT Not After : Jul 11 13:56:31 2036 GMT Subject: C=US, ST=Massachusetts, L=Woburn, O=Vodia Networks, Inc, CN=Vodia Root CA/emailAddressfirstname.lastname@example.org Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:dc:ee:ba:67:bc:27:82:4c:a6:8c:bc:30:a5:06: a7:49:d5:70:14:c3:ab:54:5b:25:91:8b:dd:53:2a: 42:04:83:ec:14:4f:e7:79:52:98:4e:9b:af:26:8a: 84:cd:59:81:21:c6:90:f3:a5:1b:ff:37:16:b6:af: 08:17:50:16:2a:5b:61:9a:2f:a3:93:4a:bf:ac:3f: 10:26:66:6b:09:72:d7:cf:43:66:cd:7c:94:52:73: 8a:68:1c:74:55:28:df:d1:c0:50:be:3e:7a:8b:27: 9f:4b:ca:07:00:0e:a7:aa:9b:c3:03:b5:54:a2:24: f1:1f:dc:ae:41:1e:25:ce:c7:68:28:f6:33:4b:1c: 0d:fe:b3:92:20:4a:e1:ed:90:8c:9a:93:24:3e:e5: 50:1f:bc:e1:17:36:c4:e6:9b:66:a0:b2:98:51:89: d3:97:2c:55:21:19:cc:48:17:a6:0c:84:0b:7e:dd: 21:96:66:c4:e0:7c:d7:4f:57:ac:83:5a:02:96:6c: b3:0a:d4:ba:ee:17:e2:cd:31:07:ef:ad:73:2a:8a: 8c:2d:e2:e6:3e:d9:70:a7:82:bc:2c:0a:fe:72:a2: 02:8e:53:04:44:25:9c:95:0a:22:ea:63:43:10:c6: 14:ab:d8:83:ad:0c:02:60:b0:eb:b1:00:1f:3a:12: 0f:41 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 57:11:B7:1C:84:D1:A7:44:C4:57:DA:5C:AD:09:13:51:9E:90:EF:C0 X509v3 Authority Key Identifier: keyid:57:11:B7:1C:84:D1:A7:44:C4:57:DA:5C:AD:09:13:51:9E:90:EF:C0 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption 14:44:55:6e:70:41:fa:89:90:4a:20:71:45:86:d6:cd:b5:97: 11:a0:b9:e2:1f:5f:0f:e0:fb:12:87:00:b8:1c:9e:83:b3:a2: 23:79:49:08:9b:7b:29:ac:4d:cb:2e:8c:12:d2:a5:69:5c:59: e0:6b:29:b3:cb:0f:f4:2a:c1:86:56:44:db:37:a4:ac:84:93: a6:2d:d0:c5:35:18:d3:05:32:e2:2b:58:2e:0b:cf:13:1f:90: 0f:92:db:25:7a:2f:7f:ec:4c:11:a7:53:2c:28:52:97:72:66: 6f:f3:a6:bd:ae:18:f1:b7:89:34:52:34:4d:58:db:47:07:82: 68:10:6a:b6:54:05:1a:a0:75:fc:dc:04:fe:14:eb:cc:49:5c: 73:79:df:6d:9a:65:ef:15:10:d2:57:d4:52:74:a3:8d:f2:35: e7:4a:14:b2:06:3c:ec:98:8b:6e:06:a4:2f:3f:e7:21:57:1e: 92:89:65:00:95:a6:fc:f9:0b:e7:a7:39:1b:ec:b3:2c:12:f8: 4e:4c:10:e0:7b:19:46:e2:9a:f0:6b:3b:dd:b4:6b:07:38:aa: cd:92:84:b8:f6:91:5e:a0:07:f3:b1:fd:50:58:8c:c6:d7:58: b5:cf:65:a6:aa:6e:73:36:1a:22:e5:8a:2f:fe:9b:d6:83:17: 80:60:27:e4
Updating the build-in certificate
The certificate that was shipped with versions 5.5.0 and below expired on July 14, 2016. If your clients check the expiration date (but ignore the domain), you should update the certificate with the data below.
-----BEGIN CERTIFICATE----- MIIDhDCCAmwCCQCFqqmJRLR68DANBgkqhkiG9w0BAQsFADCBizELMAkGA1UEBhMC VVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxDzANBgNVBAcMBldvYnVybjEcMBoG A1UECgwTVm9kaWEgTmV0d29ya3MsIEluYzEWMBQGA1UEAwwNVm9kaWEgUm9vdCBD QTEdMBsGCSqGSIb3DQEJARYOaW5mb0B2b2RpYS5jb20wHhcNMTYwNzE2MTM1OTEy WhcNMTkwNTA2MTM1OTEyWjB8MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUExDzAN BgNVBAcTBldvYnVybjEcMBoGA1UEChMTVm9kaWEgTmV0d29ya3MsIEluYzESMBAG A1UEAxMJbG9jYWxob3N0MR0wGwYJKoZIhvcNAQkBFg5pbmZvQHZvZGlhLmNvbTCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPLbcXy8Wie2w2EOOjt3BHjI xV2v5BgDFt0JcohBkUvKsxLWsGBvSCQK6hCy10wAsNwxGA4Fwcv8dttBO5lECu89 UzDVMMVx3H9t/yV0oH6B6MMGNYvg9r79eY1WJfuW32yuwLXcWWYVYfsz23VSAKSS 3ffqIQoWN9zZSgwDRW4f81vYmpirV495QkCG9D/H6mhz0hmWBzoqUktQ3jWJmBZ+ kK+7dELnl/qMOBbCWxOiHREqfmaZmPSWbQEHVUEBnzzFjVFK/CwkLwaQ+YVmrMGG 1otb166j6+yKPc7C0++XvfszGW6n6GJi+vxvDhZ4EX9rar1d/pv/9qv/k2gyUEMC AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAH33mjKDpOwvn2qRIXhjSEv7e9/XPCHBC OHlAgVip6hBQQOT3VTPWgpLeTnZvc/Sz1hvuFb1vBB3Jq+Q2W6EKgsqt1UMcuv9G 4Hgn+JHsoetbv9nf8L362yE3pR3mw+ekv+3rH7QFEN/WV+aTc0twqDMy17/YMTOE p3p901WY7roYvzC+djE1pnOWpQ57s1QVRXn9lstKSbB4LP/pjNN+3e6gd4x2TBsI Rbv74Y+dfvdJKEforLC9NR7O8xcleDHRQZO8Z7/v8Tm0Osylvh8TbTZdnN13kXth 1FfRY3ue+75Ko1MDj5tvYQdsHdstWeGUkAFFLHb3iIJEluZzXwtyZg== -----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA8ttxfLxaJ7bDYQ46O3cEeMjFXa/kGAMW3QlyiEGRS8qzEtaw YG9IJArqELLXTACw3DEYDgXBy/x220E7mUQK7z1TMNUwxXHcf23/JXSgfoHowwY1 i+D2vv15jVYl+5bfbK7AtdxZZhVh+zPbdVIApJLd9+ohChY33NlKDANFbh/zW9ia mKtXj3lCQIb0P8fqaHPSGZYHOipSS1DeNYmYFn6Qr7t0QueX+ow4FsJbE6IdESp+ ZpmY9JZtAQdVQQGfPMWNUUr8LCQvBpD5hWaswYbWi1vXrqPr7Io9zsLT75e9+zMZ bqfoYmL6/G8OFngRf2tqvV3+m//2q/+TaDJQQwIDAQABAoIBAGXnxxs8PehkPF/B hJXnPy0fshG5+NBKm5FsoW6jdMCE8dd51tDgYTkei1EuekEeGRiMUTexGrzp10Xx fXy2nI/+/6WCD9EKEig2k9W3tpDfGjibpmRnpaJG4nZ4K8ACcwY73glxyOGZH2A1 RmVYX4SvTAz3ZZ3B7PbzBqs7xCqM1GMq5UN39PAG3LCsizXfnmYArxAAGtABNMTJ typkGeeqjmWcinDrb1HfBO2HPZ50X+KWTz6BNVL2vP1ryh+jkMkHFjQUjkA5lZif JD5Qu2p3pCnxCyLT/q4ztHfi2D4rSYr4XGj9eY92c7bo/tLzMU2/T+9U45cXuew+ jtReMwECgYEA+mdsY2ggWDB1sAT/ljor9fHy+c6c6qI/aj33MLkfbnGDUK/ZXt7I eTkS6Mr/D/JnhttkaMxFWG6SJ72tVgKpZve/h+rOs0yq0ZupViF3In8x5H0o+EdA zEHvTYrxR62GH8ZVRP6qU5Hi8ek4PX38L0trTvve+CQSBekDGOwfEyECgYEA+EjY H1+itpyHwO5mmbB15ZcrCtp9YuUIsDdd9dXTdt/1pTTX19NnUbhdzaJC6RIXoyQH YUJyc8vfG+3jB/ZQUl3mCs6vM8o2seLpKClkHGtWfCaAuU/vttNbWeiFeQjgzcYI i7PHycsGuh8MdgAE/EwMpDPXZa6ZSvLLEw1TGuMCgYEA109Ww6MlLK9+gnvJyUL7 yd7hLiuagaZBIPlnM136yNySLS8Hmau2dYW93K2v4+ZrXmoHTJVYi1GIGuPdx7dC MmeVKSmd0k56EwHl+UmNRvxXykBUmieqb/fB7Msr7JYoXeoMJ+dSTcmDer8uvLE3 xvLyslegwX1CghJ5t1RQ5AECgYEA4IIWE8CJxLCkPLwWQLEE2ren7yeEq/FIuvdF 2m8gyWRYnqu65Wk/CvE4uSIZeOGoSBfjKHpKPhVCyOGCIogDN4e65VjhqmYWsSHr DSroYJ5a1OaIDYmPzHUwLIuKbdiuVsPUpGbLqNgSXCiJPwZje7RU1gIeqs6HxPLo 2HB7DlsCgYEAsnj4n41Ev3aKqQykzW3sidyzumeHRiBkLOgjMWJbFW+63vQCt0wb /2YpZbzHczv81K+VkMJrbMHwGv877ctIZCcAarnNxVspFpEb9L88an8FYjSg7lYC HBNWhIyZ+h4zGiV5kIOAkji9pYBQuj4nwCcYDqxRrZmpL5V+7B4+Lz0= -----END RSA PRIVATE KEY-----
Getting a Valid Certificate
Certificates are used in the system in two places. First, they are used to secure the traffic between the web browser and the web interface of the system. Second, they are used to secure the SIP traffic between the phone and the system’s signaling path.
The system by default generates a certificate, referred to as a self-signed certificate. While this provides a reasonable encryption of the traffic, it does not ensure that the client is really talking to the server. For example, it could also talk to a person in the middle that is just relaying the traffic. This essentially means that the traffic is not private any more, and since most Internet browsers are very strict regarding checking of certificates, the user must explicitly accept the untrusted certificate. Also, some IP phones do only accept SIP traffic on connections that have valid certificates. While the user of a web browser can just click and accept the certificate, a user of a phone usually does not have such a choice and the connection just fails.
Buying a Certificate
When you buy a certificate, it must be known that you are really the one who is operating a server. Although the mechanisms for this process differ, all services require that you pay for the service and that your web browser is already set up to trust the certificate authority. This mechanism is suitable if you are operating a public service where it is not an option to load root certificates on many clients. You usually also need to specify which IP addresses are using this certificate for the service.
Making Your Own Certificate
If you have access to your clients, you may also generate your own certificates. For example, you can join the community at http://cacert.org and generate them there. You will need to load the root certificate into the clients that should talk to the snom ONE system.
There are various other sites available which provide a similar service. You may also download the openSSL toolkit and compile your own certificate generator and set up your own trusted network. If you have already done this to secure your other office infrastructures (e.g., email or VPN), you can probably reuse the certificates for that.
Certificate Size and Format
The format of the certificate must be base64-encoded. You must include the private key and the certificate in the upload. Please note that uploading the private key this way might be intercepted by an intruder. You can minimize this risk by using the localhost address from the local machine.
In order to provide the key, just enter the ASCII string that you received from the trusted party, copy it into the text field, and press button The system will then present this certificate to HTTP and SIP connections that require secure communications.
If your private key starts with something like this, you need to first decrypt the key before you copy & paste it into the web interface:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,E687456BA4F7D6621A98B011FA2EE4D7
You can do this using the command "openssl rsa -in server.key.secure -out server.key" (for this you need to have OpenSSL installed).