
The PBX uses TLS to secure HTTP and SIP traffic. This works only if the system has a private key and a matching certificate. Depending on the direction of the communication, the PBX must either present a certificate (e.g. as a web server) or trust certificates presented by other parties (e.g. when the PBX pulls information from other sites).

The PBX can present domain certificates, which are used in virtual hosting. If no domain certificate is available, the PBX falls back to the system certificate. System certificates can be wildcard certificates.

Certificate Overview

When you visit the certificate page, the system lists the certificates that have been loaded into the system.

certoverview.png

If you don't want to use certain certificates, select them in the list and click the delete button. To view a certificate, click the icon next to it; this downloads the certificate. The private key cannot be downloaded through the web interface, even if one was uploaded together with the certificate.

If you want to update the list of trusted root CAs (e.g. because you are running a newer PBX version), use the reset button on the page.

Issued Certificates

You can see which certificates have been issued or uploaded in the certificates tab. By clicking on the certificate icon you can view the certificate, and by clicking on the delete button you can remove the certificate from the system.

Importing Certificates

When importing certificates, the certificate must be in base64-encoded PEM format, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. If you want to import a certificate chain (along with the private key), the certificate to be imported must come first, followed by zero, one or more intermediate certificates that the server should present later. Those intermediate certificates also go into the certificate import text area.

If you are uploading a domain or server certificate that should be presented to visitors, you must include the private key in the upload. The private key must also be base64-encoded and start with -----BEGIN RSA PRIVATE KEY----- (PKCS#1) or -----BEGIN PRIVATE KEY----- (PKCS#8, since version 5.4). Please note that a private key uploaded this way might be intercepted. You can minimize this risk by using the localhost address from the local machine. Private keys must not be password protected, as the PBX has no way to decrypt them during start-up.

Domain certificates must match exactly the name which is used for the domain on the PBX.

The PBX automatically assigns the certificate to the matching domain. Wildcard certificates must be imported as server certificates, as they serve all domains on the system.

Example for when you have one certificate to be added to the server

admincerts21.png

Example for when you have two or more certificates to be added to the server. Let's say you have your wildcard certificate and an intermediate certificate, e.g. from GoDaddy; both are added to the Certificate text area as shown.

admincerts31.png

When you upload a STIR/SHAKEN certificate, you need to set the Identity header in the trunk that is supposed to use the certificate to use STIR/SHAKEN. The PBX automatically chooses a STIR/SHAKEN certificate that matches the tenant address or, if none can be found, the first STIR/SHAKEN certificate available on the system.

Updating the built-in certificate

After the initial installation, the PBX comes with a Vodia-signed certificate for localhost. Typically this certificate is not secure anyway and you can ignore it. The certificate that was shipped with versions 5.5.0 and below expired on July 14, 2016. If your clients check the expiration date (but ignore the domain), you should update the certificate with the data below.


Getting a Valid Certificate

There are several ways to obtain a certificate for a tenant or for the system. Typically you can just use the LetsEncrypt service through the ACME protocol, but you can also buy certificates or create your own.

ACME Protocol

LetsEncrypt (https://letsencrypt.org) offers free certificates through its certification service. In order to use this service, you need to ensure:

  • The PBX must have port 80 open for HTTP, so that the certification robot can verify the PBX address.
  • The name of the certificate must be identical to a tenant address or the system management DNS address with the DNS A or DNS AAAA record set accordingly.
  • The ACME Directory URL (in reg_settings.htm) must be set to LetsEncrypt.

The PBX checks every 24 hours whether certificates need to be renewed. The PBX also supports DNS challenges for the ACME protocol; however, this currently works only with a limited number of DNS providers.

Buying a Certificate

When you buy a certificate, the certificate authority must verify that you are really the one operating the server. Although the mechanisms for this process differ, all services require that you pay for the service and that your web browser is already set up to trust the certificate authority. This mechanism is suitable if you are operating a public service where loading root certificates onto many clients is not an option. You usually also need to specify which IP addresses are using this certificate for the service.

Making Your Own Certificate

If you have access to your clients, you may also generate your own certificates. For example, you can join the community at http://cacert.org and generate them there. You will need to load the root certificate into the clients that should talk to the Vodia PBX.

There are various other sites that provide a similar service. You may also download the OpenSSL toolkit, build your own certificate generator and set up your own trusted network. If you have already done this to secure your other office infrastructure (e.g., email or VPN), you can probably reuse those certificates.

The format of the certificate must be base64-encoded. You must include the private key and the certificate in the upload. Please note that uploading the private key this way might be intercepted by an intruder. You can minimize this risk by using the localhost address from the local machine.

To provide the key, copy the ASCII string that you received from the trusted party into the text field and press the button. The system will then present this certificate to HTTP and SIP connections that require secure communication.

admincerts41.png

If your private key starts with something like this, you need to first decrypt the key before you copy & paste it into the web interface:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,E687456BA4F7D6621A98B011FA2EE4D7

You can do this using the command "openssl rsa -in server.key.secure -out server.key" (for this you need to have OpenSSL installed).
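Before pasting a bundle into the import text area, a check like the following catches the mistakes described in the import rules above and the encrypted-key case just shown: wrong block order, a missing or extra private key, a password-protected key (a Proc-Type header or an ENCRYPTED PRIVATE KEY label), and a PKCS#8 key on a PBX older than 5.4. This is an added example, not part of Vodia's documentation or product; the PEM payloads are constructed placeholders and the version threshold is the one stated above.

```python
import base64
import re

# Constructed placeholder payload (base64 of a minimal DER SEQUENCE), not a real key or certificate.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Split a PEM bundle into (label, header lines, base64 body) per block."""
    blocks = []
    for label, body in _BLOCK.findall(text):
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        headers = [l for l in lines if ":" in l]          # e.g. "Proc-Type: 4,ENCRYPTED"
        blocks.append((label, headers, "".join(l for l in lines if ":" not in l)))
    return blocks

def lint_bundle(text, pbx_version=(5, 4), needs_key=True):
    """Return a list of problems; an empty list means the paste matches the import rules."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found (expected -----BEGIN CERTIFICATE-----)"]
    problems = []
    if blocks[0][0] != "CERTIFICATE":
        problems.append("the certificate to be imported must come first, intermediates after it")
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    if needs_key and len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    for label, headers, b64 in blocks:
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            der = b""
        if not der or der[0] != 0x30:                       # DER always starts with a SEQUENCE tag
            problems.append(f"{label}: body is not base64-encoded DER")
        if label == "ENCRYPTED PRIVATE KEY" or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers):
            problems.append(f"{label}: key is password protected; decrypt it with openssl rsa first")
        elif label == "PRIVATE KEY" and pbx_version < (5, 4):
            problems.append("PKCS#8 key (BEGIN PRIVATE KEY) needs PBX 5.4 or later; convert to PKCS#1")
        elif label not in ("CERTIFICATE", "RSA PRIVATE KEY", "PRIVATE KEY"):
            problems.append(f"{label}: unsupported block type")
    return problems

def block(label, headers=""):  # one constructed PEM block for the samples below
    return f"-----BEGIN {label}-----\n{headers}{FAKE_DER}\n-----END {label}-----\n"

# Constructed sample pastes: leaf + intermediate + key (correct), PKCS#8 key, encrypted key, key pasted first.
GOOD_BUNDLE = block("CERTIFICATE") + block("CERTIFICATE") + block("RSA PRIVATE KEY")
PKCS8_BUNDLE = block("CERTIFICATE") + block("PRIVATE KEY")
ENC_HDR = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,E687456BA4F7D6621A98B011FA2EE4D7\n\n"
ENCRYPTED_BUNDLE = block("CERTIFICATE") + block("RSA PRIVATE KEY", ENC_HDR)
KEY_FIRST_BUNDLE = block("RSA PRIVATE KEY") + block("CERTIFICATE")
```

Run `lint_bundle()` on the text you are about to paste; an empty result means the framing matches the rules on this page, while the certificate contents themselves still need to be checked with openssl.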