Vodia PBX forum

Associating certificates with domains

Recommended Posts

netpro78    0

I am trying to utilize multiple certificates. I have a wildcard certificate as the server certificate. I have a regular certificate as well that I have uploaded as a domain certificate. When using the web portal, the system seems to always utilize the proper certificate for what I am accessing. The problem is when I have a phone trying to register to a specific domain: the system does not utilize the certificate that matches the domain I am trying to register to; it is utilizing the wildcard certificate instead. Since the phone does not like the wildcard certificate, the registration fails.

My current setup is version 58.3

Polycom VVX 410 firmware version 5.60

Vodia PBX    0

That should in theory work. It is important that the client tells the PBX what domain to use; that is done with a TLS extension in the client hello. I would first make sure from a regular web browser that the PBX presents to the browser the right certificate. If that works, there must be a problem with the phone. Otherwise there must be a problem importing that certificate, for example the domain name does not match exactly the name in the certificate.

netpro78    0

Regular web browsers do not have the issue. Is there a specific name for the extension that presents the domain name in the client hello? Just trying to be as specific as possible when opening a ticket with Polycom.

netpro78    0

While I have a feature request open with the phone manufacturer, is it possible to specify a default certificate that is presented if the client does not support RFC 3546 (Server Name Indication)?

Vodia PBX    0

Usually you can use a wildcard certificate as the server certificate that will match most of the domains (e.g. *.best-pbx-ever.com) if all your clients use domain names with that kind of name.

netpro78    0

Since I am trying to support a phone that does not support server name identification, and it also does not accept wildcard certificates, I would like to set a default certificate that is issued whenever the client does not support server name identification.

Vodia PBX    0

Would that help much? In a multi domain environment you'll probably end up with the wrong certificate most of the time. The default is the server certificate right now (you can load wildcard certificates also into domains if they match).

netpro78    0

This worked well, and I also realized some details that were not in the documentation. One of the confusing issues I was having is that my wildcard and my regular cert both have the same base domain name.

My regular cert is xxx.yyy.mydomain.com. Wildcard certificate was *.mydomain.com. The problem was with regard to the web portal (the main reason I have the SSL cert is for the web portal; almost all recent browsers support server name identification). If I put the wildcard at the domain level, then the server would utilize it when accessing xxx.yyy.mydomain.com. Technically it should not, and should only match yyy.mydomain.com, and therefore it would not get to the server-level traditional cert of xxx.yyy.mydomain.com that I needed to put there in the default position for phones that do not support server name identification. So the solution I found was to put the traditional cert at both the domain and server level, and the wildcard only at the domain level, and everything worked fine.

This should not pose much of an issue since very few customers require SIPS/SRTP, so by the time I get another customer that requires it, chances are their phones will support server name identification, or I will have filled the server up, and be on to the next one.

This does lead to a potential feature request. If a domain could be bound to both a specific IP and port, then you could bind a certificate to the domain. This would make for a much more granular approach. It would also make sense to be able to select certs separately for HTTP versus SIP access.
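The two mechanisms this thread turns on are the TLS Server Name Indication extension in the client hello (the earlier replies) and the rule that a wildcard label covers exactly one DNS label, which is why *.mydomain.com should cover yyy.mydomain.com but not xxx.yyy.mydomain.com (this post). The script below is an added example written for this thread; it is not Vodia's code and makes no claim about how the PBX selects certificates internally. It models the selection an SNI-aware server is expected to make (no SNI, so the server-level certificate; otherwise an exact domain match, then a one-label wildcard match, then the server-level fallback) over the certificate layout described in this post, and it includes a small probe that connects to a host with and without SNI and reports the SHA-256 fingerprint of whatever certificate was presented, so an administrator can confirm whether the server is actually switching certificates for a phone that cannot send SNI. The certificate names and labels are constructed from this thread; the probe's host and port are whatever you point it at.

```python
import hashlib
import socket
import ssl
from typing import Dict, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a presented certificate name against a requested hostname.

    Follows the RFC 6125 convention: a leading "*" covers exactly one DNS
    label, so "*.mydomain.com" matches "yyy.mydomain.com" but neither
    "xxx.yyy.mydomain.com" nor the bare "mydomain.com". Comparison is
    case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".mydomain.com"
    # Refuse over-broad wildcards such as "*.com": require at least two
    # labels after the wildcard.
    if suffix.count(".") < 2:
        return False
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def select_certificate(server_cert: str,
                       domain_certs: Dict[str, str],
                       sni: Optional[str]) -> str:
    """Model of SNI-based selection (assumed behaviour, not the PBX's code).

    server_cert: label of the certificate loaded at the server level.
    domain_certs: map of certificate name (exact or wildcard) -> label for
                  certificates loaded at the domain level.
    sni: the name from the client hello, or None if the client sent none.
    """
    if sni is None:
        # A client without SNI gives the server nothing to pick on, so the
        # server-level certificate is all it can present.
        return server_cert
    # Exact names win over wildcards, regardless of insertion order.
    for name, cert in domain_certs.items():
        if not name.startswith("*.") and hostname_matches(name, sni):
            return cert
    for name, cert in domain_certs.items():
        if name.startswith("*.") and hostname_matches(name, sni):
            return cert
    return server_cert


def presented_cert_fingerprint(host: str, port: int,
                               sni: Optional[str] = None,
                               timeout: float = 5.0) -> str:
    """Connect with (sni=name) or without (sni=None) SNI and return the
    SHA-256 fingerprint of the DER certificate the server presented.

    Verification is deliberately off: this is a diagnostic that reports what
    the server sent, not a client that trusts it. Compare the fingerprint
    from an SNI and a non-SNI connection to see whether the server switches
    certificates. Not exercised by the offline test (needs a network).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


# Constructed layout mirroring the final configuration in this post:
# traditional certificate at both server and domain level, wildcard only
# at the domain level.
SERVER_CERT = "traditional"
DOMAIN_CERTS = {
    "*.mydomain.com": "wildcard",
    "xxx.yyy.mydomain.com": "traditional",
}


def demo() -> Dict[str, str]:
    """Which certificate each kind of client would receive under the model."""
    return {
        "phone without SNI": select_certificate(SERVER_CERT, DOMAIN_CERTS, None),
        "browser -> xxx.yyy.mydomain.com": select_certificate(
            SERVER_CERT, DOMAIN_CERTS, "xxx.yyy.mydomain.com"),
        "browser -> yyy.mydomain.com": select_certificate(
            SERVER_CERT, DOMAIN_CERTS, "yyy.mydomain.com"),
    }


if __name__ == "__main__":
    for client, cert in demo().items():
        print(f"{client}: {cert}")
```

To check a live system, call `presented_cert_fingerprint("pbx.example", 5061, sni="xxx.yyy.mydomain.com")` and again with `sni=None`; two different fingerprints mean the server is selecting on SNI, and the non-SNI fingerprint is what a phone without SNI support will be handed.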
