
Associating certificates with domains



I am trying to utilize multiple certificates. I have a wildcard certificate as the server certificate. I have a regular certificate as well that I have uploaded as a domain certificate. When using the web portal, the system seems to always utilize the proper certificate for what I am accessing. The problem is when I have a phone trying to register to a specific domain: the system does not utilize the certificate that matches the domain I am trying to register to; it is utilizing the wildcard certificate instead. Since the phone does not like the wildcard certificate, the registration fails.

My current setup is version 58.3.

Polycom VVX 410, firmware version 5.60.


That should in theory work. It is important that the client tell the PBX what domain to use, that is done with a TLS extension in the client hello. I would first make sure from a regular web browser that the PBX presents to the browser the right certificate. If that works, there must be a problem with the phone. Otherwise there must be a problem importing that certificate, for example the domain name does not match exactly the name in the certificate.


  • 2 weeks later...

This worked well, and I also realized some details that were not in the documentation. One of the confusing issues I was having is that my wildcard and my regular cert both have the same base domain name.

My regular cert is xxx.yyy.mydomain.com. The wildcard certificate was *.mydomain.com. The problem was with regard to the web portal (the main reason I have the SSL cert is for the web portal; almost all recent browsers support server name identification). If I put the wildcard at the domain level, then the server would utilize it when accessing xxx.yyy.mydomain.com. Technically it should not, and should only match yyy.mydomain.com, and therefore it would not get to the server-level traditional cert of xxx.yyy.mydomain.com that I needed to put there in the default position for phones that do not support server name identification. So the solution I found was to put the traditional cert at both the domain and server level, and the wildcard only at the domain level, and everything worked fine.

This should not pose much of an issue since very few customers require SIPS/SRTP, so by the time I get another customer that requires it, chances are their phones will support server name identification, or I will have filled the server up, and be on to the next one.

This does lead to a potential feature request. If a domain could be bound to both a specific IP and port, then you could bind a certificate to the domain. This would make for a much more granular approach. It would also make sense to be able to select certs separately for HTTP versus SIP access.

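As an added example that is not part of this thread or the PBX vendor's code: the wildcard matching rule the post above refers to (RFC 6125 hostname matching, as browsers apply it: a `*` covers exactly one label, so `*.mydomain.com` matches `yyy.mydomain.com` but not `xxx.yyy.mydomain.com`), a certificate-selection routine built on that rule with a server-level default for clients that send no SNI, and a probe that fetches the certificate a server actually presents with and without SNI, which is the browser check suggested in the first reply done from a script. The domain names are the placeholders from the thread; `CERTS`, `select_certificate` and the host/port the probe is pointed at are assumptions for illustration and do not model the PBX's own selection logic.

```python
"""Added example (not from the PBX vendor or the original poster): models how a
TLS server that follows RFC 6125 would pick a certificate from the client's
SNI name, and probes a real server with and without SNI.  Names are the
placeholders from the thread; host/port in the probe are assumptions."""
import socket
import ssl
from typing import Optional


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching as browsers do it: case-insensitive, '*' is only
    accepted as the entire left-most label, and it matches exactly one label.
    So '*.mydomain.com' matches 'yyy.mydomain.com' but neither
    'xxx.yyy.mydomain.com' nor the bare 'mydomain.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False               # '*' must be the whole left-most label
    if len(p_labels) < 3:
        return False               # refuse '*.com' style wildcards
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False               # wildcard covers one non-empty label only
    return h_labels[1:] == p_labels[1:]


def select_certificate(certs: dict[str, str], sni: Optional[str], default: str) -> str:
    """Pick a certificate label for one connection (assumed selection logic).

    certs  : maps the name a certificate is issued for -> a label for it
    sni    : the server_name the client sent, or None when the client (e.g. a
             phone without SNI support) sent none
    default: label of the server-level certificate used when nothing else fits

    Exact names win over wildcards; no SNI always means the default."""
    if sni is None:
        return default
    exact = [lab for name, lab in certs.items()
             if "*" not in name and name_matches(name, sni)]
    if exact:
        return exact[0]
    wild = [lab for name, lab in certs.items()
            if "*" in name and name_matches(name, sni)]
    return wild[0] if wild else default


def presented_certificate(host: str, port: int, sni: Optional[str]) -> str:
    """Connect to host:port and return the leaf certificate the server sends, as PEM.

    sni=None sends no Server Name Indication at all, which is what a phone that
    lacks SNI support looks like to the server.  Verification is disabled on
    purpose: the point is to see which certificate is served, right or wrong,
    so never reuse this context for anything but this check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


# Constructed setup mirroring the thread: wildcard plus specific cert at the
# domain level, with the specific cert also installed as the server default.
CERTS = {
    "*.mydomain.com": "wildcard",
    "xxx.yyy.mydomain.com": "specific",
}


def demo() -> dict[str, str]:
    """Which certificate each kind of client ends up with under the rule above."""
    return {
        "browser, SNI=xxx.yyy.mydomain.com": select_certificate(CERTS, "xxx.yyy.mydomain.com", "specific"),
        "browser, SNI=yyy.mydomain.com": select_certificate(CERTS, "yyy.mydomain.com", "specific"),
        "phone, no SNI, specific as default": select_certificate(CERTS, None, "specific"),
        "phone, no SNI, wildcard as default": select_certificate(CERTS, None, "wildcard"),
    }


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case:38s} -> {chosen}")
    # To probe a live PBX (assumed host/port), pipe the PEM into
    #   openssl x509 -noout -subject -ext subjectAltName
    # print(presented_certificate("xxx.yyy.mydomain.com", 443, "xxx.yyy.mydomain.com"))
    # print(presented_certificate("xxx.yyy.mydomain.com", 443, None))
```

The same one-label rule is what the phone applies when it validates the served certificate, which is why a wildcard for `*.mydomain.com` handed to a client registering to `xxx.yyy.mydomain.com` is rejected rather than accepted; running the probe twice, once with the domain as SNI and once with `None`, shows directly what a browser and a non-SNI phone are each given.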

Binding a domain to a specific IP would only work if all other domains bind to a specific (potentially another) IP as well. You could as well just run two instances of the PBX and bind each instance to the specific IP. But IMHO that is overly complicated. Every device should today support Server Name Indication, as every device should support AES and actually TLS 1.2.

