Installing a Cert on the PBX


Tom Waterman

Hello all. I am going to install a certificate on the PBX so it will communicate with Exchange 2007. My question is: do I HAVE to install it (the certificate) on all of the SIP phones? And what about devices (extensions) that don't support certificates?

 

Thank you for the help.

 

Tom

Link to comment
Share on other sites

Hello all. I am going to install a certificate on the PBX so it will communicate with Exchange 2007. My question is: do I HAVE to install it (the certificate) on all of the SIP phones? And what about devices (extensions) that don't support certificates?

 

By default it comes with a self-signed certificate. I believe it might even have expired... In version 4, you can load a certificate either globally or for a specific domain. If you want to load a domain certificate, then the client must support the TLS extension that tells the PBX which domain the request goes to. So if you have just one domain, it is probably easier to just load a global certificate.

 

With the certificate you must also load the private key. The certificate may contain a certificate chain; so that you include the certificate that the PBX should use for encryption, but also the other certificates that signed the certificate. For example, if you buy a certificate from Verisign, then you can include the Root CA from Verisign (which practically everybody trusts), maybe some intermediate certificates and finally the certificate of the PBX. Everything in this ----BEGIN---- base64-encoded form.

Link to comment
Share on other sites

  • 4 months later...
By default it comes with a self-signed certificate. I believe it might even have expired... In version 4, you can load a certificate either globally or for a specific domain. If you want to load a domain certificate, then the client must support the TLS extension that tells the PBX which domain the request goes to. So if you have just one domain, it is probably easier to just load a global certificate.

 

With the certificate you must also load the private key. The certificate may contain a certificate chain; so that you include the certificate that the PBX should use for encryption, but also the other certificates that signed the certificate. For example, if you buy a certificate from Verisign, then you can include the Root CA from Verisign (which practically everybody trusts), maybe some intermediate certificates and finally the certificate of the PBX. Everything in this ----BEGIN---- base64-encoded form.

I've spent hours trying to get the PBX running with certificates, but without success. I've copied the certificates (Base64) into the upper section 'Certificates' and the Private Key into 'Private Key'. After clicking 'Save' I see 'Starfield Secure Certification Authority' above the text field 'Certificates' along with a 'delete' icon, which might show a successful upload of the certificate. After rebooting the PBX, https access is no longer possible at all. It is really not a problem of browser certificate errors only. The browser won't get an https connection to the PBX at all. But with http I get access to the PBX again, in order to delete the certificate.

 

I wonder why the xml-file in the certificate folder of the pbx doesn't contain the private key. Is this normal? What about the domain section of the xml file? Does it match anything with the domain of the pbx? In this section we see 'Starfield Secure Certification Authority'

 

Any idea?

Link to comment
Share on other sites

I wonder why the xml-file in the certificate folder of the pbx doesn't contain the private key. Is this normal? What about the domain section of the xml file? Does it match anything with the domain of the pbx? In this section we see 'Starfield Secure Certification Authority'

 

Can you generate a sample that you can share with us here (especially the private key part...)? As you know, the private key and the certificate must match, so we need both to check what is going on.

Link to comment
Share on other sites

Update: Seems to be a problem with the certificate itself. Tried to install another certificate (from my IIS7). This is accepted by the pbx and works (but invalid due to the wrong domain of course). I will request a new certificate but don't know how to get the PBX's certificate request I need to issue a new cert. How to get it?

Link to comment
Share on other sites

I will request a new certificate but don't know how to get the PBX's certificate request I need to issue a new cert. How to get it?

 

Yea, that is a pain... There was a post here http://forum.pbxnsip.com/index.php?showtopic=3450 that explained how to use openssl. If you want to get a signature from someone you can trust, you need to generate a CSR file (certificate signing request or so) and have it signed by the authority. The PBX itself does not issue the certificate.

Link to comment
Share on other sites
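
The two steps this thread turns on, generating a key and CSR with openssl and confirming that the private key matches one of the certificates in the pasted chain, as an added example that is not part of the original posts or the PBX's own tooling. The function names, file names and `pbx.example.com` are assumptions; the check reports which certificate in the bundle belongs to the key and fails when none does, which can be done locally without sending the key to anyone.

```shell
#!/bin/sh
# Added example; helper names, file names and pbx.example.com are constructed.

# Create a new RSA key and a CSR for the PBX host name. The CSR goes to the CA;
# the key stays local and is what gets loaded next to the issued certificate.
make_csr() {  # usage: make_csr <key_out> <csr_out> <host_name>
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Print the 1-based position of the certificate in a PEM bundle whose public
# key belongs to the given private key; return 1 if no certificate matches.
cert_index_for_key() {  # usage: cert_index_for_key <key.pem> <bundle.pem>
    tmp=$(mktemp -d) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    # Split the bundle into one file per -----BEGIN CERTIFICATE----- block.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$2"
    i=1; found=0
    while [ -f "$tmp/$i.pem" ]; do
        cert_pub=$(openssl x509 -in "$tmp/$i.pem" -noout -pubkey 2>/dev/null)
        if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
            found=$i; break
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$found" -gt 0 ] && echo "$found"
}

# Constructed demo: a bundle with a CA-style certificate first and the PBX
# certificate second (both self-signed here), checked against the PBX key.
demo() {
    d=$(mktemp -d) || return 2
    make_csr "$d/pbx.key" "$d/pbx.csr" pbx.example.com
    openssl x509 -req -in "$d/pbx.csr" -signkey "$d/pbx.key" -days 1 \
        -out "$d/pbx.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    cat "$d/ca.crt" "$d/pbx.crt" > "$d/bundle.pem"
    echo "PBX key matches certificate #$(cert_index_for_key "$d/pbx.key" "$d/bundle.pem") in the bundle"
    rm -rf "$d"
}
demo
```

If `cert_index_for_key` returns 1 for the key and the text pasted into 'Certificates', the bundle holds only CA certificates or the key belongs to a different request.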

  • 3 weeks later...
