Certificate Management

The PBX uses TLS to secure HTTP and SIP traffic. This works only if the system has a private key and a matching certificate. Depending on the direction of the communication, it either presents a certificate (e.g. as a web server) or has to trust certificates presented by other parties (e.g. when the PBX pulls information from other sites). The certificates loaded in the system are listed on the certificate page. Clicking on the certificate icon shows the certificate, and clicking on the delete button removes it from the system.

The PBX can present domain certificates, which are used for virtual hosting. If no domain certificate is available, the PBX falls back to the system certificate. System certificates can be wildcard certificates.

Certificate Overview

When you visit the certificate page, the system lists the certificates that have been loaded into it.

If you no longer want to use certain certificates, select them in the list and click on the delete button. To view a certificate, click on the icon next to it. This downloads the certificate, and your operating system will display it for you. The private key (if one was uploaded with the certificate) cannot be downloaded through the web interface.

Importing Certificates

When importing certificates, the certificate must be base64-encoded (PEM). It must start with the text -----BEGIN CERTIFICATE----- and end with the text -----END CERTIFICATE-----. If you want to import a certificate chain (along with the private key), put the certificate to be imported first, followed by zero or more intermediate certificates that the server should present to clients after it. The intermediate certificates go into the same certificate import text area.

If you are uploading a domain or server certificate that will be presented to visitors, you must include the private key in the upload. The private key must also be base64-encoded and start with -----BEGIN RSA PRIVATE KEY----- (PKCS#1) or -----BEGIN PRIVATE KEY----- (PKCS#8, supported since version 5.4). Please note that the private key travels over the network in this upload and could be intercepted. You can minimize this risk by uploading from the PBX machine itself using the localhost address, so that the key never leaves the host. Private keys must not be password protected, as the PBX has no way to decrypt them during start-up.

Domain certificates must match exactly the name used for the domain on the PBX; the PBX then automatically assigns the certificate to the matching domain. Wildcard certificates must be imported as server certificates, as they serve all domains on the system.

Example for when you have one certificate to be added to the server: the certificate (with its private key) goes into the certificate area box.

Example for when you have two or more certificates to be added to the server. Let's say you have your wildcard certificate and an intermediate certificate from a CA such as GoDaddy; then both go into the certificate area box, the wildcard certificate first, followed by the intermediate certificate.

Vodia Issued Certificates

Sometimes getting a publicly signed certificate is too much work, for example for closed user groups. In this case, Vodia can generate a certificate for you, signed by the Vodia Root CA. If you want your users to trust those certificates, you need to import the following Vodia Root CA certificate into your browser's certificate store. Keep in mind that a browser that trusts this root accepts every certificate signed by it, so this is only appropriate on devices you control.

-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----

The certificate has the following content (as displayed by openssl x509 -text):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13989621730477220194 (0xc2251ed7fb2e2162)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Massachusetts, L=Woburn, O=Vodia Networks, Inc, CN=Vodia Root CA/emailAddress=info@vodia.com
        Validity
            Not Before: Jul 16 13:56:31 2016 GMT
            Not After : Jul 11 13:56:31 2036 GMT
        Subject: C=US, ST=Massachusetts, L=Woburn, O=Vodia Networks, Inc, CN=Vodia Root CA/emailAddress=info@vodia.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dc:ee:ba:67:bc:27:82:4c:a6:8c:bc:30:a5:06:
                    a7:49:d5:70:14:c3:ab:54:5b:25:91:8b:dd:53:2a:
                    42:04:83:ec:14:4f:e7:79:52:98:4e:9b:af:26:8a:
                    84:cd:59:81:21:c6:90:f3:a5:1b:ff:37:16:b6:af:
                    08:17:50:16:2a:5b:61:9a:2f:a3:93:4a:bf:ac:3f:
                    10:26:66:6b:09:72:d7:cf:43:66:cd:7c:94:52:73:
                    8a:68:1c:74:55:28:df:d1:c0:50:be:3e:7a:8b:27:
                    9f:4b:ca:07:00:0e:a7:aa:9b:c3:03:b5:54:a2:24:
                    f1:1f:dc:ae:41:1e:25:ce:c7:68:28:f6:33:4b:1c:
                    0d:fe:b3:92:20:4a:e1:ed:90:8c:9a:93:24:3e:e5:
                    50:1f:bc:e1:17:36:c4:e6:9b:66:a0:b2:98:51:89:
                    d3:97:2c:55:21:19:cc:48:17:a6:0c:84:0b:7e:dd:
                    21:96:66:c4:e0:7c:d7:4f:57:ac:83:5a:02:96:6c:
                    b3:0a:d4:ba:ee:17:e2:cd:31:07:ef:ad:73:2a:8a:
                    8c:2d:e2:e6:3e:d9:70:a7:82:bc:2c:0a:fe:72:a2:
                    02:8e:53:04:44:25:9c:95:0a:22:ea:63:43:10:c6:
                    14:ab:d8:83:ad:0c:02:60:b0:eb:b1:00:1f:3a:12:
                    0f:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                57:11:B7:1C:84:D1:A7:44:C4:57:DA:5C:AD:09:13:51:9E:90:EF:C0
            X509v3 Authority Key Identifier: 
                keyid:57:11:B7:1C:84:D1:A7:44:C4:57:DA:5C:AD:09:13:51:9E:90:EF:C0

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         14:44:55:6e:70:41:fa:89:90:4a:20:71:45:86:d6:cd:b5:97:
         11:a0:b9:e2:1f:5f:0f:e0:fb:12:87:00:b8:1c:9e:83:b3:a2:
         23:79:49:08:9b:7b:29:ac:4d:cb:2e:8c:12:d2:a5:69:5c:59:
         e0:6b:29:b3:cb:0f:f4:2a:c1:86:56:44:db:37:a4:ac:84:93:
         a6:2d:d0:c5:35:18:d3:05:32:e2:2b:58:2e:0b:cf:13:1f:90:
         0f:92:db:25:7a:2f:7f:ec:4c:11:a7:53:2c:28:52:97:72:66:
         6f:f3:a6:bd:ae:18:f1:b7:89:34:52:34:4d:58:db:47:07:82:
         68:10:6a:b6:54:05:1a:a0:75:fc:dc:04:fe:14:eb:cc:49:5c:
         73:79:df:6d:9a:65:ef:15:10:d2:57:d4:52:74:a3:8d:f2:35:
         e7:4a:14:b2:06:3c:ec:98:8b:6e:06:a4:2f:3f:e7:21:57:1e:
         92:89:65:00:95:a6:fc:f9:0b:e7:a7:39:1b:ec:b3:2c:12:f8:
         4e:4c:10:e0:7b:19:46:e2:9a:f0:6b:3b:dd:b4:6b:07:38:aa:
         cd:92:84:b8:f6:91:5e:a0:07:f3:b1:fd:50:58:8c:c6:d7:58:
         b5:cf:65:a6:aa:6e:73:36:1a:22:e5:8a:2f:fe:9b:d6:83:17:
         80:60:27:e4

Updating the built-in certificate

The certificate that shipped with versions 5.5.0 and below expired on July 14, 2016. If your clients check the expiration date (but ignore the domain name), you should update the certificate with the data below. Because its private key is published here, this certificate cannot prove the identity of your server to anyone; it only keeps clients working that reject expired certificates.

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA8ttxfLxaJ7bDYQ46O3cEeMjFXa/kGAMW3QlyiEGRS8qzEtaw
YG9IJArqELLXTACw3DEYDgXBy/x220E7mUQK7z1TMNUwxXHcf23/JXSgfoHowwY1
i+D2vv15jVYl+5bfbK7AtdxZZhVh+zPbdVIApJLd9+ohChY33NlKDANFbh/zW9ia
mKtXj3lCQIb0P8fqaHPSGZYHOipSS1DeNYmYFn6Qr7t0QueX+ow4FsJbE6IdESp+
ZpmY9JZtAQdVQQGfPMWNUUr8LCQvBpD5hWaswYbWi1vXrqPr7Io9zsLT75e9+zMZ
bqfoYmL6/G8OFngRf2tqvV3+m//2q/+TaDJQQwIDAQABAoIBAGXnxxs8PehkPF/B
hJXnPy0fshG5+NBKm5FsoW6jdMCE8dd51tDgYTkei1EuekEeGRiMUTexGrzp10Xx
fXy2nI/+/6WCD9EKEig2k9W3tpDfGjibpmRnpaJG4nZ4K8ACcwY73glxyOGZH2A1
RmVYX4SvTAz3ZZ3B7PbzBqs7xCqM1GMq5UN39PAG3LCsizXfnmYArxAAGtABNMTJ
typkGeeqjmWcinDrb1HfBO2HPZ50X+KWTz6BNVL2vP1ryh+jkMkHFjQUjkA5lZif
JD5Qu2p3pCnxCyLT/q4ztHfi2D4rSYr4XGj9eY92c7bo/tLzMU2/T+9U45cXuew+
jtReMwECgYEA+mdsY2ggWDB1sAT/ljor9fHy+c6c6qI/aj33MLkfbnGDUK/ZXt7I
eTkS6Mr/D/JnhttkaMxFWG6SJ72tVgKpZve/h+rOs0yq0ZupViF3In8x5H0o+EdA
zEHvTYrxR62GH8ZVRP6qU5Hi8ek4PX38L0trTvve+CQSBekDGOwfEyECgYEA+EjY
H1+itpyHwO5mmbB15ZcrCtp9YuUIsDdd9dXTdt/1pTTX19NnUbhdzaJC6RIXoyQH
YUJyc8vfG+3jB/ZQUl3mCs6vM8o2seLpKClkHGtWfCaAuU/vttNbWeiFeQjgzcYI
i7PHycsGuh8MdgAE/EwMpDPXZa6ZSvLLEw1TGuMCgYEA109Ww6MlLK9+gnvJyUL7
yd7hLiuagaZBIPlnM136yNySLS8Hmau2dYW93K2v4+ZrXmoHTJVYi1GIGuPdx7dC
MmeVKSmd0k56EwHl+UmNRvxXykBUmieqb/fB7Msr7JYoXeoMJ+dSTcmDer8uvLE3
xvLyslegwX1CghJ5t1RQ5AECgYEA4IIWE8CJxLCkPLwWQLEE2ren7yeEq/FIuvdF
2m8gyWRYnqu65Wk/CvE4uSIZeOGoSBfjKHpKPhVCyOGCIogDN4e65VjhqmYWsSHr
DSroYJ5a1OaIDYmPzHUwLIuKbdiuVsPUpGbLqNgSXCiJPwZje7RU1gIeqs6HxPLo
2HB7DlsCgYEAsnj4n41Ev3aKqQykzW3sidyzumeHRiBkLOgjMWJbFW+63vQCt0wb
/2YpZbzHczv81K+VkMJrbMHwGv877ctIZCcAarnNxVspFpEb9L88an8FYjSg7lYC
HBNWhIyZ+h4zGiV5kIOAkji9pYBQuj4nwCcYDqxRrZmpL5V+7B4+Lz0=
-----END RSA PRIVATE KEY-----

Getting a Valid Certificate

Certificates are used in the system in two places. First, they are used to secure the traffic between the web browser and the web interface of the system. Second, they are used to secure the SIP traffic between the phone and the system’s signaling path.

By default the system generates a so-called self-signed certificate. While this encrypts the traffic, it does not assure the client that it is really talking to the server: it could just as well be talking to a man in the middle that merely relays the traffic, which means the traffic is not private any more. Since most web browsers are very strict about checking certificates, the user must explicitly accept the untrusted certificate. Also, some IP phones only accept SIP traffic on connections with valid certificates. While the user of a web browser can just click and accept the certificate, the user of a phone usually has no such choice and the connection simply fails.

Buying a Certificate

When you buy a certificate, the certificate authority must verify that you really are the one operating the server, in practice that you control its host name. Although the mechanisms for this differ, all such services require that you pay for the certificate, and they only help if your clients' web browsers already trust the certificate authority. This approach is suitable if you operate a public service where loading root certificates on many clients is not an option. You usually also need to specify which host names the certificate should cover.

Making Your Own Certificate

If you control your clients, you may also generate your own certificates. For example, you can join the community at http://cacert.org and generate them there. You will need to load the root certificate into every client that should talk to the snom ONE system.

There are various other sites that provide a similar service. You may also download the OpenSSL toolkit and run your own certificate authority to set up your own trusted network. If you have already done this to secure other office infrastructure (e.g., email or VPN), you can probably reuse those certificates, or the CA that issued them, for the PBX as well.

Certificate Size and Format

The certificate must be base64-encoded (PEM), and the upload must include both the private key and the certificate. Please note that the private key in this upload could be intercepted by an intruder on the network. You can minimize this risk by uploading from the local machine via the localhost address.

To provide the key, copy the ASCII text that you received from the trusted party into the text field and press the button. The system will then present this certificate on HTTP and SIP connections that require secure communication.

If your private key starts with something like the following, it is password protected and you need to decrypt it before you copy and paste it into the web interface:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,E687456BA4F7D6621A98B011FA2EE4D7

You can do this with the command "openssl rsa -in server.key.secure -out server.key" (OpenSSL must be installed; the command prompts for the passphrase). The resulting server.key is unencrypted, so keep it readable only by you and delete it once it has been uploaded.
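As an added example (not from the Vodia documentation or product): a POSIX shell script that detects both PEM encryption styles (the legacy Proc-Type header shown above and the PKCS#8 "ENCRYPTED PRIVATE KEY" form that newer OpenSSL versions write by default), decrypts the key with a passphrase taken from an environment variable rather than the command line, converts it to PKCS#1 so that it is also accepted by PBX versions before 5.4, and keeps the plain key readable only by the current user while deleting the intermediate copy. It assumes OpenSSL 1.1.1 or newer; file names, the environment variable name PBX_KEY_PASS and the passphrase are made up.

```shell
#!/bin/sh
# Added example, not part of the Vodia documentation or product.
# Turns a password-protected private key into the form the import field takes:
# unencrypted and, for PBX versions before 5.4, PKCS#1 ("BEGIN RSA PRIVATE KEY").
# Assumptions: OpenSSL 1.1.1 or newer; file names and passphrases are made up.

# key_is_encrypted FILE: true if the PEM needs a passphrase, in either style:
# the legacy "Proc-Type: 4,ENCRYPTED" header shown above, or PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" as newer OpenSSL versions write by default.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# decrypt_key IN OUT PASSPHRASE: writes the unencrypted key to OUT, readable
# only by the current user. "openssl pkey" reads both encryption styles; the
# "openssl rsa" command from the text above handles the legacy style.
# -passin env: keeps the passphrase out of the process list.
decrypt_key() {
    in=$1; out=$2; pass=$3
    ( umask 077
      PBX_KEY_PASS=$pass openssl pkey -in "$in" -passin env:PBX_KEY_PASS -out "$out" 2>/dev/null ) \
        || { echo "could not decrypt $in (wrong passphrase?)" >&2; return 1; }
    key_is_encrypted "$out" && { echo "$out is still encrypted" >&2; return 1; }
    return 0
}

# to_pkcs1 IN OUT: rewrite an RSA key as PKCS#1. OpenSSL 3 writes PKCS#8
# unless told -traditional; OpenSSL 1.1.x does not know that flag but writes
# PKCS#1 from "openssl rsa" anyway, so try both.
to_pkcs1() {
    in=$1; out=$2
    ( umask 077
      openssl rsa -in "$in" -traditional -out "$out" 2>/dev/null \
          || openssl rsa -in "$in" -out "$out" 2>/dev/null ) || return 1
    head -n 1 "$out" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# same_key A B: true if both PEM files hold the same key (public halves match).
same_key() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# prepare_key ENCRYPTED_KEY PASSPHRASE OUT: decrypt, convert, check that the
# result is the same key, and leave no second copy of the plain key behind.
prepare_key() {
    tmp=$(mktemp)    # mktemp creates the file with mode 0600
    if decrypt_key "$1" "$tmp" "$2" && to_pkcs1 "$tmp" "$3" && same_key "$tmp" "$3"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: PBX_KEY_PASS='...' sh this_script.sh server.key.secure server.key
if [ $# -eq 2 ]; then
    prepare_key "$1" "${PBX_KEY_PASS:?set PBX_KEY_PASS to the key passphrase}" "$2" \
        && echo "$2 is ready to paste into the PBX; delete it afterwards"
fi
```

After pasting server.key into the web interface, delete it: the PBX keeps its own copy, and an unencrypted key lying around on an administrator's workstation is the easiest way to lose the protection the certificate was bought for.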