Comment: Updated for sipXecs 4.6

...

Most certificate authorities now require certificate signing requests of 2048 bits or greater, but by default sipXecs generates 1024-bit certificate signing requests. To change this, log into the Linux command line and edit the script located at /usr/bin/ssl-cert/gen-ssl-keys.sh by issuing the following command:

Code Block
perl -p -i -e 's/ServerKeyBits=1024/ServerKeyBits=2048/g' /usr/bin/ssl-cert/gen-ssl-keys.sh

Once you have run this command, log into the sipXecs web portal as a user with administrative rights (such as superadmin). Once you have logged in, browse to System >> Certificates. You will be presented with the Generate CSR page. Enter the correct information for all fields, then click Generate. The 2048-bit certificate signing request will be generated. Submit this certificate signing request to the certificate authority you wish to sign the certificate.

Preparing For SSL Certificate Installation: CA Chaining Certificates

Most certificate authorities now implement CA chaining as a method of verifying smaller certificate signing authorities against larger, more well-known signing authorities. These chaining certificates must be installed alongside the SSL certificate issued by the certificate signing authority. Since there is currently no method to upload these chain certificates separately from the web certificate, the chain certificate(s) must be included in the same file as the SSL web certificate, pasted in above the SSL web certificate. For example, if your SSL web certificate is as follows:

Code Block
-----BEGIN CERTIFICATE-----
(SSL web certificate body)
-----END CERTIFICATE-----

And your intermediate chain certificate provided by your certificate signing authority is as follows:

Code Block
-----BEGIN CERTIFICATE-----
(intermediate chain certificate body)
-----END CERTIFICATE-----

Then you would combine these into one certificate file with the chaining certificate(s) before the SSL web certificate:

Code Block
-----BEGIN CERTIFICATE-----
(intermediate chain certificate body)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(SSL web certificate body)
-----END CERTIFICATE-----

Save this certificate on your computer for uploading.

Installing SSL Web Certificate

via sipXecs Web Portal

Creation of 2048-bit certificates from sipXconfig is not yet supported. Alternatively, a 2048-bit CSR can be generated from the command line, changing the output filenames to match your certificate name:

Code Block
openssl req -nodes -newkey rsa:2048 -keyout sipx.ezuce.com.key -out sipx.ezuce.com.csr
Note

Fill in the requested values with your own information. The most important of these is Common Name, which will be the hostname of your configuration server. If creating a CSR for a wildcard certificate, you will need to enter *.domain.tld where domain.tld is the top level domain of your server.

Warning

Wildcard certificates only support one subdomain level. What this means is that if your server name is server.subdomain.domain.tld and you register a wildcard certificate only for *.domain.tld your certificate will not be recognized by any browser. You would need to purchase a wildcard certificate for *.subdomain.domain.tld for the wildcard certificate to be properly recognized.
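The one-level rule from the warning above, as an added example that is not part of the original page: a POSIX shell function (the name wildcard_covers is hypothetical) that decides whether a certificate name covers a hostname. The hostnames are constructed from the page's own placeholders.

```shell
#!/bin/sh
# Added example: single-label wildcard matching, as described in the warning.
# wildcard_covers is a hypothetical helper; hostnames are constructed samples.

# wildcard_covers PATTERN HOST -> exit status 0 if PATTERN covers HOST
wildcard_covers() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # names compare case-insensitively
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*.}          # "domain.tld" from "*.domain.tld"
            case "$host" in
                *."$suffix") ;;            # host must end in ".domain.tld"
                *) return 1 ;;
            esac
            label=${host%".$suffix"}       # the part the "*" has to stand for
            case "$label" in
                ''|*.*) return 1 ;;        # empty, or more than one level deep
                *) return 0 ;;
            esac
            ;;
        *)
            [ "$pattern" = "$host" ]       # non-wildcard names must match exactly
            ;;
    esac
}

# Walk through the cases from the warning.
for h in server.domain.tld server.subdomain.domain.tld domain.tld; do
    if wildcard_covers '*.domain.tld' "$h"; then
        echo "*.domain.tld covers $h"
    else
        echo "*.domain.tld does NOT cover $h"
    fi
done
```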

Code Block
Generating a 2048 bit RSA private key
.....+++
.........................+++
writing new private key to 'sipx.ezuce.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) [Default City]:Andover
Organization Name (eg, company) [Default Company Ltd]:eZuce, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:sipx.ezuce.com
Email Address []:sipx@ezuce.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Copy the certificate signing request file and the private key from the server using an SFTP/SCP program such as WinSCP. Once copied, you may now submit the resulting CSR to your SSL provider. Be sure to back up your key to a safe place.

Preparing For SSL Certificate Installation: CA Chaining Certificates

Most certificate authorities now implement CA chaining as a method of verifying smaller certificate signing authorities against larger, more well-known signing authorities. These chaining certificates must be installed alongside the SSL certificate issued by the certificate signing authority. sipXecs now allows direct uploading of chaining certificates under System >> Certificates >> Import Web Certificate.

Installing SSL Web Certificate

Log into the sipXecs web portal as a user with administrative rights (such as superadmin). Once you have logged in, browse to System >> Certificates. Choose Import Web Certificate on the left pane. Click Choose File or Browse (depending on your browser) and select the SSL certificate and optionally the Key File, Certificate Chain File and/or CA Certificate File to upload. Once you have selected the certificates, click the Import button. sipXecs will restart the configuration interface with the new SSL web certificate.

via Manual Installation

If the sipXecs web portal is unable to verify or install your certificate, you will need to perform a manual installation of the SSL web certificate. This will involve transferring the certificate file to the server via SFTP. Use your favorite SCP/SFTP program to accomplish this (WinSCP is a popular SCP/SFTP program available at http://www.winscp.net ). Once you have established an SFTP connection with the sipXecs server, copy your SSL certificate file (we’ll assume the SSL certificate is named webcert.crt) to /etc/sipxpbx/ssl . Now log into the Linux command line and issue the following commands:

Back up the current SSL certificate, key, and keystore:

Code Block
mkdir ~/sslbackup && cp /etc/sipxpbx/ssl/ssl-web.* ~/sslbackup

Replace the current SSL web certificate:

Code Block
rm -f /etc/sipxpbx/ssl/ssl-web.crt
mv /etc/sipxpbx/ssl/webcert.crt /etc/sipxpbx/ssl/ssl-web.crt

Change ownership and permissions of the SSL web certificate:

Code Block
chown sipxchange:root /etc/sipxpbx/ssl/ssl-web.crt
chmod 0600 /etc/sipxpbx/ssl/ssl-web.crt

Stop sipXecs service:

Code Block
service sipxecs stop

Remove the SSL web keystore:

Code Block
rm -f /etc/sipxpbx/ssl/ssl-web.keystore

Start sipXecs service:

Code Block
service sipxecs start
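A pre-flight check for the CSR step and for the certificate file used in the manual replacement above, as an added example that is not part of the original page or of sipXecs. It assumes the openssl command-line tool is installed; the function names are hypothetical and the file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: checks to run before submitting a CSR and before replacing
# ssl-web.crt. Function names are hypothetical; paths are passed by the caller.

# Print the public key (PEM) carried by a private key, a CSR, or a certificate.
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Print the LAST certificate in a PEM file. When chain certificates are pasted
# above the web certificate, "openssl x509 -in FILE" reads only the first
# block, which is a chain certificate and not the server's own.
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/   { last = buf }
         END { printf "%s", last }' "$1"
}

# Print the key size of a CSR in bits, e.g. 1024 or 2048.
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# csr_ok KEY CSR: the CSR was made from KEY and is at least 2048 bits.
csr_ok() {
    want=$(pub_of_key "$1")
    [ -n "$want" ] &&
    [ "$want" = "$(pub_of_csr "$2")" ] &&
    [ "$(csr_bits "$2")" -ge 2048 ] 2>/dev/null
}

# cert_ok KEY CERTFILE: the last certificate in CERTFILE belongs to KEY.
cert_ok() {
    want=$(pub_of_key "$1")
    got=$(last_cert "$2" | openssl x509 -noout -pubkey 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$got" ]
}
```

For example, `csr_ok sipx.ezuce.com.key sipx.ezuce.com.csr` before submitting the request, and `cert_ok` with the same key against the certificate file before moving it to ssl-web.crt and removing the keystore.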

Known Issues

...

import the certificates but you should restart Apache manually by invoking the following command:

Code Block
service httpd restart

You may have to close and reopen your browser for the SSL certificate to properly validate.

Warning

Changing the SSL web certificate will also change the Openfire IM server certificate.