Introduction
The default SSL web certificates in sipXecs are self-signed, meaning there is no valid certificate authority to verify them against. As a result, popular web browsers such as Microsoft Internet Explorer, Google Chrome, Apple Safari, and Mozilla Firefox display security warnings when accessing the sipXecs web portal. This guide steps the sipXecs administrator through generating a certificate signing request (CSR) and installing the new web certificates.
Generating a 1024 bit Certificate Signing Request (CSR)
To generate a 1024 bit certificate signing request in sipXecs, log in as a user with administrative rights (such as superadmin). Once you have logged in, browse to System >> Certificates. You will be presented with the Generate CSR page. Enter the correct information for all fields, then click Generate. The 1024 bit certificate signing request will be generated. Submit this certificate signing request to the certificate authority you wish to sign the certificate.
Generating a 2048 bit Certificate Signing Request (CSR)
Most certificate authorities now require 2048 bit certificate signing requests, but by default sipXecs generates 1024 bit certificate signing requests. This can be changed by editing the script located at /usr/bin/ssl-cert/gen-ssl-keys.sh. Log into the Linux command line and issue the following command:
perl -p -i -e 's/ServerKeyBits=1024/ServerKeyBits=2048/g' /usr/bin/ssl-cert/gen-ssl-keys.sh
Once you have run this command, log into the sipXecs web portal as a user with administrative rights (such as superadmin). Once you have logged in, browse to System >> Certificates. You will be presented with the Generate CSR page. Enter the correct information for all fields, then click Generate. The 2048 bit certificate signing request will be generated. Submit this certificate signing request to the certificate authority you wish to sign the certificate.
Preparing For SSL Certificate Installation: CA Chaining Certificates
Most certificate authorities now implement CA chaining as a method of verifying smaller certificate signing authorities against larger, more well-known signing authorities. These chaining certificates must be installed alongside the SSL certificate issued by the certificate signing authority. Since there is currently no method to upload these chain certificates separately from the web certificate, the chain certificate(s) must be included in the same file as the SSL web certificate, pasted in above the SSL web certificate. For example, if your SSL web certificate is as follows:
And your intermediate chain certificate provided by your certificate signing authority is as follows:
Then you would combine these into one certificate file with the chaining certificate(s) before the SSL web certificate:
Save this certificate on your computer for uploading.
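The combined file described above can also be assembled and checked from the command line rather than by pasting. This is an added example, not part of the original guide: the function names and the file names passed to them are assumptions, and key_matches_cert assumes an RSA key and an installed openssl.

```shell
#!/bin/sh
# Added example. Usage (file names are assumptions):
#   build_bundle intermediate.crt webcert.crt combined.crt
#   web_cert_is_last combined.crt webcert.crt && echo "order ok"

# Number of PEM certificate blocks in a file (0 if none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Strip CRs and blank lines; awk also terminates an unterminated last line,
# so "-----END CERTIFICATE-----" never fuses with the next BEGIN marker.
normalize_pem() {
    tr -d '\r' < "$1" | awk 'NF'
}

# Write the chain certificate(s) first and the SSL web certificate last,
# the order this guide describes.
build_bundle() {
    chain=$1; web=$2; out=$3
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$chain" || true)
    [ "$(count_certs "$chain")" -ge 1 ] && [ "$(count_certs "$chain")" -eq "$ends" ] ||
        { echo "malformed chain file: $chain" >&2; return 1; }
    [ "$(count_certs "$web")" -eq 1 ] ||
        { echo "web certificate file must hold exactly one certificate" >&2; return 1; }
    ( umask 077; { normalize_pem "$chain"; normalize_pem "$web"; } > "$out" )
}

# True when the last certificate block in the bundle is the web certificate.
web_cert_is_last() {
    last=$(awk '/-----BEGIN CERTIFICATE-----/ {buf=""}
                {buf = buf $0 "\n"}
                END {printf "%s", buf}' "$1")
    [ "$last" = "$(normalize_pem "$2")" ]
}

# True when the certificate was issued for this RSA private key. Catches a
# certificate signed from an older CSR than the key now on the server.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}
```

Run key_matches_cert on the server, passing the web certificate and the private key that was generated together with the CSR.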
Installing SSL Web Certificate
via sipXecs Web Portal
Log into the sipXecs web portal as a user with administrative rights (such as superadmin). Once you have logged in, browse to System >> Certificates. Choose Import Web Certificate on the left pane. Click Choose File or Browse (depending on your browser) and select the SSL certificate to upload. Once you have selected the certificate, click the Import button. sipXecs will restart the configuration interface with the new SSL web certificate.
via Manual Installation
If the sipXecs web portal is unable to verify or install your certificate, you will need to perform a manual installation of the SSL web certificate. This will involve transferring the certificate file to the server via SFTP. Use your favorite SCP/SFTP program to accomplish this (WinSCP is a popular SCP/SFTP program available at http://www.winscp.net). Once you have established an SFTP connection with the sipXecs server, copy your SSL certificate file (we'll assume the SSL certificate is named webcert.crt) to /etc/sipxpbx/ssl. Now log into the Linux command line and issue the following commands:
Back up the current SSL certificate, key, and keystore:
mkdir ~/sslbackup && cp /etc/sipxpbx/ssl/ssl-web.* ~/sslbackup
Replace current SSL web certificate:
rm -f /etc/sipxpbx/ssl/ssl-web.crt
mv /etc/sipxpbx/ssl/webcert.crt /etc/sipxpbx/ssl/ssl-web.crt
Change ownership and permissions of the SSL web certificate:
chown sipxchange:root /etc/sipxpbx/ssl/ssl-web.crt
chmod 0600 /etc/sipxpbx/ssl/ssl-web.crt
Stop sipXecs service:
service sipxecs stop
Remove the SSL web keystore:
rm -f /etc/sipxpbx/ssl/ssl-web.keystore
Start sipXecs service:
service sipxecs start
Known Issues
- Wildcard (*.domain.tld) SSL certificates are not supported at this time. Support is planned in version 4.6 of sipXecs.
- SSL web certificate import using the sipXecs web portal has known issues. If you are presented with an error when attempting to import a certificate, you will need to manually install your certificate.