Install a certificate

Secure access is sometimes necessary and useful for some features of the system. In these circumstances it’s worth installing a valid certificate.

Installing a Certificate from the Web Interface

  1. Go to system > certificates, enter the details and click ‘Save and Generate CSR’. CSR generation page

  2. Use the CSR (certificate signing request) to request a certificate from a trusted supplier. Once you’ve recieved it, make sure it is PEM format before proceeding.

  3. Using the same page, paste the certificate at the top of the CRT text box followed by any intermediate certificates before clicking ‘Save Certificate’. Pasting in the signed CRT

  4. Go to system > shutdown / reboot and click ‘Reboot’ when convenient. Rebooting the system

Installing a Certificate from the CLI

It may be necessary to install your SSL certificate from the command line if the CSR has been generated outside of the PBX. Typically when CSR’s (certiciate signing request) are generated a private key will also be generated alongside it. This means that the private key currently installed on the PBX won’t match the modulus of the new certificate. If this is the case you will need to install it from the CLI.

Please follow the below steps to install your certificate safely and securly:

  1. Copy the full certificate chain onto the PBX using the tool of your choice. IPCortex engineers will typically use SCP. This is secure shell’s (SSH) copy tool. Your SCP command string and arguments should look similar to the below.
scp certificate_chain.crt root@pabx.hostname.com:/var/spool/asterisk/tmp

The certificate chain should be stored in one file and in the following order:

  • Sever/Domain Certificate
  • Intermediate Certificate(s)
  • Root Certificate

Your certificate authority should have labeled your certificates clearly. If not you can use tools like What’s My Chain Cert? to help you determine your correct certificate chain.

  1. Copy your private key onto the PBX in the same way. You’ll need to make sure that your private key is not encrypted with a passphrase. The private key format should begin and end with the below.
----- BEGIN RSA PRIVATE KEY -----
Contents here
----- END RSA PRIVATE KEY -----
  1. Once the full certificate chain and private key have been copied onto the PBX, you are all set to begin the certificate and private key installation.

  2. Run the following bash script, followed by the location of your private key and certificate.

changecert.sh /var/spool/asterisk/tmp/private.key /var/spool/asterisk/tmp/certificate_chain.crt
  1. After the script has finished running the new private key and certifictae would have been installed.

  2. If the script returns any error, please copy the error and raise a ticket with IPCortex Support via the partner portal.

Troubleshooting

  • If your certificate authority has provided your certificate in a password secured PFX you’ll need to extract the certificate using the following command:
openssl pkcs12 -in yourfile.pfx -clcerts -nokeys -out drlive.crt
  • If your private key is also stored in the PFX run the following command:
openssl pkcs12 -in yourfile.pfx -nocerts -out drlive.key
  • If your private key requires decrypting run the following command:
openssl rsa -in drlive.key -out drlive-decrypted.key
  • Note the above assumes you have OpenSSL installed on your local machine.