ScopTEL - Certificate Manager

Certificate Pre-Requisites


Self-signed certificates are generally not supported by phone manufacturers, so check with your phone hardware vendor to see which Certificate Authorities are supported.

You will first have to use the ScopTEL Certificate Manager to create your own Certificate Signing Request (CSR) in order to purchase a signed certificate from a supported Certificate Authority.

Most Certificate Authorities will provide you with a Root Certificate and a Chained Certificate (Chained Certificates are not mandatory but are very commonplace).

Once you have the Root CA, the Certificate Chain, and a signed certificate from a supported Certificate Authority, you can use the ScopTEL Certificate Manager to create certificates for the following purposes:

Encrypting GUI communications using SSL (HTTPS)

Encrypting Phone Provisioning files during phone download using SSL (HTTPS)

Encrypting SIP signalling with SSL (TLS)

Encrypting SIP audio streams with SSL (SRTP)


Creating the CSR – Certificate Manager

Click on Add a New CSR

Fill in all the required fields

If you are purchasing a wildcard certificate, put *. in front of your domain name in the Common Name field.

Example: *.yourdomain.com

When done click on the Key Settings Tab




Key Settings

Select a Digest Algorithm supported by your IP phone’s manufacturer

It is recommended to choose a Key Size of at least 2048 bits

A passphrase is not required

Click Add when done




Download your CSR





Copy and paste your Certificate Request to your Certificate Authority when you purchase your certificate for Domain Validation.
Wait for your CA to send you the signed certificate before continuing with the import steps that follow.

You will copy and paste the Private Key data into your Server Authentication Certificate in a later step.


Import a Certificate (Root CA)


Copy and paste your CA's Root CA certificate into the text box and click Add


Give your Certificate a name

Select Import Certificate & Key = Signed Certificate

Then click on the Certificate & Key tab


Copy and paste your CA's signed certificate data into the Signed Certificate text box

Copy and paste your CSR's Private Key data into the Private Key text box

Click Add when done



Certificate Chain


Certificate Type = Intermediate and Chain Certificate

Certificate Name: Enter a name in the text field

Click on the Certificate tab

Copy and paste the Certificate Chain data you received from your CA when they issued your certificate

Click Add when done
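Before pasting the CSR, private key, signed certificate and chain into the Certificate Manager it is worth confirming that they belong together and that the chain actually validates. The script below is an added example and not ScopTEL's own tooling: it uses the openssl CLI (assumed to be installed) to check the Common Name and key size recorded in a CSR, that the private key matches the CSR and the signed certificate, and that the certificate verifies up to the Root CA with and without the intermediate chain. Because it has to run offline, it constructs its own stand-in Root CA, intermediate and server certificate in a temporary directory; with real material you would point the same functions at the files your CA sent you and the key/CSR you downloaded above.

```shell
#!/bin/sh
# Added example, not ScopTEL's own tooling: sanity-check a CSR, its private
# key, the signed certificate and the chain with the openssl CLI before
# pasting them into the Certificate Manager. Assumes the openssl command is
# installed. The root CA, intermediate and server certificate are constructed
# below in a temporary directory so the script runs offline; in practice the
# signed certificate and chain come from your Certificate Authority and the
# key/CSR are the ones you downloaded from the Certificate Manager.

WORK="$(mktemp -d)"
cd "$WORK" || exit 1

# Minimal openssl config: an (empty) DN section so 'req -subj' works on every
# OpenSSL version, plus extension profiles for CA and server certificates.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.yourdomain.com, DNS:yourdomain.com
EOF

# Constructed server key and wildcard CSR: 2048-bit RSA, SHA-256 digest,
# no passphrase, matching the Key Settings recommended above.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
openssl req -new -config demo.cnf -key server.key -sha256 \
    -subj "/O=Example Org/CN=*.yourdomain.com" -out server.csr

# Constructed stand-in CA: self-signed root, one intermediate, and the server
# certificate issued by the intermediate (short lifetimes on purpose).
openssl req -x509 -new -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 30 -keyout root.key -out root.pem \
    -subj "/O=Example Org/CN=Example Root CA" 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout inter.key \
    -subj "/O=Example Org/CN=Example Intermediate CA" -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -sha256 -days 30 -extfile demo.cnf -extensions v3_ca -out inter.pem 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -sha256 -days 30 -extfile demo.cnf -extensions v3_server -out server.pem 2>/dev/null
cp inter.pem chain.pem   # the "Intermediate and Chain Certificate" a CA sends you

# csr_cn CSR -> the Common Name the request asks for (check the wildcard here)
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# csr_key_bits CSR -> RSA key size recorded in the request
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# key_matches_csr KEY CSR -> 0 when the request was built from this private key
key_matches_csr() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# cert_matches_key CERT KEY -> 0 when the signed certificate carries the public
# key of this private key (the pair you paste into Certificate & Key together)
cert_matches_key() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# chain_ok ROOT CERT [CHAIN] -> 0 when CERT validates up to ROOT; CHAIN (the
# intermediate bundle) is supplied as untrusted helper certificates if given
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q 'OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q 'OK$'
    fi
}

echo "CSR CN: $(csr_cn server.csr), key size: $(csr_key_bits server.csr) bits"
key_matches_csr server.key server.csr && echo "private key matches CSR"
cert_matches_key server.pem server.key && echo "signed certificate matches private key"
chain_ok root.pem server.pem chain.pem && echo "certificate -> chain -> root: OK"
chain_ok root.pem server.pem || echo "without the chain the certificate does not validate"
```

The last two lines are the point of the exercise: the same server certificate validates when the intermediate is supplied and fails when it is not, which is exactly the situation a phone ends up in if the Certificate Chain is imported but not selected later on.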



Configuring the Server to Enable SSL (GUI)


Go to Server|Configuration and click on the Security (SSL) tab

Check Enable SSL (GUI)?

For the Private Key select your Certificate

For the Certificate select the same Certificate

Highlight the Certificate Chain you created earlier

Click Save

The Web server will restart once you click Save, and you will have to log in to your server again, replacing http://yourserver.com:5555/ with https://yourserver.com:5555/




Configuring the Server to use HTTPS Provisioning for your IP Phones


Go to Server|Configuration and click on the Provisioning tab

From the HTTPS Provisioning menu change the HTTP Protocol to HTTPS

Enter the LAN or WAN address specific to your server in each field (the screenshot only displays examples)

Click Save

The Web server will restart



Configuring Telephony – Channels - SIP Channel


Enable support for SIP TLS (Secure)

Select your Certificate

Highlight your Certificate Chain

Click Save

Commit your Telephony changes

Restart the Telephony Server using the Telephony Services menu



Set the Method to support your certificates.
You can query the supported methods with this command:
openssl s_client -connect <hostname/IP>:5061 -showcerts
The default Method is automatic, but some certificates may require manual configuration of the method if they do not support tlsv1_2.
In that scenario select TLS v1.2.
Save, commit, and restart Asterisk when done.



Configure the Firewall to allow 5060/udp, 5060-5061/tcp, 4569/udp and 10000-20000/udp

After editing this rule use the Network Service Manager to restart the Firewall



Configuring Telephony – Extension – Phone Options


Edit an extension's Phone Options so that it uses Transport Mode TLS, and enable SRTP encryption AES 80
Save and Commit your changes



Snom


In this example we are configuring a template and only the options needed to secure communications on the phone.

Configure the Provisioning tab to use HTTPS by putting https in the provisioning URL and by selecting the certificates you created earlier.

Then click on the Options tab when done



Options


Edit the path for the Certificate URL to include https and select the Certificates you created earlier

Then click on the Servers tab when done



Servers


Change both the Registrar Port and the Proxy Port to 5061
You must enter both the Registrar and SIP Proxy IP. If you are using IP/DNS mapping, use the dummy address.

Then click on the PBX Services tab when done


Change the GUI Protocol selection to HTTPS
In the GUI Server (hostname or IP) field enter the required IP address or Fully Qualified Host Name of the server

Click Add when done



Adding or Editing a Snom MAC address


Choose the desired Tenant

Choose the Desired Phone Model

Choose the desired Template

Enter the Phone's MAC address

Click on the Lines tab when done





Lines


Click on the Lines tab

Assign an extension to Line 1 (other lines are optional)

Enable Secure RTP (SRTP) must be checked

Only Accept SRTP (secure) calls must be checked

Enable TLS transport must be checked

Save your changes





Commit APS changes


Reboot the phone so it downloads its new configuration files after committing your changes.

Polycom


In this example we are configuring a template and only the options needed to secure communications on the phone.

Configure the Provisioning tab to use HTTPS by putting https in the provisioning URL and by selecting the certificates you created earlier.

Then click on the Lines tab




Lines


Check Enable SRTP (secure) calls?
Then click on the Servers tab


Servers


Change the SIP Transport to TLS

Change the SIP Proxy Port to 5061

Click on the PBX Services Tab when done




PBX Services


Change the GUI Protocol to use HTTPS

And edit the GUI Server (Hostname or IP) to match your required configuration.

Click Add when done

Provision MAC addresses for your Polycom phones and apply the template to each required phone

Commit Telephony changes

Commit APS changes

Reboot the phone so it can download its required configuration files



Edit the MAC address object of your Polycom phone


Select the desired Tenant

Choose the correct Phone Model from the list

Choose the Phone Template you configured with HTTPS parameters

Click on the Lines tab and assign an extension

Save your settings

Commit Telephony changes

Commit APS changes

Reboot the phone to download the configuration files




In this example we are configuring a template and only the options needed to secure communications on the phone.

Configure the Provisioning tab to use HTTPS by putting https in the provisioning and Firmware URL and by selecting the certificates you created earlier.

Then click on the Server tab




Server


Enter the IP address or IP/DNS Mapping address

Change the Registrar Port to 5061

Then click on the PBX Services tab



PBX Services


Change the GUI Protocol to use HTTPS

And edit the GUI Server (Hostname or IP) to match your required configuration.





Select the desired Tenant

Choose the correct Phone Model from the list

Choose the Phone Template you configured with HTTPS parameters

Click on the Lines tab and assign an extension




Choose Transport: TLS

Enable Voice Encryption (SRTP)

Save your settings


Applying Changes to Extensions and mac.cfg files


Commit Telephony changes

Commit APS changes

Reboot the phone to download the configuration files. You can use Tools|Telephony|Mass Phone Reboot.

If you want to force a sync of a registered Polycom phone, you can do so manually in the Asterisk CLI with this command:
sip notify polycom-check-cfg <ip address of peer>

Verifying Operation


In the Asterisk CLI

sip*CLI> sip show tcp

Address                  Transport   Type
192.168.192.191:12501    TLS         Client
192.168.192.191:11880    TLS         Server
192.168.192.6:2057       TLS         Server
192.168.192.6:2075       TLS         Server

Transport TLS confirms that the peer is configured to use TLS.
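Both checks the text relies on, the openssl s_client probe from the SIP Channel section and sip show tcp here, produce free-form output that is easy to misread. The script below is an added example and not part of the ScopTEL documentation: it wraps s_client so you can see which TLS versions the 5061 listener accepts (useful when choosing between the automatic Method and TLS v1.2), extracts the negotiated cipher, the verify return code and the served certificate chain from the output, and scans sip show tcp for any session that is not on TLS. It assumes the openssl CLI; the SAMPLE_* strings are constructed s_client and Asterisk output (the sip show tcp sample adds one non-TLS session to the lines shown above) so the parsers can be exercised without a live PBX.

```shell
#!/bin/sh
# Added example, not part of the ScopTEL documentation: read the output of
# "openssl s_client -connect host:5061 -showcerts" and "sip show tcp" and turn
# it into a pass/fail answer. Assumes the openssl CLI for the live probe; the
# SAMPLE_* strings below are constructed s_client and Asterisk output.

# tls_probe HOST PORT [VERSION_FLAG] -> raw s_client output for one handshake
# attempt, e.g. tls_probe pbx.yourdomain.com 5061 -tls1_2
tls_probe() {
    openssl s_client -connect "$1:$2" ${3:+"$3"} -showcerts </dev/null 2>&1
}

# handshake_result OUTPUT -> "<version> <cipher>" from the "New, ..., Cipher is"
# line, or FAILED when the listener refused that protocol version
handshake_result() {
    line=$(printf '%s\n' "$1" | sed -n 's/^New, \(.*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    case "$line" in
        ""|*"(NONE)"*) printf 'FAILED\n' ;;
        *) printf '%s\n' "$line" ;;
    esac
}

# verify_code OUTPUT -> the "Verify return code" number (0 means s_client could
# build a trusted chain from the certificates the server sent)
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1
}

# chain_subjects OUTPUT -> one "depth subject" line per certificate the server
# sent; a forgotten Certificate Chain shows up here as a chain of length 1
chain_subjects() {
    printf '%s\n' "$1" | sed -n 's/^ *\([0-9]\) s:/\1 /p'
}

# sip_tls_report HOST PORT -> tries each protocol version against a live
# listener (if only -tls1_2 succeeds, select TLS v1.2 as the Method)
sip_tls_report() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(tls_probe "$1" "$2" "$flag")
        printf '%-8s %s\n' "$flag" "$(handshake_result "$out")"
    done
}

# non_tls_sessions SIP_SHOW_TCP -> rows of "sip show tcp" whose Transport is not
# TLS (any peer listed here is still signalling in the clear)
non_tls_sessions() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 && $2 != "TLS" { print $1, $2, $3 }'
}

# tls_session_count SIP_SHOW_TCP -> how many sessions are on TLS
tls_session_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "TLS" { n++ } END { print n + 0 }'
}

# --- constructed samples (not captured from a real server) ------------------
SAMPLE_OK="CONNECTED(00000003)
depth=1 CN = Example Intermediate CA
verify return:1
depth=0 CN = *.yourdomain.com
verify return:1
---
Certificate chain
 0 s:CN = *.yourdomain.com
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)"

SAMPLE_REFUSED="CONNECTED(00000003)
error:ssl3_read_bytes:tlsv1 alert protocol version
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Verify return code: 0 (ok)"

SIP_SHOW_TCP="Address                 Transport  Type
192.168.192.191:12501   TLS        Client
192.168.192.191:11880   TLS        Server
192.168.192.6:2057      TLS        Server
192.168.192.6:2075      TLS        Server
192.168.192.42:5060     TCP        Server"

echo "probe: $(handshake_result "$SAMPLE_OK"), verify code $(verify_code "$SAMPLE_OK")"
chain_subjects "$SAMPLE_OK"
echo "TLS sessions: $(tls_session_count "$SIP_SHOW_TCP")"
echo "non-TLS sessions:"; non_tls_sessions "$SIP_SHOW_TCP"
```

Against a live server you would call sip_tls_report pbx.yourdomain.com 5061 and feed the output of sip show tcp to non_tls_sessions; an empty result from the latter is the condition you want, since a single TCP or UDP session means that peer's Phone Options were not switched to Transport Mode TLS.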

If you want to check the validity of your SSL certificate, use this URL:

https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp
