The Certificate Management module is used to manage certificates on your FreePBX server.
- From the top menu click Admin
- In the drop down click Certificate Management
On first login to your PBX a default self-signed certificate will have been created for you.
To add a new certificate click this button and select from one of the three drop downs.
Generate Let's Encrypt Certificate
Let's Encrypt Certificates are completely 100% free certificates that are generated via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites. Your PBX implements this same automated process.
This process requires port 80 access to your PBX from outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org and mirror2.freepbx.org. Using System Admin, Port Management, configure either the Admin interface or UCP to respond on port 80.
If you have the Commercial (Full) Sysadmin module, you can specify that a 'LetsEncrypt Only' service listens on port 80. See the Port Management page for more information.
There are several required options to generate a Let's Encrypt Certificate
- Certificate Host Name: The hostname you want to use for your certificate. This must be a fully qualified domain name that points back to your PBX.
- Owners Email: Your email address. This email is provided to Let's Encrypt to send you important information about your certificate
- Challenge Over: The only option here is HTTP (Port 80). The port can NOT be changed.
- Country: The country where you are located
- State/Province/Region: The state/Province where you are located
Once you are finished click "Generate Certificate". Your certificate will be added and will be automatically update approximately every 2 months
- Name: Certificate Name. Usually the hast name
- Description: Certificate description
- Passphrase:The Passphrase of the Private Key. This will be used to decrypt the private key and the certificate. They will be stored unpassworded on the system to prevent service disruptions.
- CSR Reference:Certificate Signing Request to reference. If 'None' is selected then you will be able to upload your own private key
- Private Key: Paste your private key here
- Certificate: Paste your certificate here
- Trusted Chain: Paste your trusted chain here
In order to view the certs to copy, you must open the TLS files using a plain text editor, and not necessarily the default application configured on the workstation.
Once you are finished click "Upload Certificate".
Generate Self-Signed Certificate
Self Signed Certificates are not recommended as many browsers outright reject these certificates, they can, however, be useful for internal testing
Your PBX also generates a self signed certificate on first boot
If you have previously deleted the self-signed CA when you go to create a new self-signed certificate your screen will look like this:
- Host Name: The hostname of the system. Should be a fully qualified domain name
- Description: Description of this certificate
- Organization Name: Organization name, Used in the Certificate Authority generation process
Otherwise the New Certificate screen will look like this:
- Host Name:The hostname of the system. Should be a fully qualified domain name
- Description: The description of the certificate
- Certificate Authority: The Certificate Authority that will generate this certificate. You can delete the CA from this page as well by clicking this icon
Once you are finished click "Generate Certificate".
Generate CSR (Certificate Signing Request)
You can generate a CSR from your PBX to be used for the process of obtaining certificates from valid certificate authorities online
- Name: The name of this CSR
- Common Name (CN): The common name (also known as hostname)
- Organization Name (O): Organization Name such as Sangoma Technologies, Inc.
- Organization Unit (OU): Organizational Unit. This can be a doing business as (DBA) name, or the name of a department within the business. This may be left blank.
- Country (C): Two letter country code, such as "US", "CA", or "AU".
- State/Province (ST): State or province such as "Queensland" or "Wisconsin" or "Ontario." Do not abbreviate. Enter the full name.
- City of Locality (L): City name such as "Toronto" or "Brisbane." Do not abbreviate. For example, enter "Saint Louis" not "St. Louis"
Click "Generate CSR".
After the request has processed a new button will appear on the main page of Certificate Manager which allows you you download the CSR so you can submit it to a Certificate Authority.
You can then later reference this CSR/Private Key when you upload your certificate:
Change Certificate Validity period
You can change the value of the validity period (2 years by default).
Go to Advanced Settings menu and Certificate Manager partand enter a new value (in days). E.g: 2 years = 730 days.
Delete Self-Signed CA
You can delete the self signed certificate authority at any time by clicking the red button labeled "Delete Self-Signed CA".
A prompt will then come up warning you that all certificates that relied on this self signed certificate authority will be invalidated
Once you have deleted the self-signed CA you can then generate another one by clicking "New Certificate" then "Generate Self-Signed Certificate"
To manually import your certificates you need to drop the *.key and *.crt files into /etc/asterisk/keys. Then click the Import Locally button.
When this has finished your certificates will show up in the list of PBX certificates.
Setting a default certificate
Making a certificate the 'default' changes certificate settings in Advanced Settings ONLY. It will force said certificate to be the default for options in Advanced Settings that require certificates. It will also place a standard set of the certificate and it's key into /etc/asterisk/keys/integration for use by other applications
To select a certificate as the default move you mouse over the blank/empty column in the list of certificates. A grey checkmark will appear. Click that checkmark to make it the default
After this process has completed the checkmark will turn from grey to green and stick after you move your mouse away.
Using a certificate with System Admin
After you have added at least one certificate and activated your system you will be able to select that certificate as the default that system admin should use for the Apache webserver.
Go to System Admin then click "HTTPS Setup". Next hit the "settings" tab.
Select a certificate to use from the list of certificates provided by Certificate Manager:
Then click install. When the process has completed you will see your certificate detailed under "Apache Config"