The Certificate Management module is used to manage certificates on your FreePBX server.
On first login to your PBX a default self-signed certificate will have been created for you.
To add a new certificate click this button and select from one of the three drop downs.
Let's Encrypt Certificates are completely 100% free certificates that are generated via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites. Your PBX implements this same automated process.
This process requires port 80 access to your PBX from outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org and mirror2.freepbx.org. Using System Admin, Port Management, configure either the Admin interface or UCP to respond on port 80.
If you have the Commercial (Full) Sysadmin module, you can specify that a 'LetsEncrypt Only' service listens on port 80. See the Port Management page for more information.
There are several required options to generate a Let's Encrypt Certificate
Once you are finished click "Generate Certificate". Your certificate will be added and will be automatically update approximately every 2 months
In order to view the certs to copy, you must open the TLS files using a plain text editor, and not necessarily the default application configured on the workstation.
Once you are finished click "Upload Certificate".
Self Signed Certificates are not recommended as many browsers outright reject these certificates, they can, however, be useful for internal testing
Your PBX also generates a self signed certificate on first boot
If you have previously deleted the self-signed CA when you go to create a new self-signed certificate your screen will look like this:
Otherwise the New Certificate screen will look like this:
Once you are finished click "Generate Certificate".
You can generate a CSR from your PBX to be used for the process of obtaining certificates from valid certificate authorities online
Click "Generate CSR".
After the request has processed a new button will appear on the main page of Certificate Manager which allows you you download the CSR so you can submit it to a Certificate Authority.
You can then later reference this CSR/Private Key when you upload your certificate:
You can delete the self signed certificate authority at any time by clicking the red button labeled "Delete Self-Signed CA".
A prompt will then come up warning you that all certificates that relied on this self signed certificate authority will be invalidated
Once you have deleted the self-signed CA you can then generate another one by clicking "New Certificate" then "Generate Self-Signed Certificate"
To manually import your certificates you need to drop the *.key and *.crt files into /etc/asterisk/keys. Then click the Import Locally button.
When this has finished your certificates will show up in the list of PBX certificates.
Making a certificate the 'default' changes certificate settings in Advanced Settings ONLY. It will force said certificate to be the default for options in Advanced Settings that require certificates. It will also place a standard set of the certificate and it's key into /etc/asterisk/keys/integration for use by other applications
To select a certificate as the default move you mouse over the blank/empty column in the list of certificates. A grey checkmark will appear. Click that checkmark to make it the default
After this process has completed the checkmark will turn from grey to green and stick after you move your mouse away.
After you have added at least one certificate and activated your system you will be able to select that certificate as the default that system admin should use for the Apache webserver.
Go to System Admin then click "HTTPS Setup". Next hit the "settings" tab.
Select a certificate to use from the list of certificates provided by Certificate Manager:
Then click install. When the process has completed you will see your certificate detailed under "Apache Config"