Overview

The Certificate Management module is used to manage certificates on your FreePBX server.

Logging In

On first login to your PBX a default self-signed certificate will have been created for you.

New Certificate

To add a new certificate click this button and select from one of the three drop downs.

Generate Let's Encrypt Certificate

Let's Encrypt certificates are free certificates generated via an automated process designed to eliminate the complex manual process of creating, validating, signing, installing, and renewing certificates for secure websites. Your PBX implements this same automated process.

This process requires port 80 access to your PBX from outbound1.letsencrypt.org, outbound2.letsencrypt.org, mirror1.freepbx.org and mirror2.freepbx.org. Using System Admin, Port Management, configure either the Admin interface or UCP to respond on port 80.


If you have the Commercial (Full) Sysadmin module, you can specify that a 'LetsEncrypt Only' service listens on port 80. See the Port Management page for more information.


There are several required options to generate a Let's Encrypt certificate.

Once you are finished click "Generate Certificate". Your certificate will be added and will be automatically updated approximately every 2 months.

Upload Certificate

To view the certificates so you can copy them, open the TLS files in a plain text editor, which is not necessarily the default application configured on the workstation.


Once you are finished click "Upload Certificate".

Generate Self-Signed Certificate

Self-signed certificates are not recommended, as many browsers outright reject them. They can, however, be useful for internal testing.

Your PBX also generates a self-signed certificate on first boot.

If you have previously deleted the self-signed CA, then when you go to create a new self-signed certificate your screen will look like this:

Otherwise the New Certificate screen will look like this:

Once you are finished click "Generate Certificate".

Generate CSR (Certificate Signing Request)

You can generate a CSR from your PBX to be used in the process of obtaining certificates from valid certificate authorities online.

Click "Generate CSR".

After the request has been processed, a new button will appear on the main page of Certificate Manager which allows you to download the CSR so you can submit it to a Certificate Authority.

You can then later reference this CSR/Private Key when you upload your certificate:

Change Certificate Validity period

You can change the value of the validity period (2 years by default).
Go to the Advanced Settings menu, find the Certificate Manager part, and enter a new value (in days). E.g.: 2 years = 730 days.

Do this before generating any certificates.

Delete Self-Signed CA

You can delete the self signed certificate authority at any time by clicking the red button labeled "Delete Self-Signed CA".

A prompt will then come up warning you that all certificates that relied on this self-signed certificate authority will be invalidated.

Once you have deleted the self-signed CA you can then generate another one by clicking "New Certificate" then "Generate Self-Signed Certificate".

Import Locally

To manually import your certificates you need to drop the *.key and *.crt files into /etc/asterisk/keys. Then click the Import Locally button.

When this has finished your certificates will show up in the list of PBX certificates.
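Before clicking Import Locally, it is worth confirming that each key and certificate you dropped into the directory actually belong together. The shell function below is an added example, not part of FreePBX or the Certificate Management module; it assumes the openssl command-line tool is installed and that a pair shares one base name (name.key and name.crt), and the function name check_pair is hypothetical.

```shell
#!/bin/sh
# Added example (not FreePBX code): sanity-check a <name>.key / <name>.crt
# pair before importing it. Assumption: both files share one base name.
# Usage: check_pair <directory> <basename>   (0 = ok, 1 = problem, 2 = unreadable)
check_pair() {
    dir=$1; name=$2
    key="$dir/$name.key"; crt="$dir/$name.crt"
    rc=0

    # Both halves of the pair must be present and readable.
    for f in "$key" "$crt"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 2; }
    done

    # The certificate must carry the public half of this private key.
    # "-passin pass:" stops openssl from prompting if the key is encrypted.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: $crt is not a PEM certificate"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
        { echo "FAIL: cannot parse $key (encrypted or not PEM)"; return 2; }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK:   key matches certificate"
    else
        echo "FAIL: key does not match certificate"; rc=1
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK:   $(openssl x509 -in "$crt" -noout -enddate)"
    else
        echo "FAIL: certificate has expired"; rc=1
    fi

    # A private key accessible to "other" is exposed to every local account.
    case $(ls -ldL "$key" | cut -c8-10) in
        ---) echo "OK:   key is not accessible to other users" ;;
        *)   echo "FAIL: key is world-accessible (chmod o-rwx $key)"; rc=1 ;;
    esac
    return $rc
}

# Run directly, e.g.: sh check_pair.sh /etc/asterisk/keys mycert
if [ "$#" -ge 2 ]; then check_pair "$1" "$2"; fi
```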

Setting a default certificate

Making a certificate the 'default' changes certificate settings in Advanced Settings ONLY. It will force said certificate to be the default for options in Advanced Settings that require certificates. It will also place a standard set of the certificate and its key into /etc/asterisk/keys/integration for use by other applications.

To select a certificate as the default, move your mouse over the blank/empty column in the list of certificates. A grey checkmark will appear. Click that checkmark to make it the default.

After this process has completed the checkmark will turn from grey to green and stick after you move your mouse away.

Using a certificate with System Admin

After you have added at least one certificate and activated your system, you will be able to select that certificate as the default that System Admin should use for the Apache webserver.

Go to System Admin then click "HTTPS Setup". Next hit the "settings" tab.

Select a certificate to use from the list of certificates provided by Certificate Manager:

Then click install. When the process has completed you will see your certificate detailed under "Apache Config".