NOTE: The following details will still work, but a web-interface has been created to simplify this process since the document below was written. The new interface is accessed from the system - certificates page.
0- Introduction (obsolete)
HTTPS is enabled by default on the PBX interface, but this uses a self signed certificate which is regenerated each time the PBX reboots. This is somewhat helpful to increase the security of things like the admin password which will no-longer be sent in the clear over the LAN on an HTTPS session, but will cause the browser to generate a warning each time the PBX is accessed, and does not verify the authenticity of the PBX.
If you wish to use SSL extensively then it is normal to apply a certificate signed by a public CA to the PBX. In order to do this, you should first turn off automatic regeneration of certificates at reboot, by adjusting the setting in system - global - advanced to check “Prevent HTTPS certificate being regenerated each reboot”
You will then need to login to the PBX at a root prompt by SSH and perform the following steps. Please complete these carefully, and preferably whilst you are onsite with console access as it is possible to prevent the HTTP server process re-starting on the PBX if there are any errors and this will lock you out of web access:
1- Generate a new 2048 bit private key
Generating RSA private key, 2048 bit long modulus
............+++
........+++
e is 65537 (0x10001)
root@pabx:~# chmod og= /etc/ssl/private/NEWapache-pabx.key```
**2- Generate a certificate signing request (CSR)**
Note that the data you enter into the fields below may depend on the requirements of the Certificate Authority, the following is an example only, please check your CA documentation for the CSR data they require and enter the actual data for the organisation applying for the certificate:
```root@pabx:~# openssl req -new -sha256 -key /etc/ssl/private/NEWapache-pabx.key >/etc/ssl/NEWapache-pabx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Borsetshire
Locality Name (eg, city) []:Holby
Organization Name (eg, company) Internet Widgits Pty Ltd]:Acme Telephone and Spacedust Ltd
Organizational Unit Name (eg, section) []:The PBX
Common Name (eg, YOUR name) []:pbx.fully.qualified.hostname.net
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@pabx:~# cat /etc/ssl/NEWapache-pabx.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICvTCCAaUCAQAweDELMAkGA1UEBhMCR0IxGDAWBgNVBAgTD0J1Y2tpbmdoYW1z
...
aUgCPrPUrvzWOvrAId6SKvxAQtsUMy5hwAJAdMi9Qcjk
-----END CERTIFICATE REQUEST-----```
Paste the above CSR into the CA request form
**3- Install the certificate**
When you receive the certificate from the CA, backup the existing files as follows:
```root@pabx:~# mv /etc/ssl/private/apache-pabx.key /etc/ssl/private/OLDapache-pabx.key
root@pabx:~# mv /etc/ssl/certs/apache-pabx.crt /etc/ssl/certs/OLDapache-pabx.crt```
and then install the new key and certificate by pasting the received certificate file (terminate the pasted input by pressing Ctrl-D):
```root@pabx:~# mv /etc/ssl/private/NEWapache-pabx.key /etc/ssl/private/apache-pabx.key
root@pabx:~# cat >/etc/ssl/certs/apache-pabx.crt
-----BEGIN CERTIFICATE-----
MIIDPzCCAicCCQCYUL6nKNUfkjANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
...
8phFiBPprE/LVBC5hSX9GGI6O1c2L6FvJU6UiG1eWgnd0tXT/L/EoEvB+XxLR51t
86uJY4yZf95qMV7ZsPH4GRYjOQ==
-----END CERTIFICATE-----
^D```
If your certificate provider supplies you with both an identity certificate and one or more intermediate certificates then you should paste all of these certificates one after another into the above CRT file, preserving the BEGIN CERTIFICATE and END CERTIFICATE lines for each, but ensuring that there is otherwise no additional white space or other characters pasted into the file.
On completion of the above, it will be necessary to reboot the PBX in order to start connecting securely. If you wish to test the certificate without rebooting then you can do so by issuing the following command at the root prompt:
```root@pabx:~# /etc/init.d/apache2 restart```
A full reboot is however still required for all aspects of the PBX (including the API) to start using the new certificate.