Getting a Valid Certificate

From Vodia PBX Wiki

Certificates are used in the system in two places. First, they are used to secure the traffic between the web browser and the web interface of the system. Second, they are used to secure the SIP traffic between the phone and the system’s signaling path.

By default the system generates its own certificate, referred to as a self-signed certificate. While this encrypts the traffic reasonably well, it does not ensure that the client is really talking to the server: it could just as well be talking to a person in the middle who merely relays the traffic. This means the traffic is effectively no longer private, and since most Internet browsers are very strict about checking certificates, the user must explicitly accept the untrusted certificate. Also, some IP phones only accept SIP traffic on connections that present valid certificates. While the user of a web browser can just click and accept the certificate, a user of a phone usually has no such choice and the connection simply fails.

Buying a Certificate

When you buy a certificate, the certificate authority must establish that you really are the one operating the server. Although the mechanisms for this differ, all services require that you pay for the service, and they rely on your web browser already being set up to trust the certificate authority. This mechanism is suitable if you are operating a public service where loading root certificates onto many clients is not an option. You usually also need to specify which IP addresses use this certificate for the service.

Making Your Own Certificate

If you have control over the clients, you can also generate your own certificates. For example, you can join the community at http://cacert.org and generate them there. You will then need to load the root certificate into every client that should talk to the snom ONE system.

There are various other sites that provide a similar service. You can also download the OpenSSL toolkit, compile your own certificate generator and set up your own trusted network. If you have already done this to secure other parts of your office infrastructure (e.g., email or VPN), you can probably reuse those certificates here.