FreePBX: SSL With Active Directory Certificate Services (AD CS)


Background

Generating certificates from internal CAs, especially AD CS, can be confusing when the target is FreePBX. In this guide we will generate an appropriate CSR, request the certificate from AD CS, and apply it to our FreePBX.

Regarding SAN DNS Fields

Subject Alternative Name (SAN) DNS fields are critical components in SSL/TLS certificates, allowing multiple domain names to be associated with a single certificate. Modern browsers have shifted towards mandating the use of SAN fields due to their flexibility and security enhancements. Specifically, even if the domain name is listed in the Common Name (CN) field of a certificate, browsers expect it to be reiterated in the SAN field for validation. This ensures clearer and more robust domain verification, preventing potential ambiguities. For platforms like FreePBX, creating a certificate with a SAN DNS field aligns with these modern standards, ensuring broader compatibility and trustworthiness. Thus, leveraging SAN fields not only meets current browser expectations but also future-proofs the certificate for evolving security requirements.

Regarding SAN DNS Fields & VoIP Phones

There have been anecdotal mentions of issues related to SAN DNS fields in certificates when used with certain phone models. These concerns primarily revolve around older phones or those with outdated firmware that might not fully support or recognize the SAN fields. However, it’s important to note that these certificates are intended for the server side, not for the phones directly. Given this, potential compatibility issues may be even less likely. Nevertheless, most modern IP phones, which interact with secure servers, are designed to comply with up-to-date SSL/TLS standards, which include recognizing and validating SAN fields. To ensure a smooth experience, it’s advisable to test the certificate on a subset of phones, especially if you have a diverse range of models and firmware versions in use. By doing so, any potential incompatibilities can be identified and addressed proactively, ensuring seamless phone provisioning and continued secure communications.

Furthermore, the adoption of SAN fields in certificates is not a fleeting trend but a reflection of the evolving landscape of internet security. Major web services, platforms, and even financial institutions rely on SAN certificates for their flexibility and robustness. If the backbone of the global internet infrastructure trusts and leans on this technology, it speaks volumes about its reliability. Given this context, integrating a SAN certificate for your FreePBX server is not just advisable, but in line with best practices followed by the world’s top digital entities. This move aligns your system with the gold standard of digital communication security.

With that being said, let’s get generating!

Generating Your CSR

Log into your FreePBX via SSH, or use any other computer with OpenSSL installed, and generate a CSR with a SAN DNS field:

openssl req -new -newkey rsa:2048 -nodes -keyout mywebsite.key -out mywebsite.csr -addext "subjectAltName = DNS:my.fqdn.com"

The -addext option requires OpenSSL 1.1.1 or newer. There are more elegant ways to combine everything into one command, but this will get you started.

  • Replace the file names in the command with your own if needed.
  • Replace the subjectAltName value with the FQDN of the server (e.g. myserver.mydomain.com).
  • When you fill out the request prompts, make sure the Common Name is also the FQDN and matches your subjectAltName (e.g. myserver.mydomain.com).

You will now have a CSR file and a Key.

Requesting Your Certificate Through AD

Use your method of choice to submit a certificate request to your AD certificate server. In this case we will be using the IIS CertSrv website.

  • Request a certificate.
  • Advanced Certificate Request
  • Choose web server template (or one you have made for this purpose) and paste the CSR you generated earlier.
  • The request should be issued automatically by the template; if it sits pending, have a CA administrator approve it.
  • Download the issued certificate in Base64-encoded format.

We now have the following certificate parts.

  • Private key from the OpenSSL request (the .key file).
  • CSR (no longer needed).
  • Certificate signed by the CA (the downloaded .cer file).

Installing The Certificate To FreePBX

  • In FreePBX, navigate to Admin > Certificate Management
  • New Certificate > Upload Certificate
  • Fill out the name and description fields. The name is what FreePBX uses in its menus.
  • CSR Reference will be NONE.
  • Private Key = The .key file you generated in your OpenSSL Request.
  • Certificate = The text from the .cer file you downloaded from AD CS.
  • Trusted Chain = Your AD CS Trusted Root certificate, or trusted certificate chain.
  • When you are done choose Generate Certificate!

Applying To FreePBX

  • Choose your newly made certificate as default in Certificate Management.
  • Navigate to Admin > System Admin (Requires System Admin Pro)
  • Choose HTTPS Setup (Requires System Admin Pro)
  • Choose the Settings Tab.
  • Choose your newly uploaded certificate from the drop down.
  • Choose Install Certificate

Now when you refresh your page you should be greeted with your new certificate. Make sure you are connecting to the server through its FQDN, and that your certificate chain is correct. If all goes well you should get green locks everywhere!
