How to Configure TLS on Yeastar S-Series VoIP PBX

Introduction

Yeastar S-Series VoIP PBX supports the TLS protocol. You can set up Yeastar S-Series VoIP PBX with Secure SIP (TLS) to secure the SIP messaging.

This article provides instructions on how to configure TLS on Yeastar IPPBX and how to register a TLS extension. We tested with:

  • Yeastar S100: firmware version 30.3.0.17; IP address: 192.168.4.142
  • Yealink T46G: firmware version 28.80.0.95; IP address: 192.168.6.113

Preparing TLS Certificates and Keys

To make TLS certificates and keys, you need a tool that supports the SSL and TLS protocols. We recommend using OpenSSL on Linux. The OpenSSL software is available for free online: http://www.openssl.org/source/.

Below we give instructions on how to make certificates and keys on Windows. Download the tool here

Extract the file TLS_CA_Tool.zip and check the included files.

Before getting started, we will create a new folder to place certificates and keys for S100 IPPBX and IP phone.

Preparing Certificates and Keys for S100

Step 1. Prepare S100’s CA key: ca.crt.

  1. Double-click the ca.bat file and set a password for the ca key.
  2. Press Enter and enter each item of information for S100 step by step. The most important field is Common Name. Set the Common Name to the IP address of S100.
  3. Set a challenge password.
  4. Enter the password of the ca key.
  5. Press any key to exit.
  6. You will see a ca.crt file and a ca folder created automatically in the folder /TLS_CA_Tool.

Note: You can find another ca.crt in the folder /TLS_CA_Tool/ca/trusted/. The two files are the same.

Step 2. Prepare S100’s server certificate: asterisk.pem.

  1. Double-click server.bat.
  2. Enter the same information as you set in the S100’s ca.crt file.
  3. Enter y to confirm “Sign the certification”.
  4. Enter y to commit certification.
  5. Press any key to exit.
  6. You will see the asterisk.pem file in the folder /TLS_CA_Tool.
  7. Copy and paste the ca.crt and asterisk.pem files to the folder /Certificates/PBX, so that they are preserved if the ca key is overwritten in later steps.

Preparing Certificates and Keys for Yealink Phone

Step 1. Prepare IP phone’s CA key: ca.crt.

  1. Double-click the ca.bat file and set a password for the ca key.
  2. Press Enter and enter each item of information for the IP phone step by step. The most important field is Common Name. Set the Common Name to the IP address of the IP phone.
  3. Set a challenge password.
  4. Enter the password of the ca key.
  5. Press any key to exit.
  6. You will see a ca.crt file and a ca folder created automatically in the folder /TLS_CA_Tool.

Note: You can find another ca.crt in the folder /TLS_CA_Tool/ca/trusted/. The two files are the same.

Step 2. Prepare IP phone’s certificate: client.pem.

  1. Double-click client.bat.
  2. Enter the same information as you set in the IP phone’s ca.crt file.
  3. Enter y to confirm “Sign the certification”.
  4. Enter y to commit certification.
  5. Press any key to exit.
  6. You will see the client.pem file in the folder /TLS_CA_Tool.
  7. Copy and paste the ca.crt and client.pem files to the folder /Certificate/Phone.
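
For the OpenSSL-on-Linux route recommended above, the following added example (not part of the original article and not the contents of TLS_CA_Tool) creates a CA and a CA-signed certificate, then checks before upload that the certificate chains to ca.crt and that its Common Name matches the device address. The function names, subject fields, key size, validity period and the key-plus-certificate layout of the .pem file are assumptions; the file names and the IP address are the article's.

```shell
#!/bin/sh
# Added example. Function names, subject fields, RSA-2048, 365 days and the
# key+certificate layout of the .pem file are assumptions, not the tool's output.
umask 077   # generated private keys are readable by the owner only

# make_ca DIR CN: self-signed CA; writes DIR/ca.key and DIR/ca.crt.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_cert DIR NAME CN: key and CSR signed by DIR's CA; writes DIR/NAME.pem.
make_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/O=Example/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$1/$2.crt" 2>/dev/null &&
    cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
}

# check_cert CA_FILE CERT_FILE EXPECTED_CN: succeeds only if CERT_FILE chains to
# CA_FILE and its Common Name equals EXPECTED_CN (the device's IP or domain name).
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "FAIL: $2 is not signed by $1"; return 1; }
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$3" ] || { echo "FAIL: Common Name '$cn', expected '$3'"; return 1; }
    echo "OK: $2 chains to $1, CN=$cn"
}

# Constructed demo in a scratch directory, using the S100 address from the article.
dir=$(mktemp -d)
make_ca "$dir" "Example Lab CA"
make_cert "$dir" asterisk 192.168.4.142
check_cert "$dir/ca.crt" "$dir/asterisk.pem" 192.168.4.142
```

The same check_cert call applies to the phone's client.pem with the phone's ca.crt and IP address, which is the comparison the PBX makes when TLS Verify Client is enabled.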

Configuring S100 with TLS

Step 1. Upload the trusted certificate.

  1. Log in to the S100 web user interface and navigate to Settings > System > Security > Certificate.
  2. Click Upload, choose type as Trusted Certificate.
  3. Click Browse, choose IP phone’s ca.crt, then click Upload.

Step 2. Upload the PBX certificate.

  1. Click Upload, choose type as PBX Certificate.
  2. Click Browse, choose PBX’s asterisk.pem, then click Upload.
  3. Click Yes on the pop-up window to reboot the PBX.

Step 3. Enable TLS on S100.

  1. Navigate to Settings > PBX > General > PBX > TLS.
  2. Check the checkbox of Enable TLS.
  3. Select the asterisk.pem certificate.
  4. Check the checkbox of TLS Verify Client. S100 will then verify the IP phone’s certificate; the common name inside the CA should be the same as the phone’s IP address or domain name.
  5. Select the TLS client method.
  6. Click Save and click Yes on the pop-up window to reboot the PBX.

Step 4. Set up a TLS extension.

Go to Settings > PBX > Extensions, choose an extension and edit it, set the transport as TLS.

Configuring Yealink T46G with TLS

Step 1. Upload the trusted certificate.

  1. Log in to the Yealink web interface and navigate to Security > Trusted Certificates.
  2. Click Choose File, choose S100 PBX’s ca.crt.
  3. Click Upload. You will see the uploaded certificate on the page.

Step 2. Upload the server certificate.

  1. Navigate to Security > Server Certificates.
  2. Click Choose File, choose IP phone’s client.pem.
  3. Click Upload. You will see the uploaded certificate on the page.
  4. Set Device Certificates to Custom Certificates.
  5. Click Confirm.

Step 3. Register the TLS extension.

  1. Fill in the extension details.
  2. Choose transport as TLS.
  3. Set server port to 5061.
  4. Click Confirm and check the extension status.