HTTPS protocol required the certificate to authorized the Hostname/IP. Normally, we suggest you to apply for the certificate from a qualified certification authorities, but when you install the PBX on a local net with private IP address, you can create the SSL certificates manually to avoid the unsafe link prompt when you first log in to the PBX.
Note that the error prompt will not affect the SSL security actually.
Step 1. Download and install the XCA tool
We highly recommend you to download from XCA official website, but you can also download from this link http://www.yeastar.com/download/temp/setup_xca-1.3.2.exe
Step 2. Create a CA root certification use XCA tool
- Create a new databases
input a password for this Databases.
- Create the new CA certificate under the "Certificates" tag.
Attention: 1. Please choose SHA256 or above for "Signature algorithm", or browser will still prompt that too simple Signature Algorithm.
2. after all the setting on this page, please remember click the button "Apply all"
- Input the according information under the "Subject" tag.
press the "Generate a new key" ,leave all the default setting and press "Create" button.
after the CA certification creation, the page should look like below.
- Export the CA certificate
Attention: the export format for CA certificate should be PEM(*.crt)
Step 3. Create a server certificate use XCA tool
- Make a server certificate under the "Certificates" tag.
1. Please use ca certificate for signing,
2. Choose HTTPS_server as template for new certificate.
3. Remember to click "Apply all" when this tag setup.
- Edit the "Subject" tag.
The commonName should be the PBX's IP address or domain.
- Edit the "Extension" tag
Add the IP of PBX for X509v3 Subject Alternative Name and X509v3 Issuer Alternative Name under the "Extensions" tag.
- Export the server certificate
Attention: the export format for server certificate should be PEM + key (*.pem).
Step 4. Import the certificate to PBX
The path to import the certificate: Settings -> System -> Security -> Certificate
- Import ca root certificate, and choose the type as "Trusted Certificate"
- Import server certificate, and choose the type as "PBX Certificate"
- Apply the server certificate as "HTTPS Certificate"
Step 5. Install the CA certificate in computer
Import the certificate to the folder "Trusted Root Certification Authorities".
Step 6. Testing
- Login to the PBX to see if the IP/domain shows secured.
- Check the browser certification manager to see if the CA certificate has been imported.