How to Use OpenSSL Tool to Generate Certificate Files for Yeastar P-Series TLS Extension Registration

Contents

  • Overview
  • Generate self-signed certificate files by OpenSSL tool and generate PEM files
  • TLS relevant settings on P-Series PBX and IP phone

Overview

Applicability

  • Model: P-Series
  • Firmware version: Any

In this article, we introduce how to use the OpenSSL tool to generate certificate files for P-Series TLS extension registration, and the related settings on the P-Series PBX and an IP phone. We use the OpenSSL tool on Windows as the example; you can download it from the tool website: Free OpenSSL Tool. Linux ships the same openssl command, so the commands below work there as well.

Generate self-signed certificate files by OpenSSL tool and generate PEM files

If you already have the signed certificate files and the required PEM files, you can skip this section. If this is new to you, the following figure shows how the files relate to each other:

[Figure: relationship between the CA key and certificate, the device keys, CSRs and signed certificates, and the merged PEM files]

The TLS (SSL) role is relative to the connection. In this article, the P-Series PBX is the server and the IP phone is the client.


1. Generate the CA certificate files, which are used to issue certificate files for the P-Series PBX and the IP phone.

Open the Command Prompt (cmd) as administrator.

[Figure: Command Prompt opened as administrator]

Change to the OpenSSL tool path according to your installation:

C:\WINDOWS\system32>cd C:\Program Files\OpenSSL-Win64\bin
C:\Program Files\OpenSSL-Win64\bin>


1.1 Generate the CA key with the following command:

C:\Program Files\OpenSSL-Win64\bin>openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.........................+++++
..........+++++
e is 65537 (0x010001)

1.2 Generate the CA certificate with the following command.

Note: The prompts ask for the Distinguished Name fields; the values shown after the prompts below (CN, FJ, XM, YS, Yeastar) are the fields recommended to be filled in.

C:\Program Files\OpenSSL-Win64\bin>openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:FJ
Locality Name (eg, city) []:XM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Yeastar
Email Address []:


2. Generate a private key and a signed certificate for P-Series.

2.1 Generate a private key for the P-Series PBX with the following command:

C:\Program Files\OpenSSL-Win64\bin>
C:\Program Files\OpenSSL-Win64\bin>openssl genrsa -out pbx.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
........+++++
.+++++
e is 65537 (0x010001)

2.2 Generate a CSR (Certificate Signing Request) file, from which the signed certificate is issued, with the following command.

Note: The Common Name must be the IP address or domain name of the device. Because we test in a local network, the Common Name here is the IP address of the PBX. When repeating this procedure for the IP phone, use the IP phone's IP address instead.

C:\Program Files\OpenSSL-Win64\bin>openssl req -new -key pbx.key -out pbx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:FJ
Locality Name (eg, city) []:XM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:192.168.8.237
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ys123456
An optional company name []:

2.3 Use the CA certificate, CA key, CSR file, and private key to sign a certificate for P-Series.

C:\Program Files\OpenSSL-Win64\bin>openssl x509 -days 365 -CA ca.crt -CAkey ca.key -req -CAcreateserial -CAserial ca.srl -in pbx.csr -out pbx.crt
Signature ok
subject=C = CN, ST = FJ, L = XM, O = YS, CN = 192.168.8.237
Getting CA Private Key

2.4 Generate a PEM file for the P-Series PBX to use.

To get the PEM file, use a text editor such as Notepad to merge the PBX certificate (pbx.crt) and the PBX private key (pbx.key) into a single file, and save it with the .pem extension, for example pbx.pem. The certificate content must come first, followed by the private key.

[Figure: pbx.pem in Notepad, with the certificate block above the private key block]


3. Generate a private key and a signed certificate for the IP phone.

Do the same thing as step 2 to generate the certificate files for the IP phone.


C:\Program Files\OpenSSL-Win64\bin>openssl genrsa -out phone.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..............................+++++
.......................+++++
e is 65537 (0x010001)

C:\Program Files\OpenSSL-Win64\bin>openssl req -new -key phone.key -out phone.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:FJ
Locality Name (eg, city) []:XM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:192.168.8.36
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ys123456
An optional company name []:

C:\Program Files\OpenSSL-Win64\bin>
C:\Program Files\OpenSSL-Win64\bin>openssl x509 -days 365 -CA ca.crt -CAkey ca.key -req -CAcreateserial -CAserial ca.srl -in phone.csr -out phone.crt
Signature ok
subject=C = CN, ST = FJ, L = XM, O = YS, CN = 192.168.8.36
Getting CA Private Key

C:\Program Files\OpenSSL-Win64\bin>

Finally, generate a PEM file for the IP phone in the same way (phone certificate first, then phone private key), for example phone.pem.
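The whole procedure above as one non-interactive script. This is an added example, not part of the Yeastar article or the Yeastar product; it assumes only the openssl command and writes the same files (ca.key, ca.crt, pbx.key/csr/crt/pem, phone.key/csr/crt/pem) into the current directory. The function names are this example's own. It deliberately departs from the article's commands in three places, each marked in the comments: keys are 2048 bits rather than 1024, since many current TLS stacks reject shorter RSA keys; the DN is passed with -subj instead of typed at the prompts; and each device certificate also carries its IP address in a subjectAltName, because most current TLS implementations match the address against the SAN rather than the Common Name. It also adds the two checks worth running before uploading anything: that each device certificate verifies against ca.crt, and that each PEM file has the certificate above the key.

```shell
#!/bin/sh
# Added example, not from the Yeastar article: the certificate procedure as
# one script. Deliberate differences from the article's commands are marked.
set -eu

DN_BASE="/C=CN/ST=FJ/L=XM/O=YS"   # the same DN fields the article fills in

# Step 1: CA private key and self-signed CA certificate (ca.key, ca.crt).
# Difference: 2048-bit keys instead of the article's 1024-bit keys.
make_ca() {
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
      -subj "$DN_BASE/CN=Yeastar"
}

# Steps 2.1-2.3 / 3: key, CSR and CA-signed certificate for one device.
# $1 is the file prefix (pbx, phone), $2 the device IP used as CN and SAN.
make_leaf() {
  name=$1; ip=$2
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -out "$name.csr" -subj "$DN_BASE/CN=$ip"
  # Difference: extensions the interactive flow cannot add. The IP SAN is what
  # current TLS stacks match against; CA:FALSE keeps a device key from being
  # usable to sign further certificates.
  printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\n' "$ip" > "$name.ext"
  openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
      -in "$name.csr" -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# Step 2.4: the PEM file the PBX/phone import is certificate first, then key.
make_pem() {
  cat "$1.crt" "$1.key" > "$1.pem"
}

# Check that a PEM file has the order the article requires: the first PEM
# block must be the certificate and a private-key block must follow it.
pem_order_ok() {
  first=$(grep -e '-----BEGIN' "$1" | head -n 1)
  [ "$first" = '-----BEGIN CERTIFICATE-----' ] || return 1
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Confirm a device certificate chains to ca.crt (what the peer will check).
verify_leaf() {
  openssl verify -CAfile ca.crt "$1.crt" >/dev/null
}

# Confirm the certificate carries the device IP in its subjectAltName.
cert_has_ip() {
  openssl x509 -in "$1.crt" -noout -text | grep -q "IP Address:$2"
}

main() {
  make_ca
  make_leaf pbx "$1"
  make_leaf phone "$2"
  make_pem pbx
  make_pem phone
  for dev in pbx phone; do
    verify_leaf "$dev"
    cert_has_ip "$dev" "$([ "$dev" = pbx ] && echo "$1" || echo "$2")"
    pem_order_ok "$dev.pem"
    echo "$dev: certificate chains to ca.crt, $dev.pem is in the right order"
  done
}

# Usage: sh gen_tls_files.sh <PBX IP> <phone IP>
# e.g.   sh gen_tls_files.sh 192.168.8.237 192.168.8.36
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

Run it from an empty directory with the PBX IP first and the phone IP second; the only value it changes on purpose from the article is the key size on the two genrsa lines, so if you must keep the article's size you change those two lines and nothing else. The order check is pure text processing and works on a PEM file assembled by hand in Notepad as well.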

TLS relevant settings on P-Series PBX and IP phone

TLS can be configured with one-way authentication, two-way (mutual) authentication, or no certificate authentication. The following rules show which files each side needs in each case:

If the PBX verifies the IP phone (PBX acts as the client role):
  • PBX needs the CA certificate file - ca.crt.
  • IP phone needs the PEM file - phone.pem (IP phone certificate + IP phone private key).

If the IP phone verifies the PBX (phone acts as the client role):
  • IP phone needs the CA certificate file - ca.crt.
  • PBX needs the PEM file - pbx.pem (PBX certificate + PBX private key).

If neither party verifies the other:
  • No certificate files need to be uploaded.
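The three cases above can be exercised on a lab machine before anything is changed on the PBX, using only the openssl command: an openssl s_server on a local port stands in for the PBX and openssl s_client stands in for the IP phone. This is an added example, not Yeastar's code or documentation; it assumes ca.crt, pbx.pem and phone.pem from the previous section are in the current directory, and the function names and scenario labels are this example's own. Each scenario prints ok when the handshake completes under the stated rule and refused when it does not, so the expected matrix is: correct ca.crt ok, wrong trust file refused, PBX requiring a phone certificate ok with phone.pem and refused without it, no verification ok.

```shell
#!/bin/sh
# Added example, not from the Yeastar article: the trust directions from the
# rules above, reproduced locally. s_server stands in for the PBX, s_client
# for the IP phone. Assumes ca.crt, pbx.pem and phone.pem (certificate, then
# key) are in the working directory.
set -u

# Start the stand-in PBX on port $2. Mode $1:
#   plain  - presents pbx.pem, never asks the phone for a certificate
#   mutual - presents pbx.pem and refuses a phone without a certificate that
#            chains to ca.crt (-Verify requires a client certificate)
# TLS 1.2 is forced so that a rejected phone certificate fails inside the
# handshake; in TLS 1.3 the client only learns of the rejection on its first
# read, which would make the result timing dependent. The listener exits after
# one connection (-naccept 1) or, at the latest, when the sleep pipe closes.
start_pbx() {
  mode=$1; port=$2
  verify_opt=""
  [ "$mode" = mutual ] && verify_opt="-Verify 1"
  # $verify_opt is left unquoted on purpose so it splits into two words
  ( sleep 10 | openssl s_server -accept "$port" -tls1_2 -naccept 1 \
        -cert pbx.pem -key pbx.pem -CAfile ca.crt $verify_opt ) >/dev/null 2>&1 &
  echo $!
  sleep 1
}

# Connect as the stand-in phone: $1 host, $2 port, $3 trust file the phone
# checks the PBX against ("" = the phone does not verify the PBX), $4 optional
# phone PEM (certificate + key) to present. Exit status 0 means the handshake
# completed under those rules. s_client checks only that the chain ends at
# $3; a real phone additionally matches the PBX address against the CN/SAN.
phone_connect() {
  host=$1; port=$2; trust=$3; pem=${4:-}
  opts=""
  [ -n "$trust" ] && opts="-CAfile $trust -verify_return_error"
  [ -n "$pem" ] && opts="$opts -cert $pem -key $pem"
  # $opts is left unquoted on purpose so it splits into words
  openssl s_client -connect "$host:$port" $opts </dev/null >/dev/null 2>&1
}

# Run one scenario and print its outcome: "ok" or "refused".
scenario() {
  mode=$1; port=$2; trust=$3; pem=${4:-}
  pid=$(start_pbx "$mode" "$port")
  if phone_connect 127.0.0.1 "$port" "$trust" "$pem"; then
    result=ok
  else
    result=refused
  fi
  kill "$pid" 2>/dev/null || true
  echo "$result"
}

# The matrix behind the rules above. Each scenario gets its own port so a
# socket still closing from the previous one cannot interfere.
main() {
  base=$1
  printf '%-44s %s\n' "phone verifies PBX, correct ca.crt:"      "$(scenario plain  "$base"       ca.crt)"
  printf '%-44s %s\n' "phone verifies PBX, wrong trust file:"    "$(scenario plain  $((base + 1)) phone.pem)"
  printf '%-44s %s\n' "PBX verifies phone, phone has phone.pem:" "$(scenario mutual $((base + 2)) ca.crt phone.pem)"
  printf '%-44s %s\n' "PBX verifies phone, phone has no cert:"   "$(scenario mutual $((base + 3)) ca.crt)"
  printf '%-44s %s\n' "neither side verifies:"                   "$(scenario plain  $((base + 4)) "")"
}

# Usage: sh tls_trust_matrix.sh 15061   (run from the directory holding the files)
if [ "$#" -eq 1 ]; then
  main "$1"
fi
```

Two caveats when reading the results: s_client only checks that the PBX's chain ends at the given trust file, whereas the phone also matches the PBX's IP or name against the certificate, so a certificate that passes here can still be rejected by a phone if its Common Name or SAN is wrong; and the stand-in forces TLS 1.2 purely to make the "no phone certificate" case fail inside the handshake, it says nothing about which TLS version the PBX and phone negotiate.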

 

1. TLS Settings on P-Series PBX

1.1 First, upload the certificate files.

  • Upload the CA certificate as Trusted Certificate
  • Upload the PBX PEM file as PBX Certificate

The CA certificate file is necessary.

The PBX certificate (PEM file) is needed if the IP phone has to verify the PBX.

[Figure: certificate upload page on the P-Series PBX]

1.2 TLS Settings.

This setting can be a little confusing. See the recommendation:

1) IP phone verifies the PBX's certificate

  • TLS Verify Client: check this option if you need the PBX to send its certificate to the IP phone so that the phone can verify it. The PBX's relative role is the server.
  • TLS Certificate: needed if the IP phone has to verify the PBX. If not needed, leave it as None.

2) PBX verifies the IP phone's certificate

  • TLS Verify Server: check this option if you need the PBX to verify the IP phone's certificate.

3) TLS Connection Method: choose as needed.

[Figure: TLS settings page on the P-Series PBX]

1.3 Extension TLS Settings.

Switch the transport to TLS. This setting must be configured for each extension individually.

[Figure: extension transport set to TLS]


2. TLS Settings on the IP phone.

Here we take a Yealink T33G as an example.

2.1 Account Settings

[Figure: Yealink T33G account settings]

2.2 Trusted Certificates Settings.

See the comments in the following figure:

[Figure: Yealink T33G trusted certificates settings, with comments]

2.3 Server Certificates Settings.

See the comments in the following figure:

[Figure: Yealink T33G server certificates settings, with comments]
