How to Configure Secure SIP – TLS

This is a complete guide that provides detailed information on how to:

  1. Setup 3CX Phone System with Secure SIP (TLS). In this way, the SIP messaging will be encrypted and therefore more secure.
  2. Create certificates with Simple CA.
  3. Use Microsoft’s inbuilt importer for trusted certificates.
  4. Configure IP phones to communicate SIP securely. We’ll be using 3CXPhone for Windows, Eyebeam, and snom phones.

Prerequisites

  • Download SimpleCA from here.
  • Extract the contents of the SimpleCA zip file to “C:\SimpleCA\”. Note: due to known issues with this software, it is recommended to run the program from the root directory – in this case, the C:\ drive.
  • Make sure that the time and date on the server are correct; check the time and regional settings in your Control Panel before proceeding. Certificate validity is time-dependent, so the clock must be set correctly.

Configuring 3CX Phone System with TLS

Part 1 – Preparing Certificates and Keys for Security

  1. Run SimpleCA – Since you are running it for the first time, you will need to create a Root Certificate Authority, and SimpleCA will pop up the “Set Up Root CA” dialog.
  2. The most important field for our configuration is the “Common Name”. Set the Common Name to 3CXPHONE and click OK.
  3. A ca.crt file will be created in “C:\SimpleCA”. This is the Root CA certificate, and every TLS client (softphone or hard phone) needs it to establish a TLS connection to the PBX. Create a copy of this file and rename it to “root_cert_3CXPHONE.pem”. Keep this file handy for further use; it is used for 3CXPhone for Windows and the IP phones, as described later on.

Part 2 – Create the 3CX Phone System Server Certificate:

  1. Click on the “Server Certificates” menu and choose “New Server Certificate Request”. You are about to create a certificate which will be installed later on the specified 3CX Phone System to validate TLS requests coming to a specific network interface.
  2. Set the field Common Name to the IP address on which 3CX Phone System will listen for incoming TLS connection requests. Once done, click OK. You will be prompted to save this (unsigned) certificate.
  3. Signing a Server Certificate. Click on the “Server Certificates” menu and choose “Sign Server Certificate Request”. This will prompt you to select the certificate request to be signed – select the one you just created. SimpleCA will then display the certificate information as read-only and ask you to confirm signing.
  4. Security Confirmation – You will be prompted for the same password you used when you created the Root CA. Enter the password and click OK. SimpleCA will generate a pair of files: the signed certificate (with .cer extension) and its private key (with .key extension).
  5. Locating Security Files. Open “C:\SimpleCA\certificates”. The files we are interested in are the (.crt) and (.key) files. These are the files we need in the next step.
  6. Installing the certificate on 3CX Phone System. Open the 3CX Management Console, go to the Settings/Advanced section and click on the Security tab. Open the .crt file with a text editor, select all the content and copy & paste it into the “Certificate” text box. Open the .key file with a text editor, select all the content and copy & paste it into the “Key” field. Click the Enable Secure SIP button, followed by Apply and OK. Note: if your 3CX Phone System machine has more than one network card, the interface IP address used to generate the certificate must match the interface chosen in the Select Interface field of the Security tab, so that traffic is secured on the proper interface.
  7. Restart 3CX Phone System: go to the “Services Status” section and restart the 3CX Phone System service. At this point, 3CX Phone System is configured and ready to accept incoming TLS connections.
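The two certificate steps above, reproduced with the OpenSSL command-line tool instead of SimpleCA, as an added example that is not part of this guide or of either tool: it creates the Root CA, then the server certificate whose Common Name is the PBX IP address, and finally runs the checks worth doing before the .crt and .key are pasted into the Security tab (chain to the Root CA, not expired, CN equals the PBX address the phones will dial, key matches certificate). The address 192.168.1.20, the output directory and the function names are the example's own assumptions. It also writes the IP into a subjectAltName, which the SimpleCA flow does not, because current TLS clients match IP addresses against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not part of the 3CX guide or of SimpleCA: the same two steps
# (Root CA, then a server certificate whose CN is the PBX IP) done with
# OpenSSL, plus the checks worth running before the .crt and .key are pasted
# into the Security tab.
# Assumptions: openssl is on PATH; PBX_IP is the interface address 3CX listens
# on for TLS (192.168.1.20 below is a constructed sample); OUT is writable.
set -eu

PBX_IP="${PBX_IP:-192.168.1.20}"
OUT="${OUT:-./secure_sip}"

# Part 1 equivalent: self-signed Root CA with CN=3CXPHONE.  The certificate
# file is what the guide calls root_cert_3CXPHONE.pem; the CA key stays on
# the machine that signs server certificates and is never given to phones.
make_root_ca() {
    mkdir -p "$OUT"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=3CXPHONE" \
        -keyout "$OUT/ca.key" -out "$OUT/root_cert_3CXPHONE.pem" 2>/dev/null
}

# Part 2 equivalent: server key and request with CN = PBX IP, signed by the
# Root CA.  The IP is also written into subjectAltName because current TLS
# stacks validate IP addresses against the SAN rather than the CN.
make_server_cert() {
    printf 'subjectAltName=IP:%s\n' "$PBX_IP" > "$OUT/server_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$PBX_IP" \
        -keyout "$OUT/server.key" -out "$OUT/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 \
        -in "$OUT/server.csr" \
        -CA "$OUT/root_cert_3CXPHONE.pem" -CAkey "$OUT/ca.key" -CAcreateserial \
        -extfile "$OUT/server_ext.cnf" \
        -out "$OUT/server.crt" 2>/dev/null
}

# Checks to run before step 6 of Part 2:
#  1. the .crt chains to the Root CA the phones will be given (Part 1)
#  2. the certificate has not expired at the current system time (the
#     prerequisite about a correct date/time)
#  3. its CN is the address the phones will be pointed at (e.g. 192.168.1.20:5061)
#  4. the .key really belongs to the .crt, so 3CX does not get a mismatched pair
verify_server_cert() {
    openssl verify -CAfile "$OUT/root_cert_3CXPHONE.pem" "$OUT/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$OUT/server.crt" -noout -checkend 0 >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$OUT/server.crt" -noout -subject | sed 's/.*CN *= *//')
    [ "$cn" = "$PBX_IP" ] || return 1
    crt_pub=$(openssl x509 -in "$OUT/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$OUT/server.key" -pubout 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ] || return 1
}

# After step 7, from any host that will run a phone: confirm the PBX answers
# TLS on 5061 and that its certificate validates against the Root CA alone.
# Needs a live PBX, so it is not run automatically here.
check_pbx_tls() {
    openssl s_client -connect "$PBX_IP:5061" -CAfile "$OUT/root_cert_3CXPHONE.pem" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

case "${1:-}" in
    run)
        make_root_ca
        make_server_cert
        verify_server_cert && echo "server.crt/server.key verified; ready to paste into the Security tab"
        ;;
esac
```

Run it as `sh make_secure_sip.sh run` (or with `PBX_IP=<interface address>` set in the environment). `check_pbx_tls` is meant for after step 7, from a host on the phone network: a failure there with a certificate that passed `verify_server_cert` points at the wrong interface being selected in the Security tab or at port 5061 being blocked, rather than at the certificate itself.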

Configuring IP Phones with TLS

Configuring 3CXPhone for Windows with Secure SIP

  1. In the 3CXPhone for Windows settings, create and register a normal connection to the PBX.
  2. Right click on 3CXPhone for Windows, click on Accounts, and double click on the account you want to enable Secure SIP on. In the “My Location” section, enter the IP address of the 3CX Phone System machine, followed by the TLS port, for example 10.172.0.15:5061.
    Configuring TLS Port setting in 3CX MyPhone
  3. Click on “Advanced Settings”. Change SIP transport to TLS.
    Selecting TLS Transport in 3CX MyPhone
  4. Click on Certificates and Import. You’ll need to import the file “root_cert_3CXPHONE.pem”. This is the Root CA certificate you created in Part 1, step 3. A message box will appear stating that the certificate has been imported. Press OK and 3CXPhone for Windows will reconnect, this time using TLS.
    Import Certificate in 3CX MyPhone

Configuring Yealink Phones to use TLS

  1. Open the Yealink phone’s web interface.
  2. Go to Security > Trusted Certificates. Click the Browse button and upload the Root CA certificate root_cert_3CXPHONE.pem (created in Part 1).
  3. Go to the Account link and in the Label, Display Name and User Name fields, enter the Extension Number (e.g. 163). In the Register Name field, enter the Authentication ID (e.g. id163). In the Password field, enter the Authentication Password for the Extension (e.g. pw163), and in the SIP Server field, enter the IP address of the 3CX Phone System machine, for example 192.168.1.20. Now set the Port to 5061 and the Transport to TLS. Press Confirm at the bottom of the page.
  4. If you are using firmware x.71.x.x, you also need to go to the “Security” tab, select “Trusted Certificates” from the menu on the left, and in the CA Certificates field select “All Certificates” from the drop-down list. Press “Confirm” at the bottom of the page. The Yealink phone will reboot, register to 3CX Phone System and use TLS transport for SIP communications.

Configuring snom Phones to use TLS

  1. Open the snom phone’s web interface.
  2. Go to Setup > Trusted Certificates. Click the “Browse” button and upload the Root CA certificate root_cert_3CXPHONE.pem (created in Part 1).
  3. Go to the Setup > Identity 1 link and in the “Account” field enter the Extension Number (e.g. 107). In the Password field, enter the Authentication Password for the Extension (e.g. 107), and in the Registrar field, enter the IP address of the 3CX Phone System machine, for example 192.168.1.20.
  4. In the Outbound Proxy field, enter x.x.x.x:5061;transport=tls, where x.x.x.x is the IP address of the 3CX Phone System machine (e.g. 192.168.1.20:5061;transport=tls).
  5. In the Authentication Username field, enter the Authentication ID for the Extension (e.g. 107).
  6. Click the Save button at the bottom of the page, then click the Re-Register button at the bottom of the page. The snom phone is now registered to 3CX Phone System and will use TLS transport for SIP communications.

Configuring IP Phones with Secure RTP

Configuring Yealink Phones to Use Secure RTP

  1. Open the Yealink phone’s web interface.
  2. Go to Account > Advanced and set the option Voice Encryption (SRTP) to ON.
  3. Press Confirm at the bottom of the page. The Yealink phone will now use Secure RTP.

Configuring snom Phones to Use Secure RTP

  1. Open the snom phone’s web interface.
  2. Go to the Setup > Identity 1 link, click on RTP and set the option RTP Encryption to ON.
  3. Press Save. The snom phone will now use Secure RTP.

Configuring 3CX Phone to Use Secure RTP

  1. Go to the 3CXPhone for Windows Account page.
  2. Select the Account you require and press Edit.
  3. Click on Advanced Settings and set RTP Mode to either Allow Secure, which permits both Secure RTP and non-secure RTP, or Only Secure, which permits ONLY Secure RTP connections.
  4. Press OK until you get back to the VoIP phone main screen. 3CXPhone for Windows will now use Secure RTP.

  2. Frank

    Great tutorial. Do you know how I should install the client certificate on a Cisco SPA 504g?

    March 5, 2010 at 3:20 pm
  3. We are planning to make a blog post on this soon. However, it is not something you can do out of the box. It seems that you need an application to do this: you generate some files which you send to Cisco and, based on these files, they will send you back a certificate file.

    March 5, 2010 at 3:24 pm