How to use 3CX with SSL & FQDN certificates from StartSSL
Obtaining your Own SSL & FQDN Certificate with StartSSL

Introduction

StartSSL offers free SSL certificates. The downside is that the StartSSL root CA is not included in any IP phone by default. Here is a brief overview of how to get yourself a StartSSL certificate.

Getting Started with StartSSL

Go to https://www.startssl.com/Account and sign up using a valid e-mail address.

  1. Once the StartSSL e-mail arrives in your inbox, the authentication process begins. The fastest way is to let StartSSL generate a login certificate for you. Enter a password and keep a copy of it!
  2. Download the .p12 file, double-click it to open it on your PC and follow the import instructions. When asked for a password, use the same one that you chose in step 1.
  3. Close all browser windows, log in to StartSSL again and start the “Validation Wizard.”
  4. Enter the domain in which 3CX will later be running.
  5. Select a mailbox for this domain, which is taken from the “Who Is” domain registration, or alternatively validate it via a web server.
  6. Take the Verification Code from the e-mail and enter it on StartSSL.
  7. The certification will now be valid for the next 90 days.
  8. Now start the “Certificates Wizard.”
  9. Now comes the trickiest part. StartSSL needs a CSR, which you need to generate and which will cover your external domain name. To simplify this process you can download the CSR generator and simply answer 3 questions; a custom private KEY and the CSR will be issued. Get the tool from here: CSR Generator
  10. Copy the content from the “Certificate.csr” file into the StartSSL text box and make sure that the “Domain Name” correctly reflects your external 3CX domain.
  11. And that’s it, the certificate is generated. Click here to download a zip file.
  12. Within that zip file, open NginxServer.zip and copy the file inside it to the previously generated .csr and .key files.
  13. Place this in the folder with your CSR and KEY file from before and keep it safe.
  14. During 3CX installation, point the PBX to the file path of the .crt file and then to the .key file.

Installation

The certificate can be imported in one of two ways; the installer detects which one automatically from the file extension. It is the system administrator’s responsibility to obtain the required files listed below from the chosen certificate authority.

Certificate and Key File

If the installer detects a path to a file ending in .cert or .pem, it expects the path to the matching key file in the next step. There is no strict requirement for the key file's extension; it can range from .key to a simple .txt. The files should be validated beforehand.

Certificate files commonly start with the line:

-----BEGIN CERTIFICATE-----

whereas key files start with the line:

-----BEGIN PRIVATE KEY-----

Fault Detection

If the web management console does not load after the installation, check the nginx logs for SSL errors. If any mistake was made in the SSL import, an [emerg] error is written to C:\Program Files\3CX Phone System\Bin\nginx\logs\error.log, for example:

[emerg] 2568#896: PEM_read_bio_X509_AUX("C:\Program Files\3CX Phone System\Bin\nginx/conf/instance1/ol.eg.com-crt.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

