How to configure secure SIP

Pre-Requisites

  1. Download SimpleCA from:
    http://users.skynet.be/ballet/joris/SimpleCA/SimpleCA-1.0.3-win32.zip
  2. Extract the contents of the SimpleCA ZIP file to “c:\openca”

Preparing Certificates and Keys for security

  1. Run SimpleCA. Because this is the first run, you need to create a Root Certificate Authority, and SimpleCA opens the “Set Up Root CA” dialog


  2. Set up the Root Certificate Authority
    a. Select your country (example: “Cyprus”)
    b. Enter the “State or Province Name” (example: “Nicosia”)
    c. Enter the “Locality Name” (example: “Nicosia”)
    d. Enter the “Organization” (example: “3CX Ltd.”)
    e. You may leave the “Organizational Unit” blank
    f. Enter the “Common Name” (example: “3CX-CA”)
    g. Enter the “Email Address” (example: “someone@3cx.com”)
    h. Set a password – keep it safe
    i. Click on the “Ok” button
  3. Create a Server Certificate Request
    a. Select Menu Item “Server Certificates -> New Certificate Request”

    b. Select your country (example: “Cyprus”)
    c. Enter the “State or Province Name” (example: “Nicosia”)
    d. Enter the “Locality Name” (example: “Nicosia”)
    e. Enter the “Organization” (example: “3CX Ltd.”)
    f. Enter the “Organizational Unit” (example: “Telecommunications”)
    g. Enter the “Common Name” (example: “pbx.3cx.com”)
    h. Enter the “Email Address” (example: “someone@3cx.com”)
    i. Click the “Ok” button – This will display the “Save” dialog
    j. Save the Server Certificate Signing Request into “c:\openca\certificates”

  4. Sign the Server Certificate Request
    a. Select Menu item “Server Certificates -> Sign Certificate Request” – This will display the “Select CSR to sign” dialog
    b. Select the Server Certificate Signing Request file which you saved previously in “c:\openca\certificates”
    c. Click the “Open” button – This will display a dialog titled “Do you want to sign this request?”
    d. Click the “Ok” button to sign the request
    e. Enter the Root CA password and click the “Ok” button

Configure Certificates on the 3CX PhoneSystem machine

  1. Create a folder “C:\Program Files\3CX PhoneSystem\Bin\Cert”
  2. Copy the .CRT file from the folder “C:\openca\certificates\” to “c:\program files\3cx phonesystem\bin\cert”, and rename it to “domain_cert_x.x.x.x.pem”, where x.x.x.x is the LAN IP address of the PBX.
    For example, if the IP address of the PBX is 10.0.0.20, copy the file to “c:\program files\3cx phonesystem\bin\cert”, and rename it to “domain_cert_10.0.0.20.pem”.
    PLEASE NOTE the change of filename and extension
  3. Copy the .KEY file from the folder “C:\openca\certificates\” to “c:\program files\3cx phonesystem\bin\cert”, and rename it to “domain_key_x.x.x.x.pem”, where x.x.x.x is the LAN IP address of the PBX.
    For example, if the IP address of the PBX is 10.0.0.20, copy the file to “c:\program files\3cx phonesystem\bin\cert”, and rename it to “domain_key_10.0.0.20.pem”. PLEA
  4. Restart the “3CX PhoneSystem” service
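
To confirm after the restart that the TLS listener on port 5061 presents the certificate you just installed (the same file the phone is later told to trust), the following added example, which is not part of the original guide or 3CX's own tooling, compares SHA-256 fingerprints. The function names are hypothetical; the host and folder are the guide's example values.

```python
import base64, hashlib, ipaddress, os, re, socket, ssl

# Hypothetical helper names; host and folder are the guide's example values.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
CERT_DIR = r"C:\Program Files\3CX PhoneSystem\Bin\Cert"

def cert_filenames(pbx_ip):
    """Return the (cert, key) file names the guide requires for a PBX LAN IP."""
    ip = str(ipaddress.IPv4Address(pbx_ip))  # raises ValueError on a bad address
    return f"domain_cert_{ip}.pem", f"domain_key_{ip}.pem"

def pem_fingerprint(pem_text):
    """SHA-256 of the first certificate block in a PEM file.

    Any human-readable text a CA tool wrote before the block is ignored.
    """
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def served_fingerprint(host, port=5061, timeout=5.0):
    """SHA-256 of the certificate the TLS listener presents on host:port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the private CA is not in the OS trust store,
    ctx.verify_mode = ssl.CERT_NONE  # so trust is decided by the comparison below
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def listener_matches(pem_text, host, port=5061):
    """True if the listener serves exactly the certificate in pem_text."""
    return pem_fingerprint(pem_text) == served_fingerprint(host, port)

if __name__ == "__main__":
    pbx_ip = "10.0.0.20"
    cert_name, key_name = cert_filenames(pbx_ip)
    with open(os.path.join(CERT_DIR, cert_name)) as fh:
        installed = fh.read()
    if "PRIVATE KEY" in installed:
        print("warning: the cert file also contains a private key; do not upload it to phones")
    print("listener serves installed cert:", listener_matches(installed, pbx_ip))
```

A mismatch usually means the files were not renamed as described above or the service has not been restarted.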

Example: Configure a Snom Phone for Secure SIP

  1. Go to the Snom Phone’s web interface
  2. Go to the “Setup->Trusted Certificates” link
  3. Click the “Browse…” button
  4. Select the file “c:\program files\3cx phonesystem\bin\cert\domain_cert_x.x.x.x.pem” and click on “Add Certificate”
  5. Go to the “Setup->Identity 1” link
  6. In the “Account” field enter the Extension Number (Eg: “107”)
  7. In the “Password” field enter the Authentication Password for the Extension (Eg: “pw107”)
  8. In the “Registrar” field, enter the LAN IP Address of the 3CX PhoneSystem machine (Eg: “10.0.0.20”)
  9. In the “Outbound Proxy” field, enter “x.x.x.x:5061;transport=tls”, where x.x.x.x is the LAN IP Address of the 3CX PhoneSystem machine (Eg: “10.0.0.20:5061;transport=tls”)
  10. In the “Authentication Username” field, enter the Authentication ID for the Extension (Eg: “id107”)
  11. Click the “Save” button at the bottom of the page.
  12. Click the “Re-Register” button at the bottom of the page.
