Change Yealink template to only accept trusted certificate

Discussion in 'Ideas' started by Redouane S, Dec 20, 2017.

  1. Redouane S

    Change the default Yealink template to accept only trusted certificates.

    We have a Gandi SSL certificate, but it's not trusted by Yealink, so we have some problems accessing the remote phonebook and provisioning phones over the SBC. Even if we disable the option, it works for one day; then the phone goes to the server and takes the configuration. We know that we can make a copy of the template, but it is too difficult to provision all the phones and enter the information manually.

    Thanks
     
  2. Justin Goold

    Hi,

    Yealink phones have a limited number of trusted root certs installed by default; see pages 18/19/20 of the Yealink doc:

    http://download.support.yealink.com... Certificates on Yealink IP Phones_V81_20.pdf

    There is not really anything 3CX can do about this, as this is factory set by Yealink, short of changing the default template to turn off the requirement for trusted certs.


    We found a few ways round this limitation.

    1. Modify the phone template to disable the trusted cert setting. We did not like this, as if the phone is reset we would require a reconfig from the web page, and I don't like the idea of turning off any security setting, so we did not pursue this.

    2. Import the intermediate cert onto the handset. (In our case the intermediate cert had one of the trusted root certs above it, and therefore the cert on our 3CX server was trusted.) The limitation with this is that if the handset is hard reset, or for a new handset, you require access to the handset's web interface to re-import the cert. I had a look at Gandi SSL, and the trusted root for your cert is not on the Yealink trusted root list, so this would not work for you. At a guess you would also have to import your root cert as well, so when your 3CX system presents its cert it can reference this back through the intermediate cert to the root.

    3. This is the option we ended up with.
    Our cert's trusted root was on the preinstalled list from Yealink (RapidSSL).
    When we set up the phone system we just used the cert exported from IIS, which only had the cert in it without the intermediate or root certs, and this was not trusted by the remote handsets.

    We installed the full cert chain on the 3CX server so that remote Yealink phones trusted our PBX straight out of the box, and we have not had any problems provisioning since.

    In our case this was a process of exporting the cert from the Certificates MMC snap-in, selecting the tick box for including the full chain, to a PFX.
    see
    https://technet.microsoft.com/en-us/library/cc730988(v=ws.11).aspx

    Convert the PFX to the key and cert PEM files that 3CX needs.

    Hint: use the commands
    # no -clcerts here: -clcerts writes out only the leaf cert and drops the intermediate/root certs the PFX carries
    openssl pkcs12 -in domain.pfx -nokeys -out domain-crt.pem
    # private key, written unencrypted (-nodes)
    openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain-key.pem

    Then substitute the certs in 3CX:
    https://www.3cx.com/docs/renewing-ssl-certificate/

    Given that your cert's root is not on Yealink's trusted root list, this would not work for you unless you get a new cert (you can do this as long as your 3CX keeps the same FQDN).

    It did take me a bit of time to work this out, so the 3CX documentation on this could be better!
     
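The procedure in the post above (export a PFX that carries the whole chain, pull the PEM files out with openssl, verify the phones now trust the PBX), as an added, self-contained example that is not code from the thread or from 3CX/Yealink. It builds a throwaway root -> intermediate -> leaf chain with OpenSSL so it runs offline; the root stands in for one of Yealink's preinstalled roots, and "openssl verify -CAfile root.crt" stands in for a phone that trusts only that root. The names (pbx.example.com, "Example Root CA", the PFX password changeit) are placeholders. It also shows why -clcerts is the wrong switch here: it exports only the leaf certificate, which is exactly the "cert exported from IIS without the intermediate" situation the post started from.

```shell
#!/bin/sh
# Added example (not from the thread): build a root -> intermediate -> leaf chain,
# pack it into a PFX the way the MMC "include all certificates" export does, extract
# the PEM files with and without -clcerts, and check what a client that trusts only
# the root (the phone) makes of each result. All names/passwords are placeholders.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Extension profiles for the CA certs and for the PBX (leaf) cert.
cat > ext.cnf <<'EOF'
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:pbx.example.com
EOF

# newcsr <name> <CN>: fresh RSA key plus CSR.
newcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# Root CA (plays the role of a root on the phone's preinstalled list).
newcsr root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile ext.cnf -extensions ca_ext -out root.crt >/dev/null 2>&1

# Intermediate CA signed by the root; PBX cert signed by the intermediate.
newcsr inter "Example Intermediate CA"
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -extfile ext.cnf -extensions ca_ext -out inter.crt >/dev/null 2>&1
newcsr pbx "pbx.example.com"
openssl x509 -req -in pbx.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 \
  -extfile ext.cnf -extensions leaf_ext -out pbx.crt >/dev/null 2>&1

# PFX holding key + leaf + intermediate + root, like the MMC full-chain export.
cat inter.crt root.crt > chain.pem
openssl pkcs12 -export -inkey pbx.key -in pbx.crt -certfile chain.pem \
  -passout pass:changeit -out domain.pfx

# Extraction: -clcerts keeps only the leaf; without it every cert in the PFX comes out.
openssl pkcs12 -in domain.pfx -passin pass:changeit -clcerts -nokeys -out leaf-only.pem
openssl pkcs12 -in domain.pfx -passin pass:changeit -nokeys -out full-chain.pem
openssl pkcs12 -in domain.pfx -passin pass:changeit -nocerts -nodes -out domain-key.pem

# Number of certificates in a PEM file.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Model of the phone: trust store = root.crt only. $1 is the PBX leaf cert,
# $2 (optional) the extra certs the PBX sends alongside it. Exit status = verdict.
phone_trusts() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
  fi
}

echo "leaf-only.pem: $(cert_count leaf-only.pem) cert(s); full-chain.pem: $(cert_count full-chain.pem) cert(s)"
if phone_trusts pbx.crt; then echo "leaf alone: trusted"; else echo "leaf alone: NOT trusted (issuer unknown to the phone)"; fi
if phone_trusts pbx.crt full-chain.pem; then echo "leaf + chain: trusted"; else echo "leaf + chain: NOT trusted"; fi
```

The file produced without -clcerts is the one to give the PBX; openssl prefixes each certificate with "Bag Attributes" lines and does not guarantee that the leaf comes first, so check the order (openssl x509 -noout -subject on each block) and put the server certificate first, followed by the intermediate, before uploading. The phone-side check is the same whether the real root is RapidSSL, Let's Encrypt or anything else on Yealink's list: the PBX must present every certificate between its own and that root.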
  3. us1
    Switch to Let's Encrypt certificates. They're supported by Yealink and cost nothing.