• V20: 3CX Re-engineered. Get V20 for increased security, better call management, a new admin console and Windows softphone. Learn More.

TIP: Server Certificate for 3CX TLS

Status
Not open for further replies.

Bob Denny

Customer
Joined
Feb 21, 2009
Messages
187
Reaction score
16
After searching the forum here, I saw that someone said that the common name (CN) field in the server certificate (used at the 3CX server end) must be set to the IP address of the 3CX "proxy". I didn't want to hardwire the cert to an IP... what if your IP addresses change (as mine did in a network reorg recently)? You would have to throw away that cert and pay for another, or re-gen it if you're using self-signed certs.

Turns out that the CN field can be (and probably should be) the domain name of your 3CX switch (e.g. "sip.xyz.com"), at least when using various softphones that support TLS. The only reason for using a cert that's hard-bound to an IP address is if your TLS-capable SIP phones can't be set up with a domain name for the proxy or don't use the domain name for TLS initiation.

You still need to name the cert files domain_cert_nn.nn.nn.nn.pem and domain_key_nn.nn.nn.nn.pem because 3CX does not do a reverse lookup on its own IP address to get its domain name (understandable because REV records are often wrong, and maybe the SRV records override, etc.). So if your IP changes, you have to change those file names, but at least you don't have to get/gen a whole 'nother cert!
 
Status
Not open for further replies.

Getting Started - Admin

Latest Posts

Forum statistics

Threads
141,632
Messages
748,963
Members
144,749
Latest member
leo13215464
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.