How to Configure Secure SIP – TLS
On this topic
NOTE: This document is obsolete as of Version 15.5 SP3 (including hotfix).
This is a complete guide that will provide detailed information on how to:
- Setup 3CX Phone System with Secure SIP (TLS). In this way, the SIP messaging will be encrypted and therefore more secure.
- Create certificates with Simple CA.
- Use Microsoft’s inbuilt importer for trusted certificates.
- Configure IP phones to communicate SIP securely. We’ll be using 3CX app for Windows, Eyebeam, and snom phones.
- Download SimpleCA from here.
- Extract the contents of the SimpleCA zip file to “C:\SimpleCA\” Note: due to known issues with this software, it is recommended that this program runs from the root directory – in this case, the c:\ drive.
- Make sure that the time and date on the server are correct, so check time and regional settings in your Control Panel before proceeding. The certification process has a time dependency, therefore the correct time settings need to be set.
Configuring 3CX Phone System with TLS
Part 1 – Preparing Certificates and Keys for Security
- Run SimpleCA – Since you are running this for the first time, you will need to create a Root Certificate Authority, and Simple CA will pop up the “Set Up Root CA” dialog
- The most important field for our configuration is the “Common Name”. Set the Common Name to 3CXPHONE and click OK.
- A ca.crt file in “C:\SimpleCA” will be created. This is the Root CA, and it will be required by any TLS client (softphone or hard phone) to be able to establish a TLS connection to the specified PBX. Create a copy of this file and rename it to “root_cert_3CXPHONE.pem”. Keep this file handy for further use. This will be used for the 3CX app for Windows and is described later on..
Part 2 – Create the 3CX Phone System Server Certificate
- Click on the “Server Certificates” menu and choose “New Server Certificate Request”. You are about to create a certificate which will be installed later on the specified 3CX Phone System to validate TLS requests coming to a specific network interface.
- Set the field Common Name to the IP address on which 3CX Phone System will listen for incoming TLS connection requests. Once done, click OK. You will be prompted to save this (unsigned) certificate.
- Signing a Server Certificate. Click on “Server Certificates” menu and choose “Sign Server Certificate Request”. This will prompt you to select the desired certificate to be signed – select the one you just created. After that, SimpleCA will display as “read-only” the certificate information, asking you to confirm signing.
- Security Confirmation – You will be prompted to enter the same password you used when you created the Root CA. Enter a password then click OK. Simple CA will generate a pair of files, the signed certificate (with .cer extension) and its decryption key (with .key extension).
- Locating Security Files. Open “C:\SimpleCA\certificates”. The files which we are interested in are the (.crt) and (.key). These are the files we are going to need in the next step.
- Generating 3CX IP PBX Certification. Open the 3CX Management Console and click on the Settings/Advanced section and click on the security tab. Open the .crt file with a text editor. Select all the content and copy & paste it into the “Certificate” column text box. Open the .key file with a text editor, select all the content and copy & paste into the “Key” field section. Click the Enable Secure SIP button, followed by Apply and OK. Note: If your 3CX Phone System machine has more than one network card: The interface IP address used to generate the certificates must match the interface selected in the Security tab. Select Interface field so traffic is secured on the proper interface.
- Restart 3CX Phone System by clicking on “Services Status” section, and restart the 3CX Phone System service. At this point, 3CX Phone System is configured and ready to accept incoming TLS connection.
Configuring IP Phones with TLS
Configuring the 3CX app for Windows with Secure SiP
- In the 3CX app for Windows settings, create and register a normal connection to the PBX.
- Right click on 3CX app for Windows, click on Accounts, and double click on the account you want to enable secure SIP on. In the “My Location” section, enter the IP address of the 3CX Phone System machine, followed by the TLS port, for example 10.172.0.15:5061
- Click on “Advanced Settings”. Change SIP transport to TLS.
- Click on Certificates and Import. You’ll need to import the following file “root_cert_3CXPHONE.pem”. This is the file you created in Part 1, step 2. A message box will appear that the certificate has been imported. Press OK and 3CX app for Windows will reconnect this time using TLS.
Configuring Yealink Phones to use TLS
- Open Yealink’s Web interface
- Go to “Security > Trusted Certificates”. Click the “Browse” button and upload the client certificate root_cert_3CXPHONE.pem
- Go to the Account link and in the Label, Display Name and Username field, enter the Extension Number (E.g.: 163). In the Register Name field, enter the Authentication ID (E.g. id163). In the Password field, enter the Authentication Password for the Extension (e.g.: pw163) and in the SIP Server field, enter the IP address of the 3CX Phone System machine, for example 192.168.1.20. Now set the Port to 5061. Set the Transport to TLS. Press Confirm at the bottom of the page.
- If you are using Firmware x.71.x.x then you also need to go to the “Security” tab, select “Trusted Certificates” from the menu on the left, and at the CA Certificates field select “All Certificates” from the drop down list. Press “Confirm” at the bottom of the page. The Yealink phone will reboot and register to 3CX Phone System and will use TLS transport for SIP communications.
Configuring snom Phones to use TLS
- Open the snom phone’s web interface.
- Go to “Setup > Trusted Certificates”. Click the “Browse” button and upload the client certificate root_cert_3CXPHONE.pem
- Go to the Setup >Identity 1 link and in the “Account” field enter the Extension Number (E.g.: 107). In the Password field, enter the Authentication Password for the Extension (Eg: 107) and in the Registrar field, enter the IP address of the 3CX Phone System machine, for example 192.168.1.20
- In the Outbound Proxy field, enter x.x.x.x:5061;transport=tls, where x.x.x.x is the IP address of the 3CX Phone System machine (E.g.: 192.168.1.20:5061;transport=tls)
- In the Authentication Username field, enter the Authentication ID for the Extension (E.g.: 107)
- Click the Save button at the bottom of the page. Click the Re-Register button at the bottom of the page. The snom phone is now registered to 3CX Phone System and will use TLS transport for SIP communications.
Configuring IP Phones with Secure RTP
Configuring Yealink Phones to Use Secure RTP
- Open Yealink’s Web interface.
- Go to “Account > Advanced”: Set the Option Voice Encryption (SRTP) to “ON”.
- Press “Confirm” at the bottom of the Page. The Yealink phone will now use Secure RTP.
Configuring snom Phones to Use Secure RTP
- Open snom Phone’s web interface.
- Go to “Setup >Identity 1” link and click on”RTP”: Set the Option RTP Encryption to “ON”.
- Press “Save”. The snom phone will now use Secure RTP.
Configuring the 3CX app to Use Secure RTP
- Go to the 3CX app for Window’s Account Page.
- Select the Account you require and press “Edit”.
- Click on “Advanced Settings” and Set RTP Mode to: “Allow Secure”. This will allow Secure RTP and Non Secure RTP, or Only Secure. This will ONLY allow Secure RTP Connections.
- Press “OK” until you get to the VoIP phone main screen. The 3CX app for Windows will now use Secure RTP.