Manage TLS certificates on the PBX

Yeastar P-Series Software Edition supports the TLS protocol to secure SIP messaging. Before using TLS, you may need to upload or apply for a TLS certificate on the PBX.

Background information

With TLS protocol enabled on the PBX, a TLS certificate may be required in the following situations:
  • When the PBX acts as a server, a server certificate is required.

    If the PBX is set to verify the TLS client (PBX Settings > SIP Settings > TLS > TLS Verify Client), you need to upload a client certificate to both the PBX and the TLS client, or the TLS connection will fail. For more information, see Upload a TLS client certificate.

  • When the PBX acts as a client, whether a client certificate is required depends on the server.

    If the PBX is set to verify the TLS server (PBX Settings > SIP Settings > TLS > TLS Verify Server), you need to upload or apply for a server certificate. For more information, see Upload a TLS server certificate or Apply for a TLS server certificate.

Upload a TLS server certificate

Prerequisites
You have prepared a server certificate in .pem format.
Procedure
  1. Log in to the PBX web portal, go to Security > Security Settings > Certificates, and click Add.

    A window pops up, prompting you to select the certificate type and upload a certificate.

    Note: You can ONLY upload or apply for 3 PBX certificates in total.
  2. In the Certificate Type drop-down list, choose PBX Certificate.
  3. Select Upload certificate file, and complete the following settings.

    1. In the Please choose a certificate section, click Browse to select the desired certificate.
    2. If you want the PBX to automatically renew the certificate, select the Automatic certificate renewal checkbox, and provide the DNS provider information.
      Note: Only Let's Encrypt certificates can be automatically renewed. If the certificate is a non-Let's Encrypt certificate, the PBX will directly apply for a new Let's Encrypt certificate.
      • DNS Provider: Search and select your desired DNS provider from a list of LEGO's DNS providers.
      • Authentication Information: Add one or more required authentication parameters, and enter the corresponding value.
        Note: The authentication information varies between DNS providers. Confirm the specific parameter names before filling them in.
  4. Click Save.
Result
  • The certificate is uploaded successfully and is displayed in the Certificates list.
  • If you enable automatic certificate renewal, the system will automatically renew the certificate through the configured DNS provider 7 days before it expires.
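
A pre-upload check for the server certificate file, added here as an example and not part of Yeastar's documentation: it confirms the file is a parseable PEM certificate, reports whether the issuer looks like Let's Encrypt (which decides how automatic renewal treats it), and flags a certificate already inside the 7-day renewal window. The function name `check_pbx_cert`, its return codes, the issuer-string heuristic and the hostname check are assumptions of this example; it requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: pre-upload check for a PBX server certificate file.
# Requires the openssl command-line tool.
# Return codes (chosen for this example):
#   0 ok, 1 not a PEM certificate, 2 expires within 7 days, 3 name mismatch
check_pbx_cert() {
    cert=$1      # path to the .pem file you intend to upload
    domain=$2    # assumption: the name TLS clients use to reach the PBX

    # The upload expects .pem: require a PEM CERTIFICATE block that parses.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || return 1
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1

    # Heuristic (assumption): certificates from Let's Encrypt carry
    # "Let's Encrypt" in the issuer organization field.
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    case $issuer in
        *"Let's Encrypt"*)
            echo "issuer: Let's Encrypt, eligible for automatic renewal" ;;
        *)
            echo "issuer: other CA, auto-renewal would request a new Let's Encrypt certificate" ;;
    esac

    # Print the expiry date, then fail if it falls within the next 7 days.
    openssl x509 -in "$cert" -noout -enddate
    openssl x509 -in "$cert" -noout -checkend $((7 * 86400)) >/dev/null || return 2

    # Check that the certificate covers the name clients will connect to.
    openssl x509 -in "$cert" -noout -checkhost "$domain" |
        grep -q 'does match' || return 3
    return 0
}

# Run directly as: sh check_pbx_cert.sh <cert.pem> <domain>
if [ "$#" -eq 2 ]; then
    check_pbx_cert "$1" "$2"
fi
```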

Apply for a TLS server certificate

You can directly apply for a TLS server certificate on the PBX.
Procedure
  1. Log in to the PBX web portal, go to Security > Security Settings > Certificates, and click Add.

    A window pops up, prompting you to select the certificate type and upload a certificate.

    Note: You can ONLY upload or apply for 3 PBX certificates in total.
  2. In the Certificate Type drop-down list, choose PBX Certificate.
  3. Select Apply for certificate, and complete the following settings.

    • Issued To: Enter the domain name for which you want to apply for the certificate.
    • DNS Provider: Search and select your desired DNS provider from a list of LEGO's DNS providers.
    • Authentication Information: Add one or more required authentication parameters, and enter the corresponding value.
      Note: The authentication information varies between DNS providers. Confirm the specific parameter names before filling them in.
  4. Click Save.
Result
  • The PBX requests a domain certificate from Let's Encrypt through the configured DNS provider. The obtained certificate files are named after the domain name.
  • If the certificate application succeeds, the Application status displays "-".

Upload a TLS client certificate

Prerequisites
You have prepared a client certificate in .cer or .crt format.
Procedure
  1. Log in to the PBX web portal, go to Security > Security Settings > Certificates, and click Add.

    A window pops up, prompting you to select the certificate type and upload a certificate.

    Note: You can ONLY upload 20 trusted certificates.
  2. In the Certificate Type drop-down list, choose Trusted Certificate.
  3. Click Browse to select the desired certificate.
  4. Click Upload.
Result
The certificate is uploaded successfully and is displayed in the Certificates list.