Update Certificate for Yeastar Central Management Domain Name

To ensure normal access and secure usage of Yeastar Central Management, it is essential to periodically renew the domain certificates to prevent it from expiring. This topic describes how to update certificate for Yeastar Central Management domain name on the web portal.

Note: Yeastar Central Management monitors the validity of the domain name certificate. When it comes to 30 days, 15 days and 7 days before the expiration date, or on the day, a Yeastar Central Management Domain Name Certificate Expired alarm is triggered, and the system proactively sends emails to notify the contacts added in Alarm > Notification Contacts.

Introduction

Yeastar Central Management supports two methods for domain certificate management:
  • DNS API Mode: The system automatically interacts with your DNS provider's native API to complete certificate issuance and renewal. It dynamically adds and removes DNS TXT records required for ACME challenge, handling issuance and renewal without manual intervention. This method requires you to provide API credentials for your DNS provider.

  • DNS Alias Mode: The system uses ACME delegation via CNAME record to complete certificate issuance and renewal without requiring any API credentials. You manually add a one-time, static DNS CNAME record during initial setup to delegate SSL verification authority. After that, the system handles certificate renewal automatically.

Prerequisites

Complete the following preparations based on your chosen method for domain certificate management.

Mode Prerequisite
DNS API Mode
  • The firmware version of Yeastar Central Management is 87.14.0.31 or later.
  • You have added your desired DNS provider and the API credentials in the system
  • Ensure that you have added the appropriate DNS record (A record) for your domain at your DNS provider.
  • For manual certificate update, you need to obtain the new domain name certificate, including certificate file and private key.
    Note:
    • Yeastar P-Series Cloud PBX uses NGINX as web server, so the certificate should be compatible with NGINX server.
    • RSA private key and EC private key are supported.
DNS Alias Mode
  • The firmware version of Yeastar Central Management is 87.19.0.76 or later.
  • You have added your desired DNS provider for DNS Alias mode in the system.
  • Ensure that you have added the appropriate DNS record (A record) for your domain at your DNS provider.
  • For manual certificate update, you need to obtain the new domain name certificate, including certificate file and private key.
    Note:
    • Yeastar P-Series Cloud PBX uses NGINX as web server, so the certificate should be compatible with NGINX server.
    • RSA private key and EC private key are supported.

Configure CNAME record (for DNS Alias Mode)

Note: If you use DNS API mode for domain certificate management, skip this step.
  1. Obtain the CNAME target for Yeastar Central Management domain.
    1. Log in to Yeastar Central Management, go to System > Domains > Yeastar Central Management Domain Name.
    2. In the Operations column, click .

    3. In the pop-up window, select Apply for a certificate.
    4. In the DNS Provider drop-down list, select the DNS provider you added for DNS Alias Mode.
    5. Note down the Certificate CNAME Record Name and Certificate CNAME Record Target Domain.

  2. Configure CNAME record on your DNS provider.
    1. Log in to your DNS provider's management console.
    2. Add a CNAME record for your domain name to point the validation domain names to the CNAME target domains generated by Yeastar Central Management.
      Domain Name Record Type Target Domain
      YCM Server's certificate CNAME record name

      _acme-challenge.byoi.yeastar.com

      CNAME YCM Server's certificate CNAME record target domain

      byoi.yeastar.com.cm.acme-alias.com

Update certificateProcedure

  1. Log in to Yeastar Central Management, go to System > Domains > Yeastar Central Management Domain Name.
  2. In the Operations column, click .

  3. In the pop-up window, update the certificate via either of the following methods according to your needs.
    Automatic certificate update
    You can directly apply for a new certificate on Yeastar Central Management, the system will automatically request domain certificates from Let's Encrypt via your DNS provider.

    1. Select Apply for a certificate.
    2. Select your DNS provider in the DNS Provider drop-down list.
    3. Click Confirm.
    Manual certificate update
    1. Select Upload certificate.
    2. Click Browse to select the new certificate and private key respectively.
    3. If you want the system to automatically refresh the certificate, select the checkbox of Automatically refresh the certificate, then select your DNS provider in the DNS Provider drop-down list.
      Note:
      • The system will automatically refresh the certificate 7 days before it expires using the provided DNS provider.
      • If auto-refresh is enabled but your certificate is not from Let's Encrypt, the system will automatically apply for a new one from Let's Encrypt instead.
    4. Click Confirm.
  4. Click Save.

Result

The certificate expiration date is updated to the latest one, indicating that the domain name certificate is renewed successfully.

Tip: You can verify if your SSL certificate is installed correctly by entering your server's domain name on an online SSL checker tool.