How to Configure Secure SIP – TLS

Ozeki Phone System supports TLS to make SIP communication secure. This guide provides detailed information on how to set up Ozeki Phone System with Secure SIP (TLS), so that SIP messaging is encrypted. You will see how to create certificates with SimpleCA and how to use Microsoft's built-in importer for trusted certificates. Finally, you will see how to configure IP phones to communicate over SIP securely.

Prerequisites

First of all, download and install Ozeki Phone System, then download and extract SimpleCA to C:\SimpleCA\. Certificates are only valid within a fixed time period, so make sure the date and time are set correctly in the Control Panel before you create or use them.

Download SimpleCA

Step 1) Creating certificates and keys

Run SimpleCA by starting the SimpleCA.exe file. You need to set up a root CA. Select your country and organization, enter the new username and password, then click OK.

Figure 1 - Set up root CA

In the Server Certificates menu choose New Server Certificate Request.

Figure 2 - New server certificate request

Enter your country, state or province name, locality name, organization, organization unit and e-mail address, and set the Common Name field to the IP address on which Ozeki Phone System will listen for incoming TLS connection requests. If you provide a domain name instead of the IP address, you must use this domain name (not the IP address) when you register your softphone to the PBX. Once done, click OK. You will be prompted to save this (unsigned) certificate.

Figure 3 - Create new server certificate request

Then give a name for the Certificate Signing Request.

Figure 4 - Save the csr file

In the Server Certificates menu choose Sign Server Certificate Request and select the previously created .csr file.

Figure 5 - Sign server certificate request

Check the given data and click OK to proceed to the next step.

Figure 6 - Click Ok

Enter the same password that you used when you created the root CA.

Figure 7 - Enter CA key password

SimpleCA will generate a pair of files: the security certificate (with .crt extension) and its private key (with .key extension). Anyone who obtains the .key file can impersonate the PBX, so store it where only the PBX administrator can read it.

Figure 8 - Created files
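Before loading the files into the PBX, it is worth confirming that the signed certificate carries the expected Common Name, is valid according to this machine's clock, and chains to your root CA. The following PowerShell check is an added example, not part of Ozeki Phone System or SimpleCA; the file locations and the expected name are assumptions to adjust, and it assumes the .crt files are in a format that .NET can load (PEM or DER).

```powershell
# Added example (not Ozeki or SimpleCA code). Paths and names are assumptions.
$caPath       = 'C:\SimpleCA\ca.crt'
$serverPath   = 'C:\SimpleCA\192.168.115.174.crt'   # assumed save location
$expectedName = '192.168.115.174'                   # value entered as Common Name

$x509   = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$ca     = $x509::new($caPath)
$server = $x509::new($serverPath)

# The Common Name must equal the address the softphone will register to.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn = $server.GetNameInfo($nameType, $false)

# The validity window is compared with this machine's clock.
$now      = Get-Date
$validNow = ($now -ge $server.NotBefore) -and ($now -le $server.NotAfter)

# Offer ca.crt as a candidate issuer. Revocation is not checked and the root
# may be absent from the Windows trust store, so the thumbprint comparison
# below is what ties the chain to this particular CA.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
$built = $chain.Build($server)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    Subject      = $server.Subject
    CommonNameOk = ($cn -eq $expectedName)
    NotBefore    = $server.NotBefore
    NotAfter     = $server.NotAfter
    ValidNow     = $validNow
    ChainsToCa   = ($built -and $top.Thumbprint -eq $ca.Thumbprint)
    ChainStatus  = ($chain.ChainStatus.Status -join ', ')
}
```

If ValidNow is false right after issuing the certificate, check the clock on the machine where SimpleCA ran and on the machine running this check.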

Step 2) Configuring Ozeki Phone System with TLS

After you have created the certificates, you need to enable TLS in your PBX settings and add the created certificates as well.

First open your PBX, then select the PBX Features menu at the top of the web page and select Preferences.

Figure 9 - Open Preferences

Now, tick the checkbox that belongs to Use TLS transport type, enter a port number in the Secure SIP Service port textbox (this is the port on which the PBX will receive secure connections) and click the OK button.

Figure 10 - Enable TLS

Now, select the TLS certificates menu on the left side of the web page, then click the Add button.

Figure 11 - Select TLS certificates

Here, you need to specify the IP address on which the certificate will be used. If the ANY ADDRESS option is selected, the certificate will be used on every network interface where no other certificate is in use. In the .crt textbox, specify the path of the previously created .crt file (e.g. 192.168.115.174.crt), and in the Private key textbox, specify the path of the .key file (e.g. 192.168.115.174.key).

Figure 12 - Select TLS certificates click Ok

Step 3) Configuring the client PC (on which the softphone is installed)

Now you need to install the CA certificate on the machine where your softphone is installed, so that the softphone trusts the certificate presented by the PBX. Open the main directory of your SimpleCA software, find the ca.crt file (not the 192.168.115.174.crt file) and double-click it.

Figure 13 - Open ca file

Click the Install Certificate... button to start importing this certificate.

Figure 14 - Click on Install Certificate

Click the Next button.

Figure 15 - Certificate import wizard

Then select Place all certificates in the following store and click the Browse button.

Figure 16 - Certificate store

In the next window, select Trusted Root Certification Authorities. Then click OK and then Next.

Figure 17 - Select the certificate you want to use

The certificate will be imported after you click the Finish button.

Figure 18 - Completing the Certificate Import Wizard

In the next window, click the Yes button to confirm the installation of this certificate.

Figure 19 - Security warning

Step 4) Configuring Bria and 00_OzekiDemoSoftphoneWPF to use TLS

In your Bria client, go to File -> Account Settings, then select an account and click Edit. On the Account tab, modify the Proxy Address. The port number should be 5061 by default.

Figure 20 - Modify proxy address

Go to the Security tab and select TLS as the signaling transport. Finally, click OK.

Figure 21 - Select signaling transport

The following figure shows how to set up 00_OzekiDemoSoftphoneWPF (http://www.voip-sip-sdk.com/) to use TLS. You need to provide the SIP account data and the IP address or domain name that you provided when you created the certificate, and you need to select the Tls transport type.

Figure 22 - Select tls transport type
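If a softphone fails to register over TLS, the PowerShell check below, run on the client PC, shows whether ca.crt is in a Trusted Root store and what Windows' own validation says about the certificate the PBX presents on its Secure SIP port. It is an added example, not part of Ozeki Phone System or Bria; the host, port and ca.crt location are assumptions to replace with your own values.

```powershell
# Added example (not Ozeki or Bria code). Host, port and path are assumptions.
$pbxHost = '192.168.115.174'    # address or domain used as Common Name
$pbxPort = 5061                 # Secure SIP Service port set in Preferences
$caPath  = 'C:\SimpleCA\ca.crt' # assumed location of ca.crt on this PC

# Is the CA certificate present in a Trusted Root store on this machine?
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caPath)
$inStore = @(Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $ca.Thumbprint).Count -gt 0

# Record what the PBX presents and the verdict of Windows' validation.
# The handshake is accepted only when there are no policy errors.
$seen = @{}
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $policyErrors)
    if ($cert) { $seen.Subject = $cert.Subject; $seen.Issuer = $cert.Issuer }
    $seen.Errors = $policyErrors
    $policyErrors -eq [System.Net.Security.SslPolicyErrors]::None
}

$tcp = [System.Net.Sockets.TcpClient]::new($pbxHost, $pbxPort)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($pbxHost)   # TLS handshake only, no SIP is sent
        $seen.Protocol = $ssl.SslProtocol
    } catch {
        $seen.Failure = $_.Exception.GetBaseException().Message
    } finally {
        $ssl.Dispose()
    }
} finally {
    $tcp.Close()
}

[pscustomobject]@{
    CaInTrustedRoot = $inStore
    Subject         = $seen.Subject
    Issuer          = $seen.Issuer
    PolicyErrors    = $seen.Errors    # None means chain and name both passed
    Protocol        = $seen.Protocol
    Failure         = $seen.Failure
}
```

RemoteCertificateChainErrors usually means the CA import in Step 3 is missing on this PC or the clock is wrong; RemoteCertificateNameMismatch means the address you connect to differs from the certificate's Common Name.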

Conclusion

In this guide, you have read how to set up TLS in your Ozeki Phone System. You have seen how to create certificates and keys, how to apply them in Ozeki PBX, and how to configure your softphone to use TLS for communication.

If you have any questions or need assistance, please contact us at info@ozekiphone.com
