CISCO SPA112/122 with TLS on FreePBX

Using anything under TLS1.2 is considered insecure and open to exploits. You’ve had to enable older versions to make this device work and then had to generate a private signed cert. This is not the appropriate level of security.

The server certificate which I generated is version 3 and enables me to use TLS1.2 on all my extensions. This is not the self-signed certificate which I used in the second step and which was created by FreePBX. I don’t understand the point behind considering self-signed certificates useless outside a LAN.

All root certificates are self-signed!

I would say that, with proper control of how it or its fingerprint is initially distributed, a privately created root certificate is much more secure than any public one. All public ones are dependent on how thoroughly the issuer verifies the identity and ownership of the issuer of the certificate.

The main weakness for most people is that they have too many public root certificates enabled. I would expect really secure environments that aren’t completely system high would not allow any public issuers. (If they are completely system high, they will have no access to the outside world.)