Sangoma Root Certificate for provisioning


(Topse) #1

Hi everyone,

I want Sangoma phones to auto-provision via https against
a provisioning-server. To achieve that, I need to add the Root Certificate
that has been used to derive the phones client-cert that the phone is using
to establish the HTTPS connection to the provisioning-server.

The root CA has the following issuer:
C = CA, ST = Ontario, O = Sangoma Corporation, OU = Provisioning, CN = Phone Signing Key (2016-2018), emailAddress = security(at)sangoma(dot)com

Is there any place this root cert can be downloaded?

Tobias


(Matt Brooks) #2

Maybe I am missing something, but can you not just get a Free certificate from Let’s Encrypt? I am confused why you need a certificate signed by Sangoma. Of course, this is possibly true and I just don’t know the product well enough.


(Topse) #3

I need to add this root to my trusted certs to be able to check the sangoma devices cert against this root - of course I have my own server-cert…


(Topse) #4

…let me clarify: when the sangoma phone connects to my provisioning server using https, the
server checks the certificate the phone provides when establishing the tls-connection against
a set of trusted roots. As I do not currently have the root cert that has been used by sangoma
to create the provisioning client certs that are stored in each phone, I cannot make sure that
the certificate chain is ok and the establishment of the tls connection fails…


(Matt Brooks) #5

Is this a custom setup? I believe if you’re using FreePBX to generate the certificate, it adds all of the certificate chains to the certificate automatically.


(Topse) #6

…the provisioning server is a 3rd party tool and has nothing to do with freebpx…


(Aaron) #7

Your 3rd party tool doesnt let you choose not to verify the client cert? I know some phones wont come with client certs unless you order them from an authorized reseller.

Cant you just verify the server cert? And not force to verify client cert?


(Topse) #8

…sure I can deactivate client cert checking, but that would not be secure, as anyone can fake the mac and get the credentials to register with the sip-server…


(Jared Busch) #9

Only if you are doing something wrong. FreePBX’s implementation of SysAdmin Pro ($25 one time per PBX) gets you the ability to use authentication for the provisioning requests.

If $25 is too much, you can manually configure Apache to do it. But that will cost you way more than $25 in your time to set up.


(Jared Busch) #10

He is talking about the phones. That certificate has nothing to do with the certificates generated on the FreePBX server.


(Topse) #11

…the $25 ist not the issue - the issue is that I want to use the phone with a totally different SIP-registrar & provisioning server, not FreePBX…


(Matt Brooks) #12

@TobiasE I’m not able to get you an answer to this question immediately. If you want to ensure an answer from Sangoma, I would recommend opening a support case with us for this under the “Phone Hardware” category that way the issue doesn’t get buried.

https://wiki.freepbx.org/display/FPAS/How+To+Open+A+Support+Ticket


(system) closed #13

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.