I want Sangoma phones to auto-provision via HTTPS against a provisioning-server. To achieve that, I need to add the Root Certificate that has been used to derive the phone's client-cert that the phone is using to establish the HTTPS connection to the provisioning-server.
The root CA has the following issuer:
C = CA, ST = Ontario, O = Sangoma Corporation, OU = Provisioning, CN = Phone Signing Key (2016-2018), emailAddress = security(at)sangoma(dot)com
Is there any place this root cert can be downloaded?
Maybe I am missing something, but can you not just get a Free certificate from Let’s Encrypt? I am confused why you need a certificate signed by Sangoma. Of course, this is possibly true and I just don’t know the product well enough.
…let me clarify: when the Sangoma phone connects to my provisioning server using HTTPS, the server checks the certificate the phone provides when establishing the TLS connection against a set of trusted roots. As I do not currently have the root cert that has been used by Sangoma to create the provisioning client certs that are stored in each phone, I cannot make sure that the certificate chain is ok and the establishment of the TLS connection fails…
Is this a custom setup? I believe if you’re using FreePBX to generate the certificate, it adds all of the certificate chains to the certificate automatically.
Your 3rd party tool doesn't let you choose not to verify the client cert? I know some phones won't come with client certs unless you order them from an authorized reseller.
Can't you just verify the server cert? And not force to verify client cert?
…sure I can deactivate client cert checking, but that would not be secure, as anyone can fake the MAC and get the credentials to register with the sip-server…
Only if you are doing something wrong. FreePBX’s implementation of SysAdmin Pro ($25 one time per PBX) gets you the ability to use authentication for the provisioning requests.
@TobiasE I’m not able to get you an answer to this question immediately. If you want to ensure an answer from Sangoma, I would recommend opening a support case with us for this under the “Phone Hardware” category; that way the issue doesn’t get buried.
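
The check discussed in this thread, a provisioning server validating a phone's client certificate against a trusted root, shown as an added example that is not part of the original posts and is not Sangoma or FreePBX code. Every key, certificate and name is generated locally as a stand-in (the MAC-style CN is an assumption about how such a certificate might identify a phone), and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Constructed demo: nothing here is Sangoma's real root or a real phone cert.

# check_chain ROOT_PEM CLIENT_PEM -> prints "trusted" or "untrusted".
# This is the same chain validation a TLS server performs on a client cert.
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# make_root DIR NAME CN: self-signed root (stand-in for a vendor signing root).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Vendor/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_client DIR ROOT_NAME CLIENT_NAME CN: client cert issued by that root.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# demo: one phone cert, checked against the issuing root and an unrelated one.
demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" vendor "Phone Signing Key (demo)"
    make_root "$d" other "Unrelated Root (demo)"
    make_client "$d" vendor phone "0050c2aabbcc"   # hypothetical MAC-style CN
    echo "vendor root: $(check_chain "$d/vendor.pem" "$d/phone.pem")"
    echo "other root:  $(check_chain "$d/other.pem" "$d/phone.pem")"
    rm -rf "$d"
}

demo
```

The second line of output is the situation described in the thread: without the issuing root in the server's trust store, the phone's certificate cannot be chained and the handshake is refused.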