TLS: Certificate from Commercial CA

Introduction

iraSwitch supports encrypted VoIP calls using TLS and SRTP. The default configuration achieves this with a self-signed certificate. This document explains how to switch from the self-signed certificate to one signed by a commercial CA.

Most commercial web server certificates should work with iraSwitch. For example, Let's Encrypt and GoDaddy DV SSL web server certificates have been tested and work with iraSwitch.

Buying and Downloading the Certificate

Generating the CSR and Private Key

Before purchasing a certificate, you will usually need to generate a private key and a CSR (Certificate Signing Request) file. You will be asked for the content of the CSR file when ordering the certificate.

First, create a folder to hold all the SSL certificate files.

mkdir /home/admin/iraswitch/
cd /home/admin/iraswitch

Then generate a private key named example.com.key and a CSR named example.com.csr.

openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

At this point you will be prompted for several pieces of information that will be included in the certificate request. The most important one is the Common Name field, which must match the name you want to use the certificate with, for example example.com, www.example.com, or (for a wildcard certificate request) *.example.com.

This will generate two files:

  • example.com.key : The private key.

  • example.com.csr : The CSR file.

Now you can purchase the certificate. You will have to copy and paste the content of the CSR file into the request for an SSL certificate. You can print the file content with the command below.

cat example.com.csr

Download Certificate

The CA will now verify that you control the domain. In the case of GoDaddy, you will receive an email as soon as your SSL certificate is issued, with a link to download it. Select Apache from the server type drop-down menu and download the zip archive. It should contain two .crt files:

  • Your SSL certificate, with a random file name (e.g. 93rfs8dhf834hts.crt)

  • The GoDaddy intermediate certificate bundle (gd_bundle-g2-g1.crt)

Rename the first one as example.com.crt and the second one as intermediate.crt.

Note: Some commercial CAs also offer to generate the CSR and private key for you on their web portal. If you use that option, make sure the bundle you download from the CA portal includes the CSR and the private key file as well as the certificates.

Removing the Passphrase from the Private Key

iraSwitch does not support passphrase-protected private keys. If your key is passphrase protected, remove the passphrase using the method below.

Removing a passphrase using OpenSSL

  1. Copy the private key file into your OpenSSL directory (or specify its path in the command below).

  2. Run this command: openssl rsa -in [original.key] -out [new.key]

  3. Enter the passphrase of the original key when asked.

  4. The output file [new.key] should now be unencrypted. To verify this, open the file in a text editor and check the headers.

Encrypted headers look like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6BD407785DD187EF
iP5FCw6WqKEcxc5MYd6...
-----END RSA PRIVATE KEY-----

Unencrypted headers look like this:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqSs...
-----END RSA PRIVATE KEY-----

Install Certificate On Server

iraSwitch requires the certificate, the intermediate certificates (if any) and the private key all combined in a single PEM file, in that order. Upload example.com.crt and intermediate.crt to the folder you created earlier.

You can use this command to create a combined file called example.com.full.pem:

cat example.com.crt intermediate.crt example.com.key > example.com.full.pem
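Before copying the combined file into place, a quick sanity check catches the three mistakes this procedure invites: a key that still carries a passphrase, a key that belongs to a different CSR, and the blocks in the wrong order. The script below is an added example, not part of this page or of iraSwitch; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# check_full_pem: pre-flight check of the combined PEM before it is copied
# to /opt/epi/fs/cert/. Added example, not part of this page or of iraSwitch;
# it assumes the openssl CLI is installed and the file was built as
# certificate, intermediate(s), then key, as described above.

check_full_pem() {
  pem="$1"
  [ -r "$pem" ] || { echo "FAIL: cannot read $pem" >&2; return 1; }

  # 1. iraSwitch cannot load passphrase-protected keys. Both the legacy
  #    "Proc-Type: 4,ENCRYPTED" header and a PKCS#8 ENCRYPTED block reveal one.
  if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$pem"; then
    echo "FAIL: private key in $pem is passphrase protected" >&2
    return 1
  fi

  # 2. Exactly one private key, at least one certificate, and the server
  #    certificate as the first block (the one openssl x509 and TLS clients see).
  keys=$(grep -c -- '^-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
  certs=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$pem" || true)
  if [ "$keys" -ne 1 ] || [ "$certs" -lt 1 ]; then
    echo "FAIL: expected 1 private key and >=1 certificate, found $keys key(s), $certs cert(s)" >&2
    return 1
  fi
  if ! head -n 1 "$pem" | grep -q -- '^-----BEGIN CERTIFICATE-----'; then
    echo "FAIL: the server certificate must be the first block in $pem" >&2
    return 1
  fi

  # 3. The key must belong to that first certificate: derive the public key
  #    from each side and compare. A key left over from an older CSR is caught here.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
  key_pub=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/p' "$pem" \
            | openssl pkey -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match the first certificate in $pem" >&2
    return 1
  fi
  echo "OK: $pem holds $certs certificate(s) and a matching unencrypted key"
}

# Stand-alone use: sh check_full_pem.sh example.com.full.pem
if [ "$#" -gt 0 ]; then
  check_full_pem "$1"
fi
```

Because the key in this file is unencrypted, keep example.com.key and example.com.full.pem readable only by the account that runs iraSwitch.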

Before copying this file into the iraSwitch cert folder, make a backup of the current certificate files.

mkdir /home/admin/iraswitch/old_cert
cp /opt/epi/fs/cert/tls.pem /opt/epi/fs/cert/dtls-srtp.pem /home/admin/iraswitch/old_cert/

Now replace the certificates:

cp example.com.full.pem /opt/epi/fs/cert/tls.pem
cp example.com.full.pem /opt/epi/fs/cert/dtls-srtp.pem

Now restart iraSwitch for the change to take effect.

sudo service iraswitch stop
sudo service iraswitch start

Verification

To verify that the new certificate is being served, use the openssl s_client tool by running the command below.

openssl s_client -connect <iraDialer hostname or IP>:5061 -tls1_2

Replace the placeholder with the actual IP address or hostname. For example, if the server IP address is 10.20.30.40, the command is:

openssl s_client -connect 10.20.30.40:5061 -tls1_2

Cross-check the issuer (CA) name and the other certificate details shown in the output.