Manage Certificates

The Certificate Manager handles SSL/TLS certs for Web Admin GUI (HTTPS), UCP, and TLS SIP. Free Let's Encrypt certs auto-renew. Self-signed and uploaded certs are also supported.

Before You Start

  • For Let's Encrypt: a public FQDN for UnifiedBX, with port 80 reachable from the internet (LE uses HTTP-01 challenge).
  • For uploaded certs: the cert (.crt or .pem), private key (.key), and intermediate chain.

Steps

Generate a Let's Encrypt certificate

  1. Go to System Admin → Certificate Manager.
  2. Click + New Certificate → Generate Let's Encrypt Certificate.
  3. Fill in:
    • Hostname — your public FQDN, e.g. pbx.client.com.
    • Country / State / etc. — required by LE.
    • Email — for renewal notifications.
  4. Submit.
  5. UnifiedBX requests the cert from Let's Encrypt; this takes 30-60 seconds.
  6. Once issued, set the cert as the Default Certificate so HTTPS uses it.

Generate a self-signed certificate

For internal-only PBXs without public DNS:

  1. Certificate Manager → + New Certificate → Generate Self-Signed Certificate.
  2. Fill in CN/details.
  3. Submit.

Browsers will warn (untrusted cert) — fine for internal trusted networks.

Upload a custom certificate

  1. Certificate Manager → + New Certificate → Upload Certificate.
  2. Paste cert (PEM format), private key, and chain.
  3. Submit.

Set the default cert

  1. In the cert list, click Default next to the cert you want to be the active one.
  2. Apply Config.

Use the cert for SIP TLS

  1. Certificate Manager → cert details → enable Asterisk usage.
  2. Apply Config.
  3. The cert is now usable in PJSIP transport configs (for tls transport on extensions/trunks).

Verify

# Check the active cert:
openssl s_client -connect <unifiedbx-fqdn>:443 -servername <unifiedbx-fqdn> < /dev/null | openssl x509 -noout -dates -subject -issuer

# Should show issuer=Let's Encrypt and your subject CN.

Renewal

Let's Encrypt certs auto-renew via cron 30 days before expiry. Verify:

crontab -l -u asterisk | grep -i cert
fwconsole certificates --updateall

If renewal fails, Certificate Manager shows a warning. Click Renew manually.
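
To catch a failed renewal or a forgotten Default Certificate switch before users do, the output of the Verify command can be classified by a small script. This is an added example, not part of UnifiedBX; the function names, verdict strings and sample text are assumptions, and it relies on GNU date.

```shell
RENEW_WINDOW_DAYS=30   # the page: Let's Encrypt certs renew 30 days before expiry

# cert_status NOW_EPOCH: reads `openssl x509 -noout -dates -subject -issuer`
# output on stdin and prints one verdict.
# Returns 0 for OK, 1 for a problem, 2 when the input cannot be parsed.
cert_status() {
  local now="$1" line nb="" na="" subject="" issuer="" nb_s na_s
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      notBefore=*) nb="${line#notBefore=}" ;;
      notAfter=*)  na="${line#notAfter=}" ;;
      subject=*)   subject="${line#subject=}" ;;
      issuer=*)    issuer="${line#issuer=}" ;;
    esac
  done
  # An empty string makes `date -d` return "today", so reject it first.
  if [ -z "$nb" ] || [ -z "$na" ]; then echo PARSE_ERROR; return 2; fi
  nb_s=$(date -u -d "$nb" +%s 2>/dev/null) || { echo PARSE_ERROR; return 2; }
  na_s=$(date -u -d "$na" +%s 2>/dev/null) || { echo PARSE_ERROR; return 2; }
  if [ "$now" -ge "$na_s" ]; then echo EXPIRED; return 1; fi
  if [ "$now" -lt "$nb_s" ]; then echo NOT_YET_VALID; return 1; fi
  # Subject equal to issuer: a self-signed cert is still the one being served.
  if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then
    echo SELF_SIGNED; return 1
  fi
  # Inside the renewal window: the cron renewal has not replaced the cert.
  if [ $(( na_s - now )) -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
    echo RENEWAL_OVERDUE; return 1
  fi
  echo OK
}

# check_endpoint HOST PORT: run the page's openssl command against a live
# listener (443 for the Web GUI; the page notes UCP is often on 8443).
check_endpoint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -dates -subject -issuer 2>/dev/null \
    | cert_status "$(date +%s)"
}

# Constructed sample (not captured from a real host): valid 2025-01-01 to 2025-04-01.
SAMPLE_CERT_TEXT="notBefore=Jan  1 00:00:00 2025 GMT
notAfter=Apr  1 00:00:00 2025 GMT
subject=CN = pbx.client.com
issuer=C = US, O = Let's Encrypt, CN = EXAMPLE"
```

Run check_endpoint <unifiedbx-fqdn> 443 from a monitoring job and alert on any verdict other than OK; a PARSE_ERROR usually means the TLS connection itself failed.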

Common Issues

  • LE issuance fails: "Failed to verify ownership." Port 80 not reachable from internet, or domain DNS doesn't point at this host. Test: curl -I http://<fqdn> from outside.
  • Browser still shows old cert. Apache cache; restart Apache: systemctl restart httpd.
  • Cert installs but UCP still shows insecure. UCP uses its own port (often 8443) and may need the cert applied separately in System Admin → Sysadmin → HTTPS Setup.
  • SIP TLS handshake fails. Cert not enabled for Asterisk usage, or PJSIP transport not configured for TLS. Check pjsip show transports.