HTTPS
- Kelli Higdon
Introduction
The Vega gateways use SSL to secure web traffic to the administration interface. This ensures that the identity of the remote gateway can be authenticated and that any information transmitted cannot be intercepted by third parties.
Types of TLS Certificates for HTTPS
Self signed
By default a Vega gateway will use an self-signed certificate. This means that the identity of the gateway cannot be asserted. Data is still encrypted and cannot be intercepted. This setup is acceptable for lab testing and in privates networks.
When using the self-signed certificate there a warning will be displayed in the browser and it is necessary to explicitly allow this exception.
Certificate Authority Certificates
To provide optimum security the use of a signed certificate is highly recommended. This certificate provides proof that the server being accessed is the one that the user thinks they are connecting to. It can be issued by either a private Certificate Authority (CA) or an external third-party one.
In the case of a private CA it will be necessary to add the root certificate of the CA to the client browser. The use of an external third-party CA avoids this requirement. The identity of the server and organisation is verified by the CA before they issues the server certificate. The root certificates used by third-party CAs are installed in most browsers and provide a chain of trust that the user can rely on.
Installing TLS Certificates for HTTPS
Requirements
Certificate Bundle
Obtaining TLS certificates depends on the which public or private CA is in use. Please see the documentation for your CA or private CA software for details on obtaining these certificates. The examples given here use certificates obtained from the free LetsEncrypt CA service but should apply to other CA services.
After obtaining a certificate bundle from the CA we will be have a number of files. For use with Vega these should all be in .pem format
cert.pem | The certificate that verifies the identity of the server |
chain.pem | The certificate chain that ties the server certificate back to the root CA certificate |
privkey.pem | The private key that is used by the server to secure communications |
DNS Name Resolution
To enable the user to assert the identity of the server it is necessary to have a DNS entry for the Vega gateway. The browser will verify the server name in the certificate against the DNS entry and give a warning if they do not match.
Uploading
Connect to the Vega UI using the DNS name e.g. https://vega-60g.qa.sangoma.com. The browser will give a warning about an invalid certificate. Ignore this warning and proceed.
Go to the Configuration>Export>System>Upload/Download files
In the TLS section upload each file in turn
Certificate File | cert.pem |
Key File | privkey.pem |
Root Certificate File | chain.pem |
To upload a file
select "Choose File" and browse to the relevant file.
Once you have chosen the file select "Upload"
When all three files have been uploaded select "Reboot system"
Once the system has rebooted you can reconnect to the UI and the browser should now show a secure connection, indicated on this browser by a padlock in the address bar.
Â