MiTel System Web Server Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ctainc.com

I ran this command: None - I'm trying to secure a Web Server Certificate through a CSR

It produced this output: None

My web server is (include version): MiCollab 8.1.2.8

The operating system my web server runs on is (include version): MiTel standard Linux 10.6.14

My hosting provider, if applicable, is: Shopify

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Let's Encrypt is poorly-suited for web hosting that requires manually dealing with CSRs. It can be done, but requires manual intervention on a regular basis to renew it. The idea is that renewal can happen automatically by the web hosting running software on their site that handles everything for you, so that you don't need to manage the CSR manually. Now, I'm not really that familiar with Shopify, but they're listed as a "Major Sponsor" on Let's Encrypt's home page, so I'm guessing that they have an easier solution somewhere that just integrates with Let's Encrypt directly, and maybe you just need to look for the button in the right place or contact them to learn how to enable it?


Thanks for the speedy reply. Shopify keeps telling me "not my job" but I don't believe them since they host my site. Now, the SSL certificate is through Let's Encrypt of course so there's got to be a linkage as you say. Do you have the decoder ring by chance? :) Just fyi - IF I had web access from my MiTel server, there actually is a Third-Party certificate validation process that will automatically renew every 60 days. It's a very cool feature but because I've opted to not create vulnerability in my phone system, I can't take advantage of it. I'll keep knocking at Shopify's front door if there's no other way.


I'm rather confused; this sounds like you already have a Let's Encrypt certificate? What exactly are you trying to do to what? I'm probably just confused since I'm not familiar with the terms "MiTel" or "MiCollab", but perhaps other people here are.


My MiTel phone system requires a web server certificate because it uses web services for our customer service reps and voice recording. When my web site was hosted by GoDaddy and SSL provided there, I would send a CSR through their process and I received back a Web Server Certificate - a Zip file with three files. The actual instructions are: If you would like to install a web server certificate that is issued by another third-party Certificate Authority (CA), you must first generate a Certificate Signing Request (CSR) which you can then send to the Certificate Authority.

Once the Certificate Authority has issued you a web server certificate, you can upload it using the 'Upload and install' option below. This option may also be used if you want to import a private key and web server certificate from a different server.

To download the currently installed web server certificate and private key, select the 'Download' option below. The resulting file will be a ZIP file containing the private key, the current web server certificate, and an intermediate certificate if one is installed.

It is that Certificate with the three embedded files that I'm looking to upload to my phone server. Make sense?

Are your phone system and your website independent systems?

Do you need a certificate for the website or the phone system?

In the first case, Shopify should get one by themselves. In the second case, you should probably hear from the support for your phone system, to get automatic renewal.

If you want to issue a certificate manually, if you have access to your DNS control panel you can. But you'll have to do that every 60-90 days, and you will forget at least once. Automation is very preferable.


Those sound like two independent systems.
Are you using the exact same FQDN for both?


That seems to be with register.com right?

It looks like you need to forget about your website certificate and concentrate on just getting a certificate for your MiTel system. The system will have its own name that's probably different to your website name, e.g. mitel.ctainc.com or something, and I'd bet that your old cert was for *.ctainc.com so it covered any other subdomain name.

Certbot (the official ACME client for Let's Encrypt) has a --csr command line option you can use with the certonly mode (see the User Guide in the Certbot 2.6.0 documentation).

Validating your domain for your certificate order needs to be either via your webserver (on the internet, with the same name as your phone system domain) or using DNS (so Let's Encrypt can check a TXT record you have created/updated just for the cert renewal). I think in your case you would need to use DNS validation, but I'm not sure if register.com offer an API for their DNS, and if not that will make renewals harder - you could use something like acme-dns etc but that's starting to get complex.

Depending on how much time and effort you want to commit to this task you can definitely achieve this using Let's Encrypt. You may want to weigh that effort against just buying a certificate.

If your phone system webserver is only used internally you do also have the option of running your own little internal CA (`step-ca` server or Windows AD CS) where you distribute the root cert to your client machine so they can all trust it internally.

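As an added illustration of the CSR route described in the two posts above (this is not code from the thread, from Certbot, or from Mitel), the script below does the three things a practitioner actually has to do: generate the private key and CSR on a machine they control, run certbot in certonly mode with --csr and manual DNS-01 validation, and check the issued certificate against the key before it goes into the Mitel 'Upload and install' page. The hostname mitel.ctainc.com is the hypothetical name guessed in the thread, the file paths are assumptions, and the script assumes openssl and certbot are installed where it runs.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a hypothetical hostname
# for the Mitel web server (mitel.ctainc.com, as guessed in the thread), that
# openssl (1.1.1 or newer) and certbot are installed, and that the paths below
# are free to use.
set -eu

HOST="${HOST:-mitel.ctainc.com}"          # hypothetical FQDN of the phone system's web server
WORKDIR="${WORKDIR:-$PWD/mitel-cert}"    # where the key, CSR and issued files land

# Step 1: generate the private key and CSR locally. The key never leaves this
# machine; only the CSR is sent to the CA (Let's Encrypt, via certbot).
make_csr() {
  mkdir -p "$WORKDIR"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" \
    -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" 2>/dev/null
  chmod 600 "$WORKDIR/$HOST.key"
}

# Step 2: the certbot invocation for a CSR-based order with DNS-01 validation.
# --manual makes certbot print a TXT record to create under
# _acme-challenge.$HOST and wait for you. With --csr, certbot does not manage
# renewal, so this has to be re-run every 60-90 days (or be driven by cron with
# a --manual-auth-hook if the DNS provider has an API).
certbot_cmd() {
  printf 'certbot certonly --manual --preferred-challenges dns --csr %s --cert-path %s --chain-path %s --fullchain-path %s' \
    "$WORKDIR/$HOST.csr" "$WORKDIR/$HOST.crt" "$WORKDIR/chain.pem" "$WORKDIR/fullchain.pem"
}

# Step 3: sanity checks before uploading to the Mitel "Upload and install" page.
# The issued certificate must match the private key generated in step 1 ...
cert_matches_key() {  # $1 = key file, $2 = cert file
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then return 0; else return 1; fi
}

# ... and must carry the phone system's FQDN as a subjectAltName.
cert_has_host() {  # $1 = cert file, $2 = hostname
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Run as:  sh this-script.sh csr   -> creates the key/CSR and prints the certbot command.
if [ "${1:-}" = "csr" ]; then
  make_csr
  printf 'CSR written to %s. Now run:\n%s\n' "$WORKDIR/$HOST.csr" "$(certbot_cmd)"
fi
```

The certificate that certbot writes to --cert-path plus the intermediate at --chain-path are what the Mitel upload page describes as the web server certificate and intermediate; the key stays the one from step 1. Because --csr bypasses certbot's renewal bookkeeping, put the re-run date in a calendar or drive it from cron, as the thread warns.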

webprofusion - Excellent insights and I believe you're on to my solution. Although some of what you explained is a bit over my head, I get the general idea. The previous GoDaddy cert was for *.ctainc.com and I did decide, before reading your reply, that the way to go would be to just purchase the SSL to move this forward. However, I think I made the error and placed it as www.ctainc.com instead of a wildcard. Anyway, with your help I think I can probably work through this. I very much appreciate your direction.

