Setting up Equinox on IP Office R11 Server Edition/hosted with Self Signed Certificate
In order to get Equinox client to securely connect to Server Edition or Hosted IP Office, we need to have a certificate. In a previous document, we showed how to create a 3rd party certificate, but maybe you don’t want to use 3rd party, maybe you want to leverage IP Office’s ability to create a self-signed certificate.
1 million foot view of the differences. Certificates that have been signed by a Certificate Authority go through some level of validation and there are only a finite number of Certificate Authorities worldwide. Most devices / browsers already have the Certificate Authorities Intermediate Certificate installed and can therefore easily validate the authorities certificate chain. Depending on the purpose / usage of a certificate would define the level of validation (and cost) associated with those certificates. The plus side to Signed Certificates is that there is no need to load self signed certificates onto most browsers or devices as they are already trusted. The Downside however is that signed certificates have to be maintained on an annual basis and updated before they expire.
Self Signed certificates on the other hand can be created to last as long as ~ 7 years, but it means that every device needs to have the Self Signing Root authorities certificate loaded to its trusted Authority Store, which is generally a manual process in most cases. The Advantage though is that you don’t have to maintain the certificate each year, however Self Signed certificates are easier to be compromised. The other disadvantage is that while you may not have to update the certificates quite so often, generally the devices are being replaced or updated on a regular enough basis that involves reinstalling the certificates anyhow.
So the question becomes does the cost of getting proper signed certificates outweigh the costs of the headaches involved with using Self Signed Certs.. That is a question that would need to be answered with input from your customer.. (I am not a security guy, and may be way off base, but that is good enough for this discussion).. For the Purposes of this guide though we will be using Self Signed Certificates
So, first we need to create the self-signed certificate. Log into Web Manager and go to Platform View>Settings. Scroll down until you see the Certificates section.
.
- Enable the setting Platform View | Settings | General | Certificates | Identity Certificates | Renew automatically.
- If you are spinning up a new Server, Select the option for “Create New”
- Enter Subject Name and Subject Alternate Name(s).
- Select Regenerate and Apply on the bottom
- If you already have created a certificate for this system, you can Just click on “Download (DER-encoded)” for the root-ca.crt, and the bottom “Download (DER-encoded)” for the cert.crt.
- Distribute the certificates to all clients and browsers (browsers are not covered here, but a google search can help you). See below for how to install the certificates on various devices.
- (You can either email the certificates to users, or you can put them on a file share somewhere)
Now that we have our certificates on the server side, we need to look to the client side.
To install certificates for MAC, see below.
First Lets Look At MAC
If we try to set up Equinox on MAC, we get certificate errors. Since we are doing this manually, and we have already discussed how to Automate Equinox Implementation Here…we will configure the client manually.
Open Equinox and select “Configure My Account”. Then click on the “Options” sprocket in the upper right corner, and select “Use Web Address”.
Now you will need to enter the configuration URL for Equinox, AKA, 46xxsettings.txt file… enter url: https://ipofficeassistance.com/46xxsettings.txt
(replace “ipofficeassistance.com” with your FQDN)
As you can see, since we have not yet installed the certificate on the MAC, we get “Invalid Certificate”.
Lets install the cert, and see what happens. Now you need the certificates you downloaded on the MAC. Click on the certificate and “Keychain Access” opens.
Immediately, it doesn’t recognize the certificate, so we need to manually befriend it.
On the certificate click the arrow to the left of “TRUST”, and you will see that “Use System Defaults” is in the field. Change that to “Always Trust”. This says that you will trust this certificate. and once you do, the inset picture, shows the certificate trusted (by the lack of red)
Now, when we go into our Equinox client, and try to enter the URL to configure the client, we do NOT get the Certificate error, but rather are automatically taken to the next screen to enter the Extension Number and password.
See that once we log in, there are no errors for the certificate, and we are set up with TLS enabled.
Remember to install both Certificates…
Windows Setup
Same as MAC, our login screen wont let us get to the Extension/Password screen as the certificate is not trusted.
Once you download the files to your PC, double click on the first one. This will open an installer wizard. Clikc on the button to “Install Certificate”
Select “Local Machine” and press next.
- Now you will get a pop-up asking where to install the cert. Select “Place all Certificates in the following store“, which will bring another pop-up, asking which Certificate Store you wish to install them in.
- Select “Browse” to define where to install the cert.
- Select “Trusted Root Certification Authorities“
- Click “OK“
- Click “Next“
After all that, you will get a pop up that the certificate has been installed.
Now that we are done, you can click “OK” to close the certificate.
Remember to install both Certificates…
Android Setup
So, if you open Equinox on your Android phone, you will see the certificate error from Android.
So, we now need to somehow get the certificates to your Android Phone. once you have them downloaded, just click on them, you are prompted to name it, and install it. The name is Arbitrary, so it doesn’t matter.
Once installed, you can go back to the Equinox Client, and see that the cert is now good, and enter your extension number and password..
Remember to install both Certificates…
iOS Setup
(sorry for the pictures, i dont have na iPhone, so i used an iPad)
Open iPhone, and you see that Equinox, as expected, does not have a valid certificate.
So, we need to email the certificates to our iOS device.
Once you click on the certificate, it shows the current status of the certificate. Click on the “Install” button.
You will first get a warning (top picture below) so click “Install” again. And (bottom picture) Install 1 last time.
You would think that would be enough, but the latest iOS will make you trust that certificate, so navigate to:
Settings > General > About > Certificate Trust Settings. (you have to scroll down to see it). There you will see the “ipoffice-root” is not enabled. click to enable it, and you will be warned 1 more time…
But, now you will see that the certificate is actually, trusted….YAY!
Now we can go back, and with a trusted certificate, we can enter Extension info, and get logged in….
Remember to install both Certificates…
