# Adding TLS Certificates

Certificates enable secure connections: HTTPS to the web portal, and secure SIP calls via TLS. Certificates are organized into [TLS Profiles](/configuration-details/configuration-by-web-portal-category/sip/tls-srtp/configuring-tls-profiles.md) used by SIP signaling interfaces.

ProSBC manages two categories of certificates, each displayed in its own table on the Configuration tab:

* **Trusted Certificates**: Certificate Authorities (CA) used to validate incoming TLS connections.
* **Local Certificates & Private Keys**: identity certificates for this system, paired with private keys to establish TLS connections and serve HTTPS.

{% hint style="info" %}
**Default self-signed certificate (toolpack\_cert)**

Each system includes a default self-signed certificate used by TLS profiles that have no explicit local certificate assigned and by the Web service for HTTPS connections. This certificate is system-managed and does not appear in the certificate list.
{% endhint %}

{% hint style="info" %}
**Changes in software version 3.3.15**

The certificates table is split into two separate tables: Trusted Certificates and Local Certificates & Private Keys.

If you are using an older version of Toolpack, all certificates appear in a single table regardless of type, and private key management is not available through the web portal.

Key differences introduced in 3.3.15:

* Private keys can be pasted directly in the certificate form (uploading via SSH to the filesystem is no longer required, but still supported).
* Key status is visible on both the Configuration and Status tabs.
* Orphan key detection (key files on disk with no matching certificate).
* Safety confirmations.
* HTTP transport warning: submitting a local certificate with a private key over plain HTTP requires acknowledging an unencrypted-transmission warning.
* Removal of the "Intermediate" certificate type. During the upgrade process, the existing "intermediate" certificates are moved under the "trusted" type.
{% endhint %}

## Configuration Tab Overview

From the navigation panel, select Certificates under the Security group.

<figure><img src="/files/wMed2hfCdr1T96WWk22q" alt=""><figcaption></figcaption></figure>

The Configuration tab displays two separate tables.

<div data-with-frame="true"><figure><img src="/files/h5rnrvBCOLdWCgFcl0ko" alt="Screenshot 1: Full Configuration tab showing both tables. &#x22;Trusted Certificates&#x22; table on top with columns Name | Type | Actions, and &#x22;Local Certificates &#x26; Private Keys&#x22; table below with   columns Name | Certificate | Private Key | Actions. Include at least one entry in each table"><figcaption><p>Configuration tab with both tables populated</p></figcaption></figure></div>

The Trusted Certificates table shows the name, type (Trusted), and a delete action for each entry.

The Local Certificates & Private Keys table shows the name, the presence of a certificate record and the presence of the private key file, and a delete action for each entry.

## Certificate Name Rules

* Valid characters: `a-z`, `A-Z`, `0-9`, `_` (underscore), `-` (dash), and spaces
* Private key files are stored with lowercase names: a certificate named `MyCert` produces `mycert.key`

## Adding a Trusted Certificate

1. Click Create New Trusted Certificate.
2. Enter a valid name for the certificate.
3. Paste the PEM-encoded certificate text into the Certificate field.
4. Click **Create**.

<div data-with-frame="true"><figure><img src="/files/1Ss4lgiTzEABzVqaithV" alt="Screenshot 2: Create form with Certificate Type set to &#x22;Trusted&#x22;, name filled in, and PEM text pasted in the Certificate field. The Certificate Type dropdown should be visible."><figcaption><p>Create Trusted Certificate form</p></figcaption></figure></div>

## Adding a Local Certificate

Local certificates identify this system to remote parties. They require a matching private key.

1. Click **Create New Local Certificate**.
2. Enter a valid name for the certificate.
3. The **Certificate Type** field displays Local (read-only).
4. Paste the PEM content into the Certificate field. The content may include:
   1. The certificate block (`-----BEGIN CERTIFICATE-----`)
   2. Optionally, a private key block (`-----BEGIN PRIVATE KEY-----`)
5. Click **Create**.

{% hint style="info" %}
Since Toolpack version 3.3.15, private keys can be pasted directly in the certificate form. On previous versions, the private key file must be uploaded through an SSH or SFTP connection. See [Upload Private Key file into the system](#upload-private-key-file-into-the-system) for instructions.
{% endhint %}

If the PEM content contains a private key, it is automatically extracted and stored as a key file on the filesystem. A confirmation message appears: "Certificate was successfully created. 1 private key stored."

If the PEM content contains only the certificate (no private key), the certificate is saved without a key file. The Private Key column on the Configuration tab shows No until a key is provided via a subsequent edit.

<div data-with-frame="true"><figure><img src="/files/P1N73bPDa3PR1JVFvCvb" alt="Screenshot 3: Create form for a LOCAL certificate. The Certificate Type should show as a read-only &#x22;Local&#x22; label (not a dropdown). The   Certificate field should contain PEM text with both a CERTIFICATE and PRIVATE KEY block visible."><figcaption><p>Create Local Certificate form / HTTP transport warning with checkbox</p></figcaption></figure></div>

### Upload Private Key file into the system

Through an SFTP or SSH connection, copy the private key into the `/lib/tb/toolpack/pkg/ssl_certificate/` directory.

{% hint style="warning" %}
The private key file and the certificate name must have the same basename (everything except the extension).
{% endhint %}

{% hint style="info" %}
Example with the `scp` command:

```
scp my_local_cert.key root@MyFreeSbcHostName:/lib/tb/toolpack/pkg/ssl_certificate/
```

{% endhint %}

## Editing a Local Certificate

1. Click the certificate name in the Local Certificates & Private Keys table.
2. The edit form shows the current certificate content and a Private key status indicator:
   1. Present: a key file exists on disk for this certificate.
   2. None: no key file found.
3. Modify the PEM content as needed and click Save.

If the submission contains a private key block and a key file already exists, a confirmation dialog will appear. This prevents accidental key replacement.

## HTTP Transport Warning

When adding or editing a Local Certificate over plain HTTP (not HTTPS), a security warning is displayed and must be acknowledged:

> Warning: This page is accessed over HTTP. Certificate and private key content will be transmitted unencrypted.

This prevents accidental transmission of private key material over an unencrypted connection.

## Supported PEM Block Types

### Local certificates

One `CERTIFICATE` PEM block is accepted, optionally with one `PRIVATE KEY` PEM block.

The following are rejected:

* `ENCRYPTED PRIVATE KEY`: Encrypted private keys are not supported.
* Multiple `PRIVATE KEY` blocks: Only one private key block is allowed per submission.
* Multiple `CERTIFICATE` blocks: Only one certificate block is allowed per submission.

### Trusted certificates

Multiple `CERTIFICATE` blocks are accepted.
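
A local pre-flight check for the rules on this page (name characters, lowercase key file name, accepted PEM block types), run before pasting content into the form. This is an added example, not ProSBC code: the function names, the `cert_type` values and the choice to flag any block label the page does not list are assumptions, and the sample PEM bodies are constructed placeholders.

```python
import re
from collections import Counter

# Name rule from this page: a-z, A-Z, 0-9, underscore, dash and spaces.
NAME_RE = re.compile(r"[A-Za-z0-9_\- ]+")
# Matches one PEM block and captures its label; the END label must equal BEGIN.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def key_file_name(cert_name):
    """Key files are stored lowercase: MyCert -> mycert.key."""
    return cert_name.lower() + ".key"

def check_submission(name, pem_text, cert_type):
    """Return a list of problems; an empty list means the documented rules are met.
    cert_type is "local" or "trusted" (hypothetical argument values)."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name contains characters outside a-z A-Z 0-9 _ - space")
    labels = Counter(m.group(1) for m in PEM_RE.finditer(pem_text))
    certs, keys = labels["CERTIFICATE"], labels["PRIVATE KEY"]
    if cert_type == "trusted":
        if certs < 1:
            problems.append("no CERTIFICATE block found")
        allowed = {"CERTIFICATE"}
    else:
        if certs != 1:
            problems.append(f"expected exactly one CERTIFICATE block, found {certs}")
        if keys > 1:
            problems.append("only one PRIVATE KEY block is allowed per submission")
        if labels["ENCRYPTED PRIVATE KEY"]:
            problems.append("ENCRYPTED PRIVATE KEY is not supported")
        allowed = {"CERTIFICATE", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
    # Assumption: any label the page does not list is treated as a problem.
    for label in sorted(set(labels) - allowed):
        problems.append(f"{label} block is not listed as accepted for {cert_type}")
    return problems

# Constructed sample input: placeholder bodies, not real key material.
def sample_block(label):
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

if __name__ == "__main__":
    good = sample_block("CERTIFICATE") + sample_block("PRIVATE KEY")
    print(check_submission("MyCert", good, "local"), key_file_name("MyCert"))
    print(check_submission("my.cert", sample_block("ENCRYPTED PRIVATE KEY"), "local"))
```
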

## List of Parameters

* [Name](/configuration-details/configuration-parameters-all.md#parameter-name)
* [Certificate Type](/configuration-details/configuration-parameters-all.md#parameter-certificate-type)


