Adding TLS Certificates

This article describes how to import certificates. These certificates are later grouped into TLS Profiles, which is the first step in configuring secure SIP on ProSBC.

Certificates enable secure connections: HTTPS to the web portal, and secure SIP calls via TLS. Certificates are organized into TLS Profiles used by SIP signaling interfaces.

ProSBC manages two categories of certificates, each displayed in its own table on the Configuration tab:

  • Trusted Certificates: Certificate Authorities (CA) used to validate incoming TLS connections.

  • Local Certificates & Private Keys: identity certificates for this system, paired with private keys to establish TLS connections and serve HTTPS.

Default self-signed certificate (toolpack_cert)

Each system includes a default self-signed certificate. It is used by TLS profiles that have no explicit local certificate assigned, and by the Web service for HTTPS connections. This certificate is system-managed and does not appear in the certificate list.

Changes in software version 3.3.15

The certificates table is split into two separate tables: Trusted Certificates and Local Certificates & Private Keys.

If you are using an older version of Toolpack, all certificates appear in a single table regardless of type, and private key management is not available through the web portal.

Key differences introduced in 3.3.15:

  • Private keys can be pasted directly in the certificate form (uploading via SSH to the filesystem is no longer required, but still supported).

  • Key status is visible on both the Configuration and Status tabs.

  • Orphan key detection (key files on disk with no matching certificate).

  • Safety confirmations.

  • HTTP transport warning: submitting a local certificate with a private key over plain HTTP requires acknowledging an unencrypted-transmission warning.

  • Removal of the "Intermediate" certificate type. During the upgrade process, the existing "intermediate" certificates are moved under the "trusted" type.

Configuration Tab Overview

From the navigation panel, select Certificates under the Security group.

The Configuration tab displays two separate tables.

[Screenshot: Configuration tab with both tables populated. Trusted Certificates columns: Name | Type | Actions. Local Certificates & Private Keys columns: Name | Certificate | Private Key | Actions.]

The Trusted Certificates table shows the name, type (Trusted), and a delete action for each entry.

The Local Certificates & Private Keys table shows the name, the presence of a certificate record and the presence of the private key file, and a delete action for each entry.

Certificate Name Rules

  • Valid characters: a-z, A-Z, 0-9, _ (underscore), - (dash), and spaces

  • Private key files are stored with lowercase names: a certificate named MyCert produces mycert.key

Adding a Trusted Certificate

  1. Click Create New Trusted Certificate.

  2. Enter a valid name for the certificate.

  3. Paste the PEM-encoded certificate text into the Certificate field.

  4. Click Create.

[Screenshot: Create Trusted Certificate form]

Adding a Local Certificate

Local certificates identify this system to remote parties. They require a matching private key.

  1. Click Create New Local Certificate.

  2. Enter a valid name for the certificate.

  3. The Certificate Type field displays Local (read-only).

  4. Paste the PEM content into the Certificate field. The content may include:

    1. The certificate block (-----BEGIN CERTIFICATE-----)

    2. Optionally, a private key block (-----BEGIN PRIVATE KEY-----)

  5. Click Create.

Since Toolpack version 3.3.15, private keys can be pasted directly in the certificate form. On previous versions, the private key file must be uploaded through an SSH or SFTP connection. See Upload Private Key file into the system for instructions.

If the PEM content contains a private key, it is automatically extracted and stored as a key file on the filesystem. A confirmation message appears: "Certificate was successfully created. 1 private key stored."

If the PEM content contains only the certificate (no private key), the certificate is saved without a key file. The Private Key column on the Configuration tab shows No until a key is provided via a subsequent edit.

[Screenshot: Create Local Certificate form / HTTP transport warning with checkbox]

Upload Private Key file into the system

Through an SFTP or SSH connection, copy the private key into the /lib/tb/toolpack/pkg/ssl_certificate/ directory.

Example with scp command

Editing a Local Certificate

  1. Click the certificate name in the Local Certificates & Private Keys table.

  2. The edit form shows the current certificate content and a Private key status indicator:

    1. Present: a key file exists on disk for this certificate.

    2. None: no key file found.

  3. Modify the PEM content as needed and click Save.

If the submission contains a private key block and a key file already exists, a confirmation dialog will appear. This prevents accidental key replacement.

HTTP Transport Warning

When adding or editing a Local Certificate over plain HTTP (not HTTPS), a security warning is displayed and must be acknowledged:

Warning: This page is accessed over HTTP. Certificate and private key content will be transmitted unencrypted.

This prevents accidental transmission of private key material over an unencrypted connection.

Supported PEM Block Types

Local certificates

One CERTIFICATE PEM block is accepted, optionally with one PRIVATE KEY PEM block.

The following are rejected:

  • ENCRYPTED PRIVATE KEY: Encrypted private keys are not supported.

  • Multiple PRIVATE KEY blocks: Only one private key block is allowed per submission.

  • Multiple CERTIFICATE blocks: Only one certificate block is allowed per submission.

Trusted certificates

Multiple CERTIFICATE blocks are accepted.
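
A pre-flight check for the PEM block rules above and the Certificate Name Rules, to run on PEM text before pasting it into the form. This is an added example, not ProSBC code: the function names are hypothetical, and flagging a private key in a trusted submission or a PEM label the page does not list are choices of this example. How names containing spaces map to key file names is not documented, so `key_filename` only follows the MyCert example.

```python
import re

# Matches the BEGIN line of any PEM block and captures its label.
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)
# Certificate Name Rules: a-z, A-Z, 0-9, underscore, dash and spaces.
VALID_NAME = re.compile(r"[A-Za-z0-9_\- ]+")


def key_filename(name):
    """Key file name following the documented MyCert -> mycert.key rule."""
    return name.lower() + ".key"


def check_submission(name, pem_text, cert_type):
    """Return a list of problems; an empty list means the input passes."""
    problems = []
    if not VALID_NAME.fullmatch(name):
        problems.append("name contains characters outside a-z A-Z 0-9 _ - space")
    labels = PEM_BEGIN.findall(pem_text)
    certs = labels.count("CERTIFICATE")
    keys = labels.count("PRIVATE KEY")
    if certs == 0:
        problems.append("no CERTIFICATE block found")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("ENCRYPTED PRIVATE KEY is not supported")
    if cert_type == "local":
        if certs > 1:
            problems.append("only one CERTIFICATE block allowed for a local certificate")
        if keys > 1:
            problems.append("only one PRIVATE KEY block allowed per submission")
    elif keys:
        # Assumption of this example: a CA entry should never carry key material.
        problems.append("private key block in a trusted certificate submission")
    # Assumption: labels the page does not list (e.g. RSA PRIVATE KEY) are flagged.
    known = {"CERTIFICATE", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
    for label in sorted(set(labels) - known):
        problems.append("PEM label not listed in the documentation: " + label)
    return problems


def block(label):
    """Build a constructed PEM block; the body is placeholder data, not a real key."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"


if __name__ == "__main__":
    print(check_submission("MyCert", block("CERTIFICATE") + block("PRIVATE KEY"), "local"))
    print(check_submission("edge/01", block("CERTIFICATE") * 2, "local"))
    print(key_filename("MyCert"))
```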

List of Parameters
