How to change the SSL certificate in VoipNow

WARNING

This article describes how to change the SSL certificate used by your VoipNow 3 or higher HTTP server.

Overview

This procedure consists of three main steps:

1. Generate CSR and get certificate from CA - Create a certificate signing request and obtain the certificate from your Certificate Authority
2. Install certificate - Copy the certificate to the appropriate location and set correct permissions
3. Restart services - Restart the affected services to apply the new certificate

Requirements

• VoipNow 3 or higher
• SSH access as root
• Certificate from your CA authority

WARNING

For VoipNow 3.0.x users modify in all commands:
/usr/local/voipnow/admin/conf/voipnow.pem with /etc/voipnow/certs/http.pem

Step 1: Generate CSR and get certificate from CA

Generate a certificate signing request (CSR) and private key. Replace the values in the -subj parameter with your information:

Certificate types:

• RSA (recommended) - Better compatibility with phones and older devices
• EC (Elliptic Curve) - Smaller key size and better performance, but may have compatibility issues with some phones

Field descriptions:

• C - Country code (2-letter ISO, e.g., US, GB, DE)
• ST - State or Province
• L - City or Locality
• O - Organization name
• OU - Organizational Unit (department)
• CN - Common Name (FQDN/hostname, e.g., sip.mycompany.com)
• emailAddress - Administrative contact email

Commands:

RSA certificate (recommended for phone compatibility):

# Generate CSR and private key with RSA 2048-bit
openssl req -nodes -newkey rsa:2048 -keyout /root/new.key -out /root/certrequest.csr -subj "/C=US/ST=California/L=San Francisco/O=my company/OU=IT Department/CN=sip.mycompany.com/emailAddress=admin@mycompany.com"

EC certificate (alternative, may have phone compatibility issues):

# Generate CSR and private key with EC (prime256v1 curve)
openssl ecparam -genkey -name prime256v1 -out /root/new.key
openssl req -new -key /root/new.key -out /root/certrequest.csr -subj "/C=US/ST=State/L=City/O=Company Name/OU=Organizational Unit/CN=hostname.example.com/emailAddress=admin@example.com"

Send certrequest.csr to your CA and request an X.509 SSL/TLS certificate (RSA or EC, typically a single-domain or wildcard certificate). Copy the received certificate to /root/newcert.crt on your server. If your CA provides an intermediate certificate, save it as /root/intermediate_cert.crt.

Step 2: Install certificate

Backup existing certificate:

cp /etc/voipnow/certs/http.pem /etc/voipnow/certs/http.pem.backup

Install certificate for HTTP service:

# Without intermediate certificate
cat /root/new.key /root/newcert.crt > /etc/voipnow/certs/http.pem
chmod 400 /etc/voipnow/certs/http.pem
chown voipnow:voipnow /etc/voipnow/certs/http.pem

# With intermediate certificate
cat /root/new.key /root/newcert.crt /root/intermediate_cert.crt > /etc/voipnow/certs/http.pem
chmod 400 /etc/voipnow/certs/http.pem
chown voipnow:voipnow /etc/voipnow/certs/http.pem

Optional: Install certificate for SIP service (Kamailio):

# Without intermediate certificate
cat /root/new.key /root/newcert.crt > /etc/voipnow/certs/kamailio.pem
chmod 400 /etc/voipnow/certs/kamailio.pem
chown kamailio:kamailio /etc/voipnow/certs/kamailio.pem

# With intermediate certificate
cat /root/new.key /root/newcert.crt /root/intermediate_cert.crt > /etc/voipnow/certs/kamailio.pem
chmod 400 /etc/voipnow/certs/kamailio.pem
chown kamailio:kamailio /etc/voipnow/certs/kamailio.pem

Optional: Install certificate for PBX service (Asterisk):

# Without intermediate certificate
cat /root/new.key /root/newcert.crt > /etc/voipnow/certs/pbx.pem
chmod 400 /etc/voipnow/certs/pbx.pem
chown asterisk:asterisk /etc/voipnow/certs/pbx.pem

# With intermediate certificate
cat /root/new.key /root/newcert.crt /root/intermediate_cert.crt > /etc/voipnow/certs/pbx.pem
chmod 400 /etc/voipnow/certs/pbx.pem
chown asterisk:asterisk /etc/voipnow/certs/pbx.pem

Step 3: Restart services

Restart HTTP service:

/etc/init.d/voipnow restart

Optional: Restart SIP service (Kamailio) - interrupts active calls:

/etc/init.d/kamailio restart

Optional: Restart PBX service (Asterisk) - interrupts active calls:

/etc/init.d/asterisk restart

WARNING

Important: Restarting Kamailio or Asterisk will interrupt active calls. Only restart these services if you have updated their respective certificate files.

Verify the certificate installation using an SSL checker.