Web Server Lets Encrypt CA

Manage Third-Party Certificates from Let's Encrypt

Let’s Encrypt is a free, automated, and open Certificate Authority (CA). It enables you to obtain a valid web server certificate simply by providing your domain settings and then clicking a button. The acquired certificate is uploaded, installed, monitored and renewed automatically. You do not need to generate a certificate signing request (CSR) or go through the manual process of installing the certificate. These steps are handled by the CA and the local MSL server, and are invisible to you.

Note:
  • To use this service, the MSL server must be accessible to the Internet, either directly or through a proxy.
  • The service is currently not supported on servers under the following deployment configurations:
    • Any server behind a MiVoice Border Gateway Web Proxy version earlier than v9.4.
    • MiCollab with AWV in server-only (LAN) mode behind a MiVoice Border Gateway in server-gateway mode on the network edge with 2nd WAN IP address configured on the MBG Web Proxy for MiCollab Audio, Web and Video Conferencing if the MBG Web proxy version is earlier than v9.4.0.25.
  • The service is supported on any MSL system that meets the following criteria:
    • Each FQDN configured in the certificate request must be resolvable from the external Let's Encrypt server.
    • An https request to each resolved FQDN above with a URL of the form https://FQDN/.well-known/acme-challenge/CHALLENGE_TOKEN must reach and be responded to by the server on which the Let's Encrypt certificate request has been made.
  • When you request an SSL certificate from the Let's Encrypt service, you must provide a Common Name and, optionally, Subject Alternative Names as fully qualified domain names (FQDNs) that are resolvable to addresses on the public network. When the Let's Encrypt servers issue an HTTP request to a resolved FQDN (such as https://mbg.mitel.com/.well-known/acme-challenge/random_file_name), this request must be able to reach the MSL server on port 80 on which the certificate request is being made. Accordingly, the MSL server must be accessible to the Internet, either directly or through a proxy.

Programming Steps

To implement a Let's Encrypt SSL certificate, complete the following procedures:

  1. Request a Let's Encrypt SSL Certificate
  2. Modify a Let's Encrypt SSL Certificate (required only if you wish to update your credentials)
  3. Uninstall a Let's Encrypt SSL Certificate (required only if you wish to resume using the default self-signed certificate)
  4. Verify the Installed Let's Encrypt SSL Certificate

Request a Let's Encrypt SSL Certificate

To request a Let's Encrypt SSL certificate:

  1. Log into the MSL Server Manager.
  2. Under Security, click Web Server.
  3. Click the Web Server Certificate tab.
  4. Click Get Certificate.
  5. Enter the information required to request the SSL certificate from the Let's Encrypt system:

    Field Name: Description

    • Status: Indicates the status of the certificate, either enabled (successfully installed and active) or disabled (not successfully installed and inactive).
    • Contact E-Mail: Enter the email address of the administrator who Let's Encrypt should contact to deal with issues of certificate recovery or registration.
    • Common Name: Enter the common name to which you plan to apply your certificate. A web browser checks this field. It is required. The common name must be entered as a fully-qualified domain name (FQDN) that is publicly resolvable. Do not enter a domain name with a wild card character (e.g. *.example.com) because Let's Encrypt does not support wild card certificate requests.
    • Alternate Name(s): Enter the domain name for each service (or "virtual host") in the LAN that you want to include in this certificate. For example, if your deployment includes a number of MSL application servers on the LAN, you would enter the FQDN of each server such as micollab.mitel.com, mivb.mitel.com, and micollabclient.mitel.com. If these addresses are not configured correctly, remote client access to the LAN-based services will be denied. The FQDNs must be publicly resolvable.

  6. Click Get Certificate. The Let's Encrypt system generates the certificate and returns it to the MSL system for automatic installation. If there are any problems with the certificate request or installation, an error message is displayed. If there are no problems, the Status field displays "enabled," indicating that the certificate has been successfully installed and is now active.
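The name requirements above (no wildcard, fully qualified, publicly resolvable) can be checked before clicking Get Certificate. The following pre-flight check is an added example, not part of the MSL product or Mitel documentation; the function names, the `example.com` hostnames and the fake resolver data are assumptions constructed for illustration.

```python
import ipaddress
import re
import socket

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def system_resolver(name):
    """Return the set of addresses the local resolver gives for name."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()

def check_name(name, resolver=system_resolver):
    """Return the problems that would block validation of one requested name."""
    if "*" in name:
        return ["wildcard names are not accepted for this request"]
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return ["not a fully qualified domain name"]
    addresses = resolver(name)
    if not addresses:
        return ["does not resolve"]
    # Strip any IPv6 zone id, then flag private, loopback and other non-public ranges.
    bad = sorted(a for a in addresses if not ipaddress.ip_address(a.split("%")[0]).is_global)
    if bad:
        return ["resolves to non-public address(es): " + ", ".join(bad)]
    return []

def preflight(common_name, alt_names=(), resolver=system_resolver):
    """Map each requested name to its problems; an empty dict means ready."""
    report = {}
    for name in [common_name, *alt_names]:
        problems = check_name(name.strip(), resolver)
        if problems:
            report[name] = problems
    return report

if __name__ == "__main__":
    # Constructed sample data: a fake resolver so the example runs offline.
    fake_dns = {"mbg.example.com": {"8.8.8.8"}, "micollab.example.com": {"192.168.1.10"}}
    lookup = lambda name: fake_dns.get(name, set())
    print(preflight("mbg.example.com", ["micollab.example.com", "*.example.com"], lookup))
```

Run it from a host outside the LAN with the default resolver: the names must resolve from the Let's Encrypt servers, and an internal resolver with split-horizon DNS can return different answers.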

Modify a Let's Encrypt SSL Certificate

To modify a Let's Encrypt SSL certificate request:

  1. Log into the MSL Server Manager.
  2. Under Security, click Web Server.
  3. Click the Web Server Certificate tab.
  4. Click Modify Request.
  5. Update the field values as required in order to modify your certificate signing request (CSR).
  6. Click Get Certificate. The Let's Encrypt system generates the SSL certificate and returns it to the MSL system for automatic installation. If there are any problems with the certificate request or installation, an error message is displayed. If there are no problems, the Status field displays “enabled,” indicating that the certificate has been successfully installed and is now active.

Uninstall a Let's Encrypt SSL Certificate

To uninstall a Let's Encrypt SSL certificate and resume using the self-signed certificate:

  1. Log into the MSL Server Manager.
  2. Under Security, click Web Server.
  3. Click the Web Server Certificate tab.
  4. Click Remove Certificate. The MSL system uninstalls the Let's Encrypt SSL certificate and returns to using the default self-signed certificate.

Verify the Installed Let's Encrypt SSL Certificate

To view details of the currently installed web server certificate:

  1. Log into the MSL Server Manager.
  2. Under Security, click Web Server.
  3. Click the Web Server Certificate tab.
  4. View details at the top of the page:

    Field Name: Details

    • Issuer: Lists the following information for the certificate authorization company that issued the certificate:
        • C: country code
        • ST: state or province
        • L: locality name (for example: city name)
        • O: name of the certificate authorization authority
        • OU: name of the organizational unit
        • CN: server hostname
        • Authority/emailAddress: email address of the Certificate Authority
    • Certificate Name: The Common Name that identifies the fully qualified domain name associated with the certificate.
    • Alternate Name(s): The FQDNs of each service (or "virtual host") included in the certificate.
    • Valid From: Date and time when the certificate takes effect.
    • Expires: Date and time when the certificate expires.

    NOTE: Events are raised prior to, and on the date of, expiry of the certificate. Be sure to check the event viewer regularly or configure email alerts. The event severities are:

    • Certificate already expired: MAJOR
    • Expires in less than 1 week: MINOR
    • Expires in less than 3 weeks: WARNING
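
The same fields can be read from outside the server and the expiry mapped onto the severities in the note above, which is useful for independent monitoring. This is an added example, not part of the MSL product or Mitel documentation; the function names and the sample certificate dictionary are constructed for illustration.

```python
import socket
import ssl
import time

WEEK = 7 * 24 * 3600

def fetch_cert(host, port=443, timeout=10):
    """Fetch the validated peer certificate as a dict (needs network access)."""
    # Default verification fails while the self-signed certificate is still served.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def expiry_severity(cert, now=None):
    """Map the time left onto the event severities from the page's note."""
    now = time.time() if now is None else now
    remaining = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    if remaining <= 0:
        return "MAJOR"      # certificate already expired
    if remaining < WEEK:
        return "MINOR"      # expires in less than 1 week
    if remaining < 3 * WEEK:
        return "WARNING"    # expires in less than 3 weeks
    return None

def summarize(cert, now=None):
    """Extract the fields shown on the Web Server Certificate tab."""
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return {
        "issuer_o": issuer.get("organizationName"),
        "certificate_name": subject.get("commonName"),
        "alternate_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "valid_from": cert["notBefore"],
        "expires": cert["notAfter"],
        "severity": expiry_severity(cert, now),
    }

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subject": ((("commonName", "mbg.example.com"),),),
    "subjectAltName": (("DNS", "mbg.example.com"), ("DNS", "micollab.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    print(summarize(SAMPLE, now=ssl.cert_time_to_seconds("Mar 20 00:00:00 2024 GMT")))
```

Against a live server, pass the result of `fetch_cert("your.fqdn")` to `summarize()` in place of `SAMPLE`.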