localhost Certificate
Two days ago something weird happened. My browser refused to render content from my own PBX.
At first I thought that Google had made another change in their browser security policy, not allowing the secure content to show up in the browser. But it was something else: our default Vodia certificate for "localhost" had expired.
It wasn't immediately clear how serious this was. Many PBX installations that I know of are using that certificate. Most phones don't validate the domain name, and, more to the point, most phones don't validate the date either. This makes sense because many phones live in the year 1970 when they boot up and can't validate the date anyway; and relying on the insecure NTP protocol to get the current time is not very secure either. The flip side is that such a phone keeps accepting an expired certificate without complaint, so nothing on the phone side flags the problem; a browser, which does check the date, is the first thing to notice.
Anyway, this was the call to update the localhost default key and certificate. While we were at it, we also upgraded the Vodia Root CA to use SHA-2 instead of the deprecated SHA-1 algorithm, which many browsers today treat as a security problem. The new localhost pair also uses SHA-2. All certificates and the new key can be found at https://vodia.com/doc/admin_certs; at the bottom of that page are the instructions for updating the localhost keys, if you have to. Keep in mind that a default key shared by every installation and downloadable from a web page cannot authenticate a particular PBX; it only keeps the traffic encrypted, so for anything beyond a lab system you should install a key and certificate of your own.
Customers who are still running a version older than 5.2.6 must upgrade their system to be able to use the new certificate, because it is signed with SHA-2.
After importing the new Vodia Root CA into my browser's list of trusted CAs, it now happily displays the green lock for my local system. The certificate is valid until 2019. I have made a calendar entry for next year to issue a newer certificate, so that we don't experience the same problem again too soon.
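The checks discussed in this post, as an added example that is not part of the original post and not Vodia's own code: a POSIX shell script that uses the openssl command line (assumed to be installed, 1.1.1 or 3.x) to build a throw-away root CA and a "localhost" leaf certificate, then reports the signature digest (to catch a SHA-1 signed certificate or CA), whether the certificate expires within a chosen horizon (the calendar-entry question), and whether it chains to the CA and matches the host name (the two checks the post says most phones skip). The CA name, file names and the 10-day validity are demo values chosen here so the expiry check has something to flag; point the check functions at your own PBX's certificate and CA files to run the same checks on a real system.

```shell
#!/bin/sh
# Added example (not Vodia's code). Assumes the openssl CLI is on PATH.
# All names (Demo Root CA, localhost-sha1.crt, ...) are demo values.

# Generate a self-signed SHA-256 root CA and a 10-day "localhost" leaf in $1.
make_demo_pki() {
    pki_dir=$1
    # Root CA. openssl req -x509 adds basicConstraints CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Root CA" \
        -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.crt" >/dev/null 2>&1
    # Leaf key and CSR, then have the CA sign it with a SAN for localhost.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
        -keyout "$pki_dir/localhost.key" -out "$pki_dir/localhost.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:localhost\n' > "$pki_dir/san.ext"
    openssl x509 -req -sha256 -days 10 -in "$pki_dir/localhost.csr" \
        -CA "$pki_dir/ca.crt" -CAkey "$pki_dir/ca.key" -CAcreateserial \
        -extfile "$pki_dir/san.ext" -out "$pki_dir/localhost.crt" >/dev/null 2>&1
    # The same CSR signed with SHA-1, to show what the weak-digest check
    # catches. Some distributions' crypto policies refuse SHA-1 signing; in
    # that case the file is simply absent.
    openssl x509 -req -sha1 -days 10 -in "$pki_dir/localhost.csr" \
        -CA "$pki_dir/ca.crt" -CAkey "$pki_dir/ca.key" -CAcreateserial \
        -extfile "$pki_dir/san.ext" -out "$pki_dir/localhost-sha1.crt" >/dev/null 2>&1 \
        || rm -f "$pki_dir/localhost-sha1.crt"
}

# Print the signature algorithm of a PEM certificate, e.g.
# sha256WithRSAEncryption or sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Exit 0 if the certificate carries an RSA signature over a digest that
# browsers reject (SHA-1 or MD5); such a certificate must be reissued.
cert_uses_weak_digest() {
    case "$(cert_sig_alg "$1")" in
        sha1*|md5*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Exit 0 if the certificate expires within $2 seconds (0 = already expired).
# openssl -checkend exits 0 when the cert will still be valid, so invert it.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# Exit 0 if $1 chains to the CA file $2 and is valid for host name $3,
# i.e. the two checks the post says most phones skip.
cert_valid_for_host() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Stand-alone usage: build the demo PKI in a temp dir and report on each leaf.
demo() {
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    for crt in "$dir/localhost.crt" "$dir/localhost-sha1.crt"; do
        [ -f "$crt" ] || continue
        printf '%s: %s\n' "$crt" "$(cert_sig_alg "$crt")"
        cert_uses_weak_digest "$crt" && echo "  WEAK digest: reissue with SHA-2"
        cert_expires_within "$crt" 0 && echo "  EXPIRED"
        cert_expires_within "$crt" 2592000 && echo "  expires within 30 days: schedule renewal"
        cert_valid_for_host "$crt" "$dir/ca.crt" localhost && echo "  chain and hostname OK for localhost"
    done
    rm -rf "$dir"
}

demo
```

`cert_expires_within FILE 2592000` is the 30-day version of the calendar reminder. The digest is checked separately rather than relying on `openssl verify` to reject it, because the chain check only asks whether the signature verifies against the CA, which a SHA-1 signature still does.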