Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Operator » New Kerio Operator Softphone vs self-signed certificates
Vladimir Toncar (Kerio) is currently offline Vladimir Toncar (Kerio)

Messages: 1696
Karma: 39

As we are preparing the release of Kerio Operator Softphone 3.6.2, there's one piece of information I want to share.

Starting with version 3.6.2, it won't be possible to disable the TLS certificate check in the softphone. I know some of you were using this option to test the softphone against a Kerio Operator server with a self-signed certificate before deciding to buy a proper signed server certificate. Maybe some of you are using the self-signed certificate even in production.

So, if you want to use version 3.6.2 of the softphone and you still use a self-signed certificate, you need to do either of the following:

1. Buy a certificate (see the KB article here) from you preferred certificate authority. This is the simpler solution.

2. Fetch the self-signed certificate from your Operator server and install it on your iPhone or Android phone. You can fetch the server certificate from https://operator_ip/server.cer or http://operator_ip/server.cer (Use the plain HTTP on Android if your browser refuses to download over HTTPS while it's still using the untrusted self-signed certificate). If you run the softphone on Android, the self-signed certificate must be created for the fully qualified domain name of your Operator server.

We plan to publish the Android edition of the new softphone next week (it's much needed because of the Android 6 compatibility). The iOS edition will come a week or two later.

Please feel free to ask if you need to clarify anything.

Vladimir Toncar (Kerio) is currently offline Vladimir Toncar (Kerio)

Messages: 1696
Karma: 39
One addition: If you are about to get a commercial certificate, do not use a wildcard cert. Counterpath, our supplier of the softphone, is already following RFC5922 even though it's still just a proposed standard.
fishtech is currently offline fishtech

Messages: 634
Karma: 14
Thanks for the advanced notice to allow early troubleshooting.

I bought and installed an SSL cert from GoDaddy.

If I visit https://operator_ip/ from Safari or Firefox on my desktop the GoDaddy certificate shows as "trusted".

When I visit https://operator_ip/server.cer or http://operator_ip/server.cer and try to install the Certificate on my iPhone I get the following error:

"The authenticity of "" cannot be verified."

I can install the profile but it shows "Not Verified".

When I try to login with Operator app, I get aregistraton error, "Certificate validation failure (503)".

Why is the certificate trusted on desktop but not iPhone?


Brian (GFI/Kerio) is currently offline Brian (GFI/Kerio)

Messages: 806
Karma: 84
Use this online tool to test that you've installed the certificate properly
If so, then you don't need to install the certificate onto the phone. If the online tool returns an error, it's probably related to the intermediate certificates. This article provides details for installing the intermediate certificates ion-kerio-operator/configuring-ssl-certificates-817.html

Brian Carmichael
Instructional Content Architect
fishtech is currently offline fishtech

Messages: 634
Karma: 14
Thanks. I ran the online test, and you were absolutely correct... all checks were good except for the intermediate certificates check.

I now have it working without having to download the certificate to my phone.

Since I found GoDaddy's instructions on intermediate certificates to be unlcear, for anyone new to this process just copy the contents of gd_bundle-XYZ.crt and paste at the end of NxNNNxx..crt file to create the intermediate certificate.

For anyone else who made the same mistake first time, here are the steps I took to fix it:

1. In Operator, export the key of the original, bad, GoDaddy certificate created in Operator.

2. Delete that original, bad GoDaddy certificate.

3. Go to the GoDaddy download folder.

4. Copy the contents of gd_bundle-XYZ.crt and paste at the end of NxNNNxx..crt file.

5. Save.

6. "Import a new Certificate" in Operator, and choose the Key from Step 1 and the NxNNNxx..crt from step 4.

7. Make the new certificate active.

Hope that helps someone. You can probably tell certificates & security are somehwhat of a black art to me.

Previous Topic: Asterisk: SIP retransmission timeout
Next Topic: ANNOUNCEMENT: Introducing Rack Mount Kits for Kerio Appliances
Goto Forum:

 ] [ PDF ]

Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sun Jan 21 21:41:52 CET 2018

Total time taken to generate the page: 1.61312 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.