6.1 Use TLS certificate from Let's Encrypt
If your SwyxWare is licensed online, you can obtain a unique server name (FQDN) from the SwyxON DNS service. SCST requests a TLS server certificate for this FQDN from the Let's Encrypt service and installs it in SwyxWare.
See also Let's Encrypt/how-it-works
SCST handles the communication with the SwyxON DNS service and the Let's Encrypt service and completes the certificate request in a few steps.
The TLS certificate is automatically updated by SCST before the expiration date. For this purpose, a scheduled process is registered in Windows that regularly checks in the background whether the TLS certificate is about to expire.
FQDN validation
In order for SCST to request the TLS certificate from Let's Encrypt and update it regularly, the following requirements must be met:
*The SwyxServer machine must have a working DNS configuration, i.e. DNS queries for the FQDN and all its domains must succeed. If the DNS configured in Windows does not work, SCST tries to reach the following DNS servers: 8.8.8.8, 1.1.1.1, 8.8.4.4.
*The SwyxServer machine and your local network must allow outgoing connections via HTTPS. Connections to Let's Encrypt, registration with SwyxON DNS and Swyx online licensing each require the HTTPS protocol.
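A preflight check for the two requirements above, as an added PowerShell example that is not part of SCST or the Swyx documentation. The FQDN and public IP address are placeholders for the values SCST shows under Provided FQDN; the Let's Encrypt host is its production ACME endpoint, and the SwyxON DNS and licensing hosts are not named on this page, so they are left out.

```powershell
# Added example, not Swyx code. Run on the SwyxServer machine.
param(
    [string]$Fqdn     = 'your-name.example.invalid',  # placeholder: FQDN from SCST
    [string]$PublicIp = '203.0.113.10'                # placeholder: public IP from SCST
)

# Requirement 1: DNS. Test the Windows-configured DNS first ($null = system
# default), then the fallback servers listed in the requirements.
$resolvers = @($null, '8.8.8.8', '1.1.1.1', '8.8.4.4')

$dnsResults = foreach ($server in $resolvers) {
    $query = @{ Name = $Fqdn; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($server) { $query.Server = $server }
    try {
        $addresses = @(Resolve-DnsName @query |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress)
        # With Split DNS the internal resolver may answer with an internal
        # address by design, so a mismatch there is not necessarily an error.
        if ($addresses -contains $PublicIp) { $status = 'Matches public IP' }
        elseif ($addresses) { $status = 'Resolves to a different address' }
        else { $status = 'No A record returned' }
    } catch {
        $addresses = @()
        $status = "Query failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Resolver  = if ($server) { $server } else { 'Windows DNS' }
        Addresses = $addresses -join ', '
        Status    = $status
    }
}
$dnsResults | Format-Table -AutoSize

# Requirement 2: outgoing HTTPS. Add the SwyxON DNS and licensing hosts to
# this list once you know them; they are not given on this page.
$endpoints = @('acme-v02.api.letsencrypt.org')

$httpsResults = foreach ($endpoint in $endpoints) {
    $probe = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Endpoint = $endpoint; Port = 443; Reachable = $probe.TcpTestSucceeded }
}
$httpsResults | Format-Table -AutoSize
```

A successful TCP connection on port 443 shows that the firewall allows the connection; it does not show whether a proxy in the path intercepts the TLS session.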
To use a TLS certificate from Let's Encrypt
1 Start Swyx Connectivity Setup Tool under "Start | Programs | SwyxWare | Swyx Connectivity Setup Tool".
2 Click on NEXT.
*The Server name page appears.
3 Select the option Get name from SwyxON DNS to request a FQDN for the public IP address.
4 Click on NEXT.
*The Get name from SwyxON DNS page appears.
5 If necessary, enter the public IP address of your network if SwyxWare has a static public IP address and you do not want to use automatic detection.
6 Click on Request.
*The randomly generated FQDN and the detected public IP address appear under Provided FQDN.
Note: Be sure to use the corresponding data in the Split DNS configuration.
7 Click on NEXT.
*The Automatic certificate mode page appears.
Name | Explanation
E-mail address | Enter an email address to receive notifications from Let's Encrypt.
Request and Install | Click the button to request a TLS certificate from Let's Encrypt. If the request was successful, the certificate information will appear, see the next table.
8 Click on "Request and Install".
The request may take a few minutes.
*The TLS certificate is being installed.
*The certified SIP phones will be provisioned again.
The following information will then appear:
Name | Explanation
Certificate
Name | Certificate name is defined by Let's Encrypt and usually contains the FQDN and the creation date for information.
Expiration date | The date on which the validity of the certificate expires. The new certificate will be updated automatically by Let's Encrypt; you will receive a notification by e-mail.
Certificate installation state
Installed | Status of the certificate installation in the SwyxWare services.
9 Click on NEXT.
*The RemoteConnector access page appears.
Name | Explanation
Enable Remote access | Enable this option if client connections via Internet to SwyxServer should be allowed.
Authentication server (FQDN) | The public endpoint (as FQDN) of the company network, via which the authentication service can be reached, is assigned automatically. The default port for the authentication service is 9101. If you use a port other than the default 9101, it must be explicitly stated in the Client settings.
RemoteConnector server (FQDN) | The public endpoint (as FQDN) of the company network, via which the RemoteConnector can be reached, is automatically assigned. The default port for the RemoteConnector is 16203.
10 Click on NEXT.
*The RemoteConnector certificate page appears.
Name | Explanation
Automatic password management | Enable this option if you want the root certificate password to be generated automatically.
Generate client certificates | Enable this option if you want a RemoteConnector client certificate to be automatically generated for each user.
Manual password management | Enable this option if you want to assign the password for the root certificate yourself. In this case SwyxWare cannot automatically generate client certificates. You must do this for each user individually, entering the password assigned here in each case, see 11.2.1.3 The "RemoteConnector" Tab.
Password Authentication | Enter a password if necessary.
Generate certificates | Click the button to have the root and server certificates generated. The corresponding certificate thumbprints then appear.
11 Click on NEXT.
*The Summary page appears with an overview of your configuration.
Name | Explanation
Server configuration
Public IP address | This IP address has been determined by the SwyxON DNS service as the public IP address of your network.
Server name | This FQDN was randomly generated by the SwyxON DNS service and assigned to the public IP address. Clients must use this server name to communicate with the SwyxServer.
TLS configuration
TLS certificate mode | Automatic: TLS certificate is provided by Let's Encrypt.
TLS certificate valid until | The date on which the validity of the certificate expires. The certificate is automatically updated by SCST. You will receive a notification from Let's Encrypt via email.
TLS certificate name | Certificate name is defined by Let's Encrypt and usually contains the FQDN and the creation date for information.
Certificate installation state | Installed: Status of the certificate installation in the SwyxWare services.
RemoteConnector configuration
RemoteConnector access | Enabled: Client connection via Internet to SwyxServer is allowed.
Autom. password management | Enabled: The password for the RemoteConnector root certificate was automatically generated and is used by SwyxWare.
or
Manual password management | Enabled: The password for the RemoteConnector root certificate has been set by the administrator and must be entered each time when generating a RemoteConnector client certificate.
Generate client certificates | Enabled: Client certificates for all users are generated automatically.
or
Generate client certificates | Deactivated: The administrator must have a client certificate generated for each desired user.
12 Click on EXIT to close SCST.
Note: If necessary, resend a welcome email to the corresponding SwyxWare users with the new RemoteConnector credentials.