Secure VoIP

From Taridium

Revision as of 12:14, 24 August 2010 (view source) Webmaster (Talk | contribs) (→Aastra) ← Older edit		Revision as of 12:17, 24 August 2010 (view source) Webmaster (Talk | contribs) (→Aastra) Newer edit →
Line 66:		Line 66:
	# Place the ca.crt file in your Aastra provisioning directory (on ipbx this is usually /var/www/html/prov)/		# Place the ca.crt file in your Aastra provisioning directory (on ipbx this is usually /var/www/html/prov)/
	# Configure the '''Trusted Certificates Filename''' to be ca.crt		# Configure the '''Trusted Certificates Filename''' to be ca.crt
		+	# In your Global SIP Settings select '''Advanced SIP Settings''' -> '''Transport Protocol''' ->  '''Persistent TLS'''
		+	# Make sure your proxy and registrar ports are set to 5061
	==== Counterpath Bria ====		==== Counterpath Bria ====
	Place the ca.crt file on a webserver and load it using your browser to store it in our operatings system's ca		Place the ca.crt file on a webserver and load it using your browser to store it in our operatings system's ca

---

Revision as of 12:17, 24 August 2010

THIS PAGE IS UNDER CONSTRUCTION!

Contents 1 Setting up ipbx 2 Configuring SIP/TLS 2.1 Creating a Key File and CA 2.2 Creating a Self-Signed Certificate 2.3 Installing the Certificate 3 Setting up your Device 3.1 ipbx Configuration 3.2 Device Configuration 3.2.1 Aastra 3.2.2 Counterpath Bria

Setting up ipbx

Configuring SIP/TLS

Creating a Key File and CA

$ openssl genrsa -des3 -out ca.key 4096

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Sample CA Cert

 Country Name (2 letter code) [GB]:US
 State or Province Name (full name) [Berkshire]:New York
 Locality Name (eg, city) [Newbury]:New York
 Organization Name (eg, company) [My Company Ltd]:Taridium
 Organizational Unit Name (eg, section) []:engineering
 Common Name (eg, your name or your server's hostname) []:Taridium CA www.taridium.com
 Email Address []:info@taridium.com

$ openssl genrsa -out key.pem 1024

Certificate Signing Request

$ openssl req -new -key key.pem -out req-ipbx_taridium.csr

Country Name (2 letter code) [GB]:US
 State or Province Name (full name) [Berkshire]:New York
 Locality Name (eg, city) [Newbury]:New York
 Organization Name (eg, company) [My Company Ltd]:Taridium
 Organizational Unit Name (eg, section) []:engineering
 Common Name (eg, your name or your server's hostname) []:pbx.taridium.com
 Email Address []:support@taridium.com
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

Make sure your common name matches your server. Some phones will check for a matching name!

Creating a Self-Signed Certificate

To create the self-signed certificate, do the following:

$ openssl x509 -req -days 365 -in req-ipbx_taridium.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-ipbx.cert

Installing the Certificate

$ cat key.pem > asterisk.pem
$ cat cert-ipbx.cert >> asterisk.pem

$ mv asterisk.pem /etc/asterisk/
$ chown asterisk:asterisk /etc/asterisk/asterisk.pem

Setting up your Device

ipbx Configuration

Device Configuration

Aastra

1. Place the ca.crt file in your Aastra provisioning directory (on ipbx this is usually /var/www/html/prov)/
2. Configure the Trusted Certificates Filename to be ca.crt
3. In your Global SIP Settings select Advanced SIP Settings -> Transport Protocol -> Persistent TLS
4. Make sure your proxy and registrar ports are set to 5061

Counterpath Bria

Place the ca.crt file on a webserver and load it using your browser to store it in our operatings system's ca