Secure VoIP
From Taridium
(Difference between revisions)
(→Aastra) |
(→Aastra) |
||
Line 69: | Line 69: | ||
* Whether the CN (common name) of the certificate matches the SIP registrar and proxy | * Whether the CN (common name) of the certificate matches the SIP registrar and proxy | ||
* Whether the certificate has been signed by a trusted entity. In the above case we have created our own CA certificate. See instructions below on how to place your CA certificate. | * Whether the certificate has been signed by a trusted entity. In the above case we have created our own CA certificate. See instructions below on how to place your CA certificate. | ||
+ | |||
# Place the ca.crt file in your Aastra provisioning directory (on ipbx this is usually /var/www/html/prov)/ | # Place the ca.crt file in your Aastra provisioning directory (on ipbx this is usually /var/www/html/prov)/ |
Revision as of 12:21, 24 August 2010
THIS PAGE IS UNDER CONSTRUCTION!
Contents |
Setting up ipbx
Configuring SIP/TLS
Creating a Key File and CA
$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Sample CA Cert
Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:New York Locality Name (eg, city) [Newbury]:New York Organization Name (eg, company) [My Company Ltd]:Taridium Organizational Unit Name (eg, section) []:engineering Common Name (eg, your name or your server's hostname) []:Taridium CA www.taridium.com Email Address []:info@taridium.com
$ openssl genrsa -out key.pem 1024
Certificate Signing Request
$ openssl req -new -key key.pem -out req-ipbx_taridium.csr
Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:New York Locality Name (eg, city) [Newbury]:New York Organization Name (eg, company) [My Company Ltd]:Taridium Organizational Unit Name (eg, section) []:engineering Common Name (eg, your name or your server's hostname) []:pbx.taridium.com Email Address []:support@taridium.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Make sure your common name matches your server. Some phones will check for a matching name!
Creating a Self-Signed Certificate
To create the self-signed certificate, do the following:
$ openssl x509 -req -days 365 -in req-ipbx_taridium.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-ipbx.cert
Installing the Certificate
$ cat key.pem > asterisk.pem $ cat cert-ipbx.cert >> asterisk.pem
$ mv asterisk.pem /etc/asterisk/ $ chown asterisk:asterisk /etc/asterisk/asterisk.pem
Setting up your Device
ipbx Configuration
Device Configuration
Aastra
Aastra phones using TLS check for the following:
- Whether the certificate hasn't expired (make sure your NTP server is configured)
- Whether the CN (common name) of the certificate matches the SIP registrar and proxy
- Whether the certificate has been signed by a trusted entity. In the above case we have created our own CA certificate. See instructions below on how to place your CA certificate.
- Place the ca.crt file in your Aastra provisioning directory (on ipbx this is usually /var/www/html/prov)/
- Configure the Trusted Certificates Filename to be ca.crt
- In your Global SIP Settings select Advanced SIP Settings → Transport Protocol → Persistent TLS
- Make sure your proxy and registrar ports are set to 5061
Counterpath Bria
Place the ca.crt file on a webserver and load it using your browser to store it in our operatings system's ca