Secure VoIP
From Taridium
(Difference between revisions)
(→Creating a Key File and CA) |
|||
| Line 4: | Line 4: | ||
===Creating a Key File and CA=== | ===Creating a Key File and CA=== | ||
| + | |||
| + | You can use your CA to sign your server certificate or you can use a commercial certificate. | ||
$ openssl genrsa -des3 -out ca.key 4096 | $ openssl genrsa -des3 -out ca.key 4096 | ||
| Line 9: | Line 11: | ||
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt | $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt | ||
| - | Sample CA Cert | + | '''Sample CA Cert''' |
Country Name (2 letter code) [GB]:US | Country Name (2 letter code) [GB]:US | ||
| Line 21: | Line 23: | ||
$ openssl genrsa -out key.pem 1024 | $ openssl genrsa -out key.pem 1024 | ||
| - | Certificate Signing Request | + | '''Sample Certificate Signing Request''' |
$ openssl req -new -key key.pem -out req-ipbx_taridium.csr | $ openssl req -new -key key.pem -out req-ipbx_taridium.csr | ||
Revision as of 12:25, 24 August 2010
THIS PAGE IS UNDER CONSTRUCTION!
Contents |
Configuring SIP/TLS
Creating a Key File and CA
You can use your CA to sign your server certificate or you can use a commercial certificate.
$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Sample CA Cert
Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:New York Locality Name (eg, city) [Newbury]:New York Organization Name (eg, company) [My Company Ltd]:Taridium Organizational Unit Name (eg, section) []:engineering Common Name (eg, your name or your server's hostname) []:Taridium CA www.taridium.com Email Address []:info@taridium.com
$ openssl genrsa -out key.pem 1024
Sample Certificate Signing Request
$ openssl req -new -key key.pem -out req-ipbx_taridium.csr
Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:New York Locality Name (eg, city) [Newbury]:New York Organization Name (eg, company) [My Company Ltd]:Taridium Organizational Unit Name (eg, section) []:engineering Common Name (eg, your name or your server's hostname) []:pbx.taridium.com Email Address []:support@taridium.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Make sure your common name matches your server. Some phones will check for a matching name!
Creating a Self-Signed Certificate
To create the self-signed certificate, do the following:
$ openssl x509 -req -days 365 -in req-ipbx_taridium.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-ipbx.cert
Installing the Certificate
$ cat key.pem > asterisk.pem $ cat cert-ipbx.cert >> asterisk.pem
$ mv asterisk.pem /etc/asterisk/ $ chown asterisk:asterisk /etc/asterisk/asterisk.pem
Setting up ipbx for TLS Use
Setting up your Device
ipbx Configuration
Device Configuration
Aastra
Aastra phones using TLS check for the following:
- Whether the certificate hasn't expired (make sure your NTP server is configured)
- Whether the CN (common name) of the certificate matches the SIP registrar and proxy
- Whether the certificate has been signed by a trusted entity. In the above case we have created our own CA certificate. See instructions below on how to place your CA certificate.
- Place the ca.crt file in your Aastra provisioning directory (on ipbx this is usually /var/www/html/prov)/
- Configure the Trusted Certificates Filename to be ca.crt
- In your Global SIP Settings select Advanced SIP Settings → Transport Protocol → Persistent TLS
- Make sure your proxy and registrar ports are set to 5061
Counterpath Bria
Place the ca.crt file on a webserver and load it using your browser to store it in our operatings system's certificate store. Use Internet Explorer for Windows or Safari for OS X and iOS (iPhone & iPad) operating systems.
