Secure VoIP

From Taridium

THIS PAGE IS UNDER CONSTRUCTION!

Contents 1 Setting up ipbx 2 Configuring SIP/TLS 2.1 Creating a Key File and CA 2.2 Creating a Self-Signed Certificate 2.3 Installing the Certificate 3 Setting up your Device 3.1 ipbx Configuration 3.2 Device Configuration 3.2.1 Aastra 3.2.2 Counterpath Bria

Setting up ipbx

Configuring SIP/TLS

Creating a Key File and CA

$ openssl genrsa -des3 -out ca.key 4096

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Sample CA Cert

 Country Name (2 letter code) [GB]:US
 State or Province Name (full name) [Berkshire]:New York
 Locality Name (eg, city) [Newbury]:New York
 Organization Name (eg, company) [My Company Ltd]:Taridium
 Organizational Unit Name (eg, section) []:engineering
 Common Name (eg, your name or your server's hostname) []:Taridium CA www.taridium.com
 Email Address []:info@taridium.com

$ openssl genrsa -out key.pem 1024

Certificate Signing Request

$ openssl req -new -key key.pem -out req-ipbx_taridium.csr

Country Name (2 letter code) [GB]:US
 State or Province Name (full name) [Berkshire]:New York
 Locality Name (eg, city) [Newbury]:New York
 Organization Name (eg, company) [My Company Ltd]:Taridium
 Organizational Unit Name (eg, section) []:engineering
 Common Name (eg, your name or your server's hostname) []:pbx.taridium.com
 Email Address []:support@taridium.com
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

Make sure your common name matches your server. Some phones will check for a matching name!

Creating a Self-Signed Certificate

To create the self-signed certificate, do the following:

$ openssl x509 -req -days 365 -in req-ipbx_taridium.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-ipbx.cert

Installing the Certificate

$ cat key.pem > asterisk.pem
$ cat cert-ipbx.cert >> asterisk.pem

$ mv asterisk.pem /etc/asterisk/
$ chown asterisk:asterisk /etc/asterisk/asterisk.pem

Setting up your Device

ipbx Configuration

Device Configuration

Aastra

Aastra phones using TLS check for the following:

• Whether the certificate hasn't expired (make sure your NTP server is configured)
• Whether the CN (common name) of the certificate matches the SIP registrar and proxy
• Whether the certificate has been signed by a trusted entity. In the above case we have created our own CA certificate. See instructions below on how to place your CA certificate.

1. Place the ca.crt file in your Aastra provisioning directory (on ipbx this is usually /var/www/html/prov)/
2. Configure the Trusted Certificates Filename to be ca.crt
3. In your Global SIP Settings select Advanced SIP Settings → Transport Protocol → Persistent TLS
4. Make sure your proxy and registrar ports are set to 5061

Counterpath Bria

Place the ca.crt file on a webserver and load it using your browser to store it in our operatings system's ca