[asterisk-dev] [Code Review] Add a contrib script for generating certs for TLS stuff

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Oct 22 06:03:06 CDT 2010


On Thu, Oct 21, 2010 at 08:30:04PM -0000, Terry Wilson wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/979/
> -----------------------------------------------------------
> 
> Review request for Asterisk Developers.
> 
> 
> Summary
> -------
> 
> After suffering through yet another fun day of setting up TLS certs for 
> asterisk, I figured I'd knock out a quick script so I don't ever have to
> do it again.
> 
> 
> Diffs
> -----
> 
>   /branches/1.8/contrib/scripts/ast_tls_cert PRE-CREATION 
> 
> Diff: https://reviewboard.asterisk.org/r/979/diff
> 
> 
> Testing
> -------
> 
> I've generated a CA, client, and server cert, installed the client and CA
> certs on the Blink softphone, and set the server and CA certs in sip.conf.
> Everything works.
> 
> Example:
> ./ast_tls_cert -C pbx.mycompany.com -O "My Company"
> ./ast_tls_cert -m client -C "Joe User" -O "My Company" -c ca.crt -k ca.key -o joe_user

Do those two commands include everything that needs to be done?

Are those scripts intended for testing only?

> 
> The first run would create the CA certs since the -c option wasn't passed and
> also asterisk.pem which would be copied to /etc/asterisk (or wherever) and
> used as the tlscertfile in sip.conf. The ca.crt can also be copied over and
> used as the tlscafile.

A CA is generally once per network, right?

> 
> The second run would create a client certificate using the previously created
> CA cert and write out joe_user.pem. I then copied ca.crt and joe_user.pem and
> configured Blink to use them and to verify the server.

What about permissions of files?

Another comment: one of the Debian packages (I don't recall exactly
which) labels the CA it creates "Snake Oil", to avoid the confusion.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
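
Added example (not part of the original message and not taken from the ast_tls_cert script): one way to check the file-permission question raised above after a run that leaves ca.key, asterisk.pem and joe_user.pem in a directory. The function names are hypothetical, and it is an assumption here that each .pem file bundles a private key with its certificate.

```shell
#!/bin/sh
# Audit key-bearing files produced by a cert-generation run.
# File names follow the thread (ca.key, asterisk.pem, joe_user.pem).
# Assumption: every *.pem holds a private key next to its certificate,
# so it is treated like a *.key file. ca.crt is public and is ignored.

# Print every *.key / *.pem under directory $1 that grants any permission
# bit to group or other. Only POSIX find primaries are used for the mode test.
loose_key_files() {
    find "$1" -type f \( -name '*.key' -o -name '*.pem' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Restrict every file reported by loose_key_files to owner read/write.
tighten_key_files() {
    loose_key_files "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Constructed demo: empty stand-in files in a scratch directory, created
# under a permissive umask the way a careless script run would leave them.
demo() {
    d=$(mktemp -d) || return 1
    ( umask 022; : > "$d/ca.crt"; : > "$d/ca.key"; : > "$d/asterisk.pem" )
    ( umask 077; : > "$d/joe_user.pem" )
    echo "group/world-accessible key files before:"
    loose_key_files "$d"
    tighten_key_files "$d"
    echo "remaining after chmod 600:"
    loose_key_files "$d"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Running the generation step under `umask 077` avoids the window in which the keys are readable before they are tightened.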


