[asterisk-dev] [Code Review] Add a contrib script for generating certs for TLS stuff

Terry Wilson twilson at digium.com
Fri Oct 22 16:32:19 CDT 2010


> Do those two commands include everything that needs to be done?

As far as generating the initial CA and server and client certs, yes. With the -d option, you specify an output directory which could be /etc/asterisk/certs or keys or whatever.

> Are those scripts intended for testing only?

Ideally, people would use it mostly for testing. It is certainly possible to use self-signed certificates responsibly in production, but it does take some understanding of how everything works. As part of the usage info (-h), I tell people that it would be better to get a cert from a CA and have an understanding of how SSL works.

For one thing, I cannot get Eyebeam for Mac to work with a self-signed certificate even if I add the CA to the Keychain, etc. There may be other devices that don't work with self-signed certs.

>> 
>> The first run would create the CA certs since the -c option wasn't passed and
>> also asterisk.pem which would be copied to /etc/asterisk (or wherever) and
>> used as the tlscertfile in sip.conf. The ca.crt can also be copied over and
>> used as the tlscafile.
> 
> A CA is generally once per network, right?

Correct.

>> 
>> The second run would create a client certificate using the previously created
>> CA cert and write out joe_user.pem. I then copied ca.crt and joe_user.pem and
>> configured Blink to use them and to verify the server.
> 
> What about permissions of files?

That's a good point. I should probably call `umask 337` at the top of the script to make it read only for owner.
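The permissions point above is worth checking concretely, because the umask a cert-generating script sets determines the mode of every key and PEM file it writes. The helper below is an added example, not part of the contrib script under review; it creates a throwaway file under a given umask and reports the resulting mode, so a script author can verify what 337, 377 or 077 actually yield before shipping.

```shell
#!/bin/sh
# Added example (not the contrib script under review): show the file mode
# that a newly created key/cert file gets under a given umask.
# New files are created with 0666 & ~umask, so 337 yields 0440 (owner and
# group readable), 377 yields 0400 and 077 yields 0600 (owner only).

# Hypothetical helper: create a file under umask $1 in a temp dir and print
# its symbolic mode as shown by ls -l (portable across GNU and BSD ls).
mode_under_umask() {
    _mask="$1"
    _dir=$(mktemp -d) || return 1
    # The umask only applies inside the subshell, so the caller is unaffected.
    ( umask "$_mask" && : > "$_dir/key.pem" ) || { rm -rf "$_dir"; return 1; }
    _perm=$(ls -l "$_dir/key.pem" | cut -c1-10)
    rm -rf "$_dir"
    printf '%s\n' "$_perm"
}

# Hypothetical check a script could run on its own output directory:
# succeed only if no key/cert file is readable by group or others.
no_group_other_access() {
    _d="$1"
    for _f in "$_d"/*.pem "$_d"/*.key; do
        [ -e "$_f" ] || continue
        case $(ls -l "$_f" | cut -c5-10) in
            ------) ;;                 # only owner bits set
            *) return 1 ;;
        esac
    done
    return 0
}

# Demonstration for the umasks discussed above (script comparison table).
for m in 022 337 377 077; do
    printf 'umask %s -> %s\n' "$m" "$(mode_under_umask "$m")"
done
```

Running the loop prints one line per umask; 337 shows the group read bit still set, which is the case a script author would want to decide on deliberately.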
