[asterisk-users] CA Issued Certificates / TLS + SRTP

Daniel Pocock daniel at readytechnology.co.uk
Mon Jan 30 15:54:02 CST 2012



On 30/01/12 17:12, Stuart Elvish wrote:
> Hi all,
> 
> Firstly, apologies if the answer to this question should be obvious.
> 
> I have just started working with SRTP and had a self-signed
> certificate working perfectly. I have now purchased a CA signed
> certificate but can't get it to work properly with Asterisk. I think I
> have a configuration error.

No, you've found a bug - I just posted an update about this issue
yesterday, predicting people would get stuck on this issue:

http://lists.digium.com/pipermail/asterisk-users/2012-January/269856.html


> The certificate is a GeoTrust Rapid SSL certificate. I have received
> my server specific crt file and also an intermediate certificate.

Intermediate certificates work for some user agents (e.g. my Polycom).
There has been speculation that they won't work with some older UAs.

Ultimately, most of the budget priced certificates are signed with an
intermediate cert, and OpenSSL supports it, so there is no reason
Asterisk shouldn't support this.

> I am not sure of the following and would greatly appreciate if someone
> could give me some guidance:
> * Can I specify the intermediate and .crt files separately in the
> sip.conf file? (I am thinking of a process similar to Apache where you
> specify three different files; server specific certificate, chain file
> and key file.)

No, for OpenSSL-based code (such as Asterisk), it works like this:

http://lists.sip-router.org/pipermail/sr-users/2012-January/071771.html

However, Asterisk needs to be patched first, as in bug 17727.

> * Should the intermediate and server specific certificates be combined
> into one certificate file?

Yes, in the correct order.

Currently, Asterisk expects the key and cert together in the same file:
I think that is bad, but that is the way it is:

https://issues.asterisk.org/jira/browse/ASTERISK-19267

> * And, is it necessary to use both my server specific certificate and
> the intermediate certificate on the telephones or will the telephones
> only require the server specific certificate?

The phones should already have the root certificate for GeoTrust; you
should not deploy intermediate roots into the phones if you can avoid it.
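
One way to sanity-check a combined key-and-certificate file before pointing a server at it, as an added example that is not part of the original message or of Asterisk. It assumes the `openssl` CLI is installed and the leaf-first order that OpenSSL's `SSL_CTX_use_certificate_chain_file()` expects; `check_bundle`, `make_demo` and the demo names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a combined PEM file (private key + certificates).
# Assumption: server certificate first, then the intermediate(s), the order
# OpenSSL's SSL_CTX_use_certificate_chain_file() expects.

# check_bundle FILE: returns 0 when FILE holds a private key that matches the
# first certificate and each certificate names the next one as its issuer.
# Names only; signatures are not verified here. Unencrypted key assumed.
check_bundle() (
  d=$(mktemp -d) || exit 2
  trap 'rm -rf "$d"' EXIT
  # Split the PEM blocks: certificates to c1.pem, c2.pem, ..., key to key.pem.
  n=$(awk -v d="$d" '
    /-----BEGIN CERTIFICATE-----/   { out = d "/c" (++n) ".pem" }
    /-----BEGIN .*PRIVATE KEY-----/ { out = d "/key.pem" }
    out                             { print > out }
    /-----END /                     { out = "" }
    END                             { print n + 0 }' "$1")
  [ "$n" -ge 1 ] || { echo "no certificate in $1" >&2; exit 1; }
  [ -s "$d/key.pem" ] || { echo "no private key in $1" >&2; exit 1; }
  key_pub=$(openssl pkey -in "$d/key.pem" -pubout)
  crt_pub=$(openssl x509 -in "$d/c1.pem" -noout -pubkey)
  [ "$key_pub" = "$crt_pub" ] ||
    { echo "key does not match the first certificate" >&2; exit 1; }
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$d/c$i.pem" -noout -issuer -nameopt RFC2253)
    sub=$(openssl x509 -in "$d/c$((i + 1)).pem" -noout -subject -nameopt RFC2253)
    [ "${iss#*=}" = "${sub#*=}" ] ||
      { echo "certificate $i is not issued by certificate $((i + 1))" >&2; exit 1; }
    i=$((i + 1))
  done
)

# make_demo DIR: constructed test data. A throwaway self-signed CA stands in
# for the intermediate; good.pem is leaf-first, bad.pem has the order swapped.
make_demo() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/srv.pem" 2>/dev/null
  cat "$1/srv.key" "$1/srv.pem" "$1/ca.pem" > "$1/good.pem"
  cat "$1/srv.key" "$1/ca.pem" "$1/srv.pem" > "$1/bad.pem"
}

# Usage: sh check_bundle.sh /path/to/combined.pem
[ $# -eq 0 ] || check_bundle "$1"
```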


