[asterisk-dev] [Code Review] Add a contrib script for generating certs for TLS stuff
Terry Wilson
twilson at digium.com
Fri Oct 22 16:32:19 CDT 2010
> Do those two commands include everything that needs to be done?
As far as generating the initial CA and server and client certs, yes. With the -d option, you specify an output directory which could be /etc/asterisk/certs or keys or whatever.
> Are those scripts intended for testing only?
Ideally, people would use it mostly for testing. It is certainly possible to use self-signed certificates responsibly in production, but it does take some understanding of how everything works. As part of the usage info (-h), I tell people that it would be better to get a cert from a CA and have an understanding of how SSL works.
For one thing, I cannot get Eyebeam for Mac to work with a self-signed certificate even if I add the CA to the Keychain, etc. There may be other devices that don't work with self-signed certs.
>>
>> The first run would create the CA certs since the -c option wasn't passed and
>> also asterisk.pem which would be copied to /etc/asterisk (or wherever) and
>> used as the tlscertfile in sip.conf. The ca.crt can also be copied over and
>> used as the tlscafile.
>
> A CA is generally once per network, right?
Correct.
>>
>> The second run would create a client certificate using the previously created
>> CA cert and write out joe_user.pem. I then copied ca.rt and joe_user.pem and
>> configured Blink to use them and to verify the server.
>
> What about permissions of files?
That's a good point. I should probably call `umask 337` at the top of the script to make it read only for owner.
More information about the asterisk-dev
mailing list