[asterisk-users] CA Issued Certificates / TLS + SRTP

Stuart Elvish stuart.elvish at gmail.com
Tue Jan 31 07:29:07 CST 2012


Hi Daniel,
Thank you very much for your responses! At least I only wasted 5 hours
on the chained certificate issue.
I have some responses / questions below.

>> The certificate is a GeoTrust Rapid SSL certificate. I have received
>> my server-specific crt file and also an intermediate certificate.
>
> Intermediate certificates work for some user agents (e.g. my Polycom).
> There has been speculation that they won't work with some older UAs
>
> Ultimately, most of the budget priced certificates are signed with an
> intermediate cert, and OpenSSL supports it, so there is no reason
> Asterisk shouldn't support this.
>
You asked a question as to what people have experience with. When I
googled, the only response I found was this one which said Comodo
didn't work with Microsoft:
http://pbxinaflash.com/forum/showthread.php?t=11001

I quickly did a search using SSL shopper when I wanted to purchase a
"real" certificate and they said all 8 certificates they had on record
for a single domain were chained. I think this is a new requirement of
256 bit encryption so as you pointed out (and if I read the Rapid SSL
page properly), we aren't going to get away from it.


> Yes, in the correct order
>
> Currently, Asterisk expects the key and cert together in the same file:
> I think that is bad, but that is the way it is:
>
> https://issues.asterisk.org/jira/browse/ASTERISK-19267
I will give this a shot later on tonight...

>> * And, is it necessary to use both my server specific certificate and
>> the intermediate certificate on the telephones or will the telephones
>> only require the server specific certificate?
>
> The phones should already have the root certificate for Geotrust, you
> should not deploy intermediate roots into the phones if you can avoid it
If I understand this correctly (and the other emails you sent), the
Polycom does not need any preloaded certificates / keys, it will ask
the CA and then evaluate the certificate provided by Asterisk during
TLS setup; is that correct?

Kind Regards
Stuart
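Added example (not from the thread or from Asterisk): a shell walkthrough that builds a toy root -> intermediate -> server chain with openssl, assembles the single key + server cert + intermediate PEM that the reply above says Asterisk expects, and checks the chain the way a phone holding only the root CA would. All names, hostnames and certificates are constructed test material.

```shell
#!/bin/sh
# Toy root -> intermediate -> server chain, the combined PEM Asterisk wants,
# and chain verification. All certificates here are constructed test material.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_toy_chain() {
  # Self-signed root CA (stands in for the GeoTrust root a phone already trusts).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Toy Root CA" \
    -keyout root.key -out root.crt >/dev/null 2>&1
  # Intermediate CA signed by the root with CA:TRUE (the budget-CA tier).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA" \
    -keyout inter.key -out inter.csr >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile inter.ext -out inter.crt >/dev/null 2>&1
  # Server (PBX) certificate signed by the intermediate; hostname is made up.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=pbx.example.test" \
    -keyout server.key -out server.csr >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pbx.example.test\n' > server.ext
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -extfile server.ext -out server.crt >/dev/null 2>&1
}

# One file, in order: private key, server cert, then the intermediate.
# Prints the number of certificates in the bundle (2 when assembled correctly).
build_asterisk_pem() {
  cat server.key server.crt inter.crt > asterisk.pem
  grep -c 'BEGIN CERTIFICATE' asterisk.pem
}

# Succeeds only when server.crt chains to the root through the intermediate,
# i.e. what a phone holding just the root sees when the PBX sends the intermediate.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted inter.crt server.crt >/dev/null 2>&1
}

# Fails: with the root alone the server cert cannot be validated, which is why
# the intermediate must be served by the PBX rather than preloaded on phones.
verify_without_intermediate() {
  openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}

make_toy_chain
```

Run `verify_chain && echo "chain OK"` after sourcing to confirm the bundle; a reordered bundle (intermediate before server cert) would still pass `openssl verify` here, so check the file order separately before handing it to Asterisk.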
