Hi all,

Firstly, apologies if the answer to this question should be obvious.

I have just started working with SRTP and had a self-signed certificate working perfectly. I have now purchased a CA signed certificate but can't get it to work properly with Asterisk. I think I have a configuration error.

The certificate is a GeoTrust Rapid SSL certificate. I have received my server specific crt file and also an intermediate certificate.

I am not sure of the following and would greatly appreciate if someone could give me some guidance:

* Can I specify the intermediate and .crt files separately in the sip.conf file? (I am thinking of a process similar to Apache where you specify three different files; server specific certificate, chain file and key file.)
* Should the intermediate and server specific certificates be combined into one certificate file?
* And, is it necessary to use both my server specific certificate and the intermediate certificate on the telephones or will the telephones only require the server specific certificate?

My test phone is a Yealink T28P.

Many thanks.

Stuart
On 30/01/12 17:12, Stuart Elvish wrote:
> Hi all,
>
> Firstly, apologies if the answer to this question should be obvious.
>
> I have just started working with SRTP and had a self-signed
> certificate working perfectly. I have now purchased a CA signed
> certificate but can't get it to work properly with Asterisk. I think I
> have a configuration error.

No, you've found a bug - I just posted an update about this issue
yesterday, predicting people would get stuck on this issue:

http://lists.digium.com/pipermail/asterisk-users/2012-January/269856.html

> The certificate is a GeoTrust Rapid SSL certificate. I have received
> my server specific crt file and also an intermediate certificate.

Intermediate certificates work for some user agents (e.g. my Polycom).
There has been speculation that they won't work with some older UAs.

Ultimately, most of the budget priced certificates are signed with an
intermediate cert, and OpenSSL supports it, so there is no reason
Asterisk shouldn't support this.

> I am not sure of the following and would greatly appreciate if someone
> could give me some guidance:
> * Can I specify the intermediate and .crt files separately in the
> sip.conf file? (I am thinking of a process similar to Apache where you
> specify three different files; server specific certificate, chain file
> and key file.)

No, for OpenSSL-based code (such as Asterisk), it works like this:

http://lists.sip-router.org/pipermail/sr-users/2012-January/071771.html

However, Asterisk needs to be patched first, as in bug 17727.

> * Should the intermediate and server specific certificates be combined
> into one certificate file?

Yes, in the correct order.

Currently, Asterisk expects the key and cert together in the same file:
I think that is bad, but that is the way it is:

https://issues.asterisk.org/jira/browse/ASTERISK-19267

> * And, is it necessary to use both my server specific certificate and
> the intermediate certificate on the telephones or will the telephones
> only require the server specific certificate?

The phones should already have the root certificate for Geotrust; you
should not deploy intermediate roots into the phones if you can avoid it.
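The reply above says the server certificate and the intermediate must be combined into one file, in the correct order, and that Asterisk currently reads the private key from that same file. As an added example (not code from this thread or from the Asterisk project), the Python below assembles such a bundle in the order OpenSSL's chain loader expects (SSL_CTX_use_certificate_chain_file takes the first CERTIFICATE block as the server's own certificate and every following block as a chain certificate; the private key is located by a separate scan, so its position is not significant) and then checks it structurally. It also passes the file to Python's `ssl` module, which calls those same OpenSSL loaders, so a real bundle is accepted only if the chain parses and the key matches the first certificate. The function names and the placeholder PEM bodies in the self-test are assumptions constructed for this example; they are not real certificates or keys.

```python
"""Assemble and check the single PEM file that Asterisk's tlscertfile points at.

Added example for this thread, not Asterisk code. Assumes the caller already
has the server certificate, the CA's intermediate certificate(s) and the
private key as PEM text. The self-test uses constructed placeholder blocks.
"""
import base64
import os
import re
import ssl
import tempfile

# One PEM block: label, base64 body, and the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def split_pem(text):
    """Return (label, block_text) for every PEM block, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_bundle(server_cert_pem, intermediate_pems, key_pem):
    """Concatenate the pieces in the order OpenSSL's chain loader expects.

    SSL_CTX_use_certificate_chain_file treats the first CERTIFICATE block as
    the server's own certificate and each following block as a chain
    certificate, so: server cert first, then intermediate(s), the one that
    signed the server cert first. SSL_CTX_use_PrivateKey_file scans the
    same file for the first PRIVATE KEY block, so the key's position does
    not matter; it is appended last here.
    """
    parts = [server_cert_pem, *intermediate_pems, key_pem]
    return "".join(p.strip() + "\n" for p in parts if p.strip())


def check_bundle(text):
    """Structural checks on a combined PEM file; returns a list of problems."""
    labels = [label for label, _ in split_pem(text)]
    n_cert = labels.count("CERTIFICATE")
    n_key = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    problems = []
    if n_cert == 0:
        problems.append("no CERTIFICATE block: the server certificate is missing")
    elif n_cert == 1:
        problems.append(
            "only one CERTIFICATE block: the intermediate certificate was not appended"
        )
    if n_key != 1:
        problems.append(f"expected exactly one private key block, found {n_key}")
    # Issuer/subject chaining (is block 2 really the CA that signed block 1?)
    # needs a certificate parser; openssl_accepts() below leaves that to OpenSSL.
    return problems


def openssl_accepts(text):
    """Load the bundle the way a TLS server would.

    Python's load_cert_chain calls SSL_CTX_use_certificate_chain_file and
    SSL_CTX_use_PrivateKey_file on the same file and then checks that the key
    matches the first certificate. Returns True if OpenSSL accepts the file.
    """
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(path)
        return True
    except (ssl.SSLError, OSError, ValueError):
        return False
    finally:
        os.unlink(path)


def fake_pem(label, seed):
    """Constructed placeholder for the self-test: valid PEM framing around
    base64 of filler bytes. NOT a real certificate or key."""
    body = base64.b64encode((seed * 16).encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    bundle = build_bundle(
        fake_pem("CERTIFICATE", "server"),
        [fake_pem("CERTIFICATE", "intermediate")],
        fake_pem("RSA PRIVATE KEY", "key"),
    )
    print([label for label, _ in split_pem(bundle)])
    print(check_bundle(bundle) or "structure OK")
    # Placeholders are not real DER, so OpenSSL rejects them; with a real
    # server cert, intermediate and matching key this should print True.
    print("openssl accepts:", openssl_accepts(bundle))
```

With real material, point `build_bundle` at the issued server certificate, the intermediate the CA supplied, and the key, write the result to the path given as `tlscertfile` in sip.conf, and treat `openssl_accepts` returning False as a sign that the chain order is wrong or the key does not belong to the first certificate.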
>>>>> * And, is it necessary to use both my server specific certificate and
>>>>> the intermediate certificate on the telephones or will the telephones
>>>>> only require the server specific certificate?
>>>> The phones should already have the root certificate for Geotrust, you
>>>> should not deploy intermediate roots into the phones if you can
>>>> avoid it
>>> If I understand this correctly (and the other emails you sent), the
>>> Polycom does not need any preloaded certificates / keys, it will ask the
>>> CA and then evaluate the certificate provided by Asterisk during TLS
>>> setup; is that correct? Makes it much easier. (Unfortunately my Polycom
>>> is a bit old so I will have to see if I can upgrade it.)

By `preloaded', I mean you should not have to load any certificates or
key pairs manually into the phones. The phones should have the default
CA certs that come in the firmware.

Most recent Polycom phones also have a client certificate and private
key built in. This allows you to secure the provisioning process.

Some of the older Polycoms went end-of-life, some don't have client
certs built in, so you'll have to research all that carefully on their
support site. E.g. the IP 300, IP 430 and IP 500 are too old for proper
TLS, while the IP321, IP 450 and IP550 are good.