I couldn't follow what you exactly did, but you should
1. create a self-signed CA certificate
2. create private and public key for server. Make certificate signing request (CSR) from the public key. Sign this CSR with the CA certificate - this will give you the server certificate.
3. configure in Kamailio the server's public key (certificate), the server's private key and the CA certificate as CA list.
4. Import the CA certificate into the TLS client (e.g. the SIP client)
You can test if the Kamailio configuration works by using a browser, e.g.:
- surf with Internet Explorer to https://domain.name.ofyour.sipproxy:5061/ This should give you a certificate warning (do NOT accept the certificate)
- close Internet Explorer
- import CA certificate into Windows certificate store
- surf with Internet Explorer again to https://domain.name.ofyour.sipproxy:5061/ This time there should not be any certificate warning.
You can also try other SIP clients, e.g. eyebeam (uses Windows certificate store), twinkle (Linux) or QjSimple (lets you specify the CA file manually, do not configure client certificate and private key).
regards klaus
On 06.09.2010 20:15, peter_green lion wrote:
Date: Mon, 6 Sep 2010 14:34:35 +0200
From: klaus.mailinglists@pernau.at
To: betergreen@live.com
CC: sr-users@lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls support.
On 06.09.2010 11:19, peter_green lion wrote:
I have the same problem when I add user-privkey.pem in the SIP client. I use the 3CX soft phone.
You have to import the self-signed certificate of the root CA which signed the server certificate. Maybe "cakey.pem" ?
Probably you have to read some certificate and openssl howtos to get proper background - SIP over TLS is just like HTTPS.
regards Klaus
Dear Klaus, I tried to test with all the .pem files in the ca directory, but I get the same error. I tried to verify the cert files and got:
openssl verify calist.pem
calist.pem: /C=vn/ST=hcm/L=htk/O=inc/OU=4/CN=kamailio
error 18 at 0 depth lookup:self signed certificate
OK
openssl verify privkey.pem
unable to load certificate
2904:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
openssl verify ser1_cert.pem
error 20 at 0 depth lookup:unable to get local issuer certificate
So is this my problem? Thanks for help. Peter Green
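Added example, not part of the original thread: steps 1 and 2 from the reply at the top carried out with openssl, followed by the two checks that relate to the quoted verify output. The file names, subject names and temporary directory are constructed for illustration. `openssl verify` only finds the issuer when the CA certificate is passed with `-CAfile`, and a private key is checked by comparing public keys, since it is not a certificate.

```shell
#!/bin/sh
# Added example. All file and subject names below are constructed.

# Steps 1 and 2: self-signed CA, then a server key + CSR signed by that CA.
make_test_pki() {
    dir=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca_cert.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server_key.pem" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/ca_cert.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
        -out "$dir/server_cert.pem" 2>/dev/null || return 1
}

# True only if openssl can build a chain from the certificate to a trusted
# root. $2 (optional) is the CA certificate to trust.
chain_ok() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
    else
        openssl verify "$1" 2>&1 | grep -q ': OK$'
    fi
}

# A private key is not a certificate, so "openssl verify" cannot load it.
# Compare the key's public half with the certificate's public key instead.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

tmp=$(mktemp -d)
make_test_pki "$tmp" sip.example.test
chain_ok "$tmp/server_cert.pem" "$tmp/ca_cert.pem" && echo "with CA file: chain OK"
chain_ok "$tmp/server_cert.pem" || echo "without CA file: issuer not found"
key_matches_cert "$tmp/server_key.pem" "$tmp/server_cert.pem" && echo "key matches cert"
rm -rf "$tmp"
```

The three files from step 3 correspond here to server_cert.pem, server_key.pem and ca_cert.pem; ca_key.pem stays with the CA and is not given to the server or to clients.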