Date: Tue, 7 Sep 2010 09:47:18 +0200
From: klaus.mailinglists@pernau.at
To: betergreen@live.com
CC: sr-users@lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls support.
I couldn't follow what you exactly did, but you should
- create a self-signed CA certificate
- create private and public key for server. Make certificate signing
  request (CSR) from the public key. Sign this CSR with the CA certificate
  - this will give you the server certificate.
- configure in Kamailio the server's public key (certificate), the
  server's private key and the CA certificate as CA list.
- Import the CA certificate into the TLS client (e.g. the SIP client)
You can test if the Kamailio configuration works by using a browser e.g:
- surf with Internet Explorer to https://domain.name.ofyour.sipproxy:5061/
  This should give you a certificate warning (do NOT accept the certificate)
- close Internet Explorer
- import CA certificate into Windows certificate store
- surf with Internet Explorer again to https://domain.name.ofyour.sipproxy:5061/
  This time there should not be any certificate warning.
You can also try other SIP clients, e.g. eyebeam (uses Windows certificate store), twinkle (Linux) or QjSimple (lets you specify the CA file manually; do not configure client certificate and private key).
regards klaus
Hi Klaus, I have configured as you advised:
- create a self-signed CA certificate
Creating CA certificate
-----------------------
1. create CA dir
   mkdir ca
   cd ca
2. create ca dir structure and files (see ca(1))
   mkdir demoCA   # default CA name, edit /etc/ss/openssl.cnf
   mkdir demoCA/private
   mkdir demoCA/newcerts
   touch demoCA/index.txt
   echo 01 >demoCA/serial
3. create CA private key
   openssl genrsa -out demoCA/private/cakey.pem 2048
   chmod 600 demoCA/private/cakey.pem
4. create CA self-signed certificate
   openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem
- create private and public key for server. Make certificate signing
  request (CSR) from the public key. Sign this CSR with the CA certificate
  - this will give you the server certificate.
Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
   openssl req -out ser1_cert_req.pem -new -nodes
   WARNING: the organization name should be the same as in the ca certificate.
2. sign it with the ca certificate
   openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
so "ser1_cert.pem" is the server certificate.
- configure in Kamailio the server's public key (certificate), the
  server's private key and the CA certificate as CA list.
my configuration is:
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/usr/local/etc/kamailio/ser1_cert.pem")  # server cert
modparam("tls", "private_key", "/usr/local/etc/kamailio/privkey.pem")    # privkey
modparam("tls", "ca_list", "/usr/local/etc/kamailio/calist.pem")         # ca cert
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
- Import the CA certificate into the TLS client (e.g. the SIP client)
I copied calist.pem to my PC, added it to the IE certificate store, and tested.
the result is:
--> starting kamailio is ok.
--> open IE: as you described, I added calist.pem to the Windows certificate store, but it fails.
the message is: "Windows cannot validate that the certificate is actually from 192.168.1.81. You should confirm its origin by contacting 192.168.1.81..."
please help me to fix it. thank you so much. Peter Green.
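The following script is an added example and is not code from the thread, from Klaus, or from the Kamailio project. It builds the PKI Klaus describes (self-signed CA, server key and CSR, CA-signed server certificate, CA list) with the openssl command line, and then runs the three checks a TLS client performs before it trusts the proxy: the server certificate chains to the CA list, the private key belongs to the certificate, and the name the client connects to is covered by the certificate. Signing uses "openssl x509 -req" with a small config file instead of "openssl ca", so no demoCA directory is required; the host name "sip.example.test", the subject names and all file paths are constructed for the demo. The last check uses a bare IP address, which only passes when the certificate carries an IP subjectAltName, which is the situation a client is in when it is pointed at an address rather than a host name.

```shell
#!/bin/sh
# Added example (not from the thread or Kamailio): build a test PKI with
# openssl and verify what a TLS client will verify. Host name, subjects and
# paths are constructed; the signing step uses "openssl x509 -req" rather
# than "openssl ca", so no demoCA directory is needed.

# make_test_pki DIR HOST: CA key + self-signed CA cert, server key + CSR,
# CA-signed server cert, and the CA list handed to Kamailio and to clients
make_test_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    # Minimal config: empty DN section (subjects come from -subj), CA
    # extensions that make the CA a CA, server extensions that bind the
    # server cert to its DNS name.
    cat >"$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. CA private key and self-signed CA certificate (what clients import)
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -config "$dir/pki.cnf" -extensions v3_ca \
        -subj "/O=Example SIP/CN=Example SIP CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    chmod 600 "$dir/cakey.pem"
    # 2. server private key and CSR; the CN is the name clients connect to
    openssl req -new -nodes -newkey rsa:2048 \
        -config "$dir/pki.cnf" \
        -subj "/O=Example SIP/CN=$host" \
        -keyout "$dir/privkey.pem" -out "$dir/ser1_cert_req.pem" 2>/dev/null || return 1
    chmod 600 "$dir/privkey.pem"
    # 3. sign the CSR with the CA key: this yields the server certificate
    openssl x509 -req -days 365 -in "$dir/ser1_cert_req.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_server \
        -out "$dir/ser1_cert.pem" 2>/dev/null || return 1
    # 4. the CA list (here just the one CA certificate)
    cp "$dir/cacert.pem" "$dir/calist.pem"
}

# chain_ok DIR: server certificate chains to the CA list
chain_ok() {
    openssl verify -CAfile "$1/calist.pem" "$1/ser1_cert.pem" >/dev/null 2>&1
}

# keypair_ok DIR: privkey.pem is the private key for ser1_cert.pem
keypair_ok() {
    cert_pub=$(openssl x509 -in "$1/ser1_cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# name_ok DIR NAME: certificate covers the DNS name the client connects to
name_ok() {
    openssl verify -CAfile "$1/calist.pem" -verify_hostname "$2" \
        "$1/ser1_cert.pem" >/dev/null 2>&1
}

# ip_ok DIR IP: certificate covers a bare IP address (needs an IP SAN)
ip_ok() {
    openssl verify -CAfile "$1/calist.pem" -verify_ip "$2" \
        "$1/ser1_cert.pem" >/dev/null 2>&1
}

# Stand-alone run: build the PKI in a scratch directory and report each check
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" sip.example.test || { echo "pki build failed"; exit 1; }
chain_ok "$demo_dir"   && echo "chain to CA list: OK"   || echo "chain to CA list: FAIL"
keypair_ok "$demo_dir" && echo "key matches cert: OK"   || echo "key matches cert: FAIL"
name_ok "$demo_dir" sip.example.test && echo "name sip.example.test: OK" || echo "name: FAIL"
ip_ok "$demo_dir" 192.0.2.10 && echo "ip 192.0.2.10: OK" || echo "ip 192.0.2.10: not covered (no IP SAN)"
rm -rf "$demo_dir"
```

The three check functions take the same files the Kamailio "certificate", "private_key" and "ca_list" parameters point at, so they can be run against a real installation's files before the proxy is started; a failing name check for the address a client actually types is worth ruling out before looking at the Kamailio side.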