> Date: Tue, 7 Sep 2010 09:47:18 +0200
> From: klaus.mailinglists@pernau.at
> To: betergreen@live.com
> CC: sr-users@lists.sip-router.org
> Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls support.
>
> I couldn't follow what you exactly did, but you should
>
> 1. create a self-signed CA certificate
>
> 2. create private and public key for server. Make certificate signing
> request (CSR) from the public key. Sign this CSR with the CA certificate
> - this will give you the server certificate.
>
> 3. configure in Kamailio the server's public key (certificate), the
> server's private key and the CA certificate as CA list.
>
> 4. Import the CA certificate into the TLS client (e.g. the SIP client)
>
> You can test if the Kamailio configuration works by using a browser, e.g.:
>
> - surf with Internet Explorer to
> https://domain.name.ofyour.sipproxy:5061/
> This should give you a certificate warning (do NOT accept the
> certificate)
>
> - close Internet Explorer
>
> - import CA certificate into Windows certificate store
>
> - surf with Internet Explorer again to
> https://domain.name.ofyour.sipproxy:5061/
> This time there should not be any certificate warning.
>
>
> You can also try other SIP clients, e.g. eyebeam (uses Windows
> certificate store), twinkle (Linux) or QjSimple (lets you specify the CA
> file manually; do not configure client certificate and private key)
>
> regards
> klaus

Hi Klaus,
I have configured as you advised:
> 1. create a self-signed CA certificate
Creating CA certificate
-----------------------
1. create CA dir
mkdir ca
cd ca

2. create ca dir structure and files (see ca(1))
mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
echo 01 >demoCA/serial

3. create CA private key
openssl genrsa -out demoCA/private/cakey.pem 2048
chmod 600 demoCA/private/cakey.pem

4. create CA self-signed certificate
openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem
> 2. create private and public key for server. Make certificate signing
> request (CSR) from the public key. Sign this CSR with the CA certificate
> - this will give you the server certificate.

Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
openssl req -out ser1_cert_req.pem -new -nodes
WARNING: the organization name should be the same as in the ca certificate.

2. sign it with the ca certificate
openssl ca -in ser1_cert_req.pem -out ser1_cert.pem

so "ser1_cert.pem" is the server certificate.

> 3. configure in Kamailio the server's public key (certificate), the
> server's private key and the CA certificate as CA list.

my configuration is:

modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/usr/local/etc/kamailio/ser1_cert.pem") #server cert
modparam("tls", "private_key", "/usr/local/etc/kamailio/privkey.pem") #privkey
modparam("tls", "ca_list", "/usr/local/etc/kamailio/calist.pem") #ca cert
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)


> 4. Import the CA certificate into the TLS client (e.g. the SIP client)

I copied calist.pem to my PC and added it to the IE certificate store, then tested:

the result is:

--> starting kamailio is ok.
--> open IE: as you describe, add calist.pem to the Windows certificate store, but it fails.

message is: Windows cannot validate that the certificate is actually from 192.168.1.81. You should confirm its origin by contacting 192.168.1.81...


please help me to fix it.
thank you so much.
Peter Green.
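Added example, not from the thread and not Kamailio's own scripts: a POSIX shell version of the CA and server-certificate steps discussed above, ending with the check a browser or SIP client performs once the CA is imported, i.e. that the certificate chains to the CA and names the address the client actually dialed. It assumes openssl(1) is installed; 192.168.1.81 is the address quoted in the reply, sip.example.test is a constructed name, and "openssl x509 -req" stands in for "openssl ca" so no demoCA directory layout is needed.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA + Kamailio server cert whose
# subjectAltName carries the address the SIP client dials, then chain + name check.
# Assumes openssl(1) on PATH; 192.168.1.81 is the thread's address, DNS name is constructed.

# make_pki DIR IP DNS -> DIR/cacert.pem (ca_list), DIR/ser1_cert.pem, DIR/privkey.pem
make_pki() {
    dir=$1; ip=$2; dns=$3
    mkdir -p "$dir" || return 1
    # one config for both steps; [dn] only satisfies req(1), -subj overrides it
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[srv_ext]
basicConstraints = CA:FALSE
subjectAltName = IP:$ip,DNS:$dns
EOF
    # 1. CA key + self-signed CA certificate (the file the client must import)
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -config "$dir/pki.cnf" \
        -extensions ca_ext -subj "/O=Example SIP/CN=Example SIP CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" || return 1
    # 2. server key + CSR; the CN alone is not what modern clients compare against
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/pki.cnf" \
        -subj "/O=Example SIP/CN=$dns" -keyout "$dir/privkey.pem" \
        -out "$dir/ser1_cert_req.pem" || return 1
    # 3. sign with the CA ("openssl x509 -req" stands in for the thread's
    #    "openssl ca", so no demoCA directory layout is needed)
    openssl x509 -req -in "$dir/ser1_cert_req.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 825 \
        -extfile "$dir/pki.cnf" -extensions srv_ext -out "$dir/ser1_cert.pem"
}

# cert_ok DIR NAME -> 0 only if ser1_cert.pem chains to cacert.pem AND is valid
# for NAME (IP literal or DNS name). A failure here is the same mismatch a
# browser or SIP client reports even after the CA has been imported.
cert_ok() {
    dir=$1; name=$2
    case $name in
        *[!0-9.]*) flag=-verify_hostname ;;   # anything beyond digits and dots
        *)         flag=-verify_ip ;;
    esac
    openssl verify -CAfile "$dir/cacert.pem" "$flag" "$name" "$dir/ser1_cert.pem" >/dev/null 2>&1
}
```

Run it as `make_pki /tmp/pki 192.168.1.81 sip.example.test && cert_ok /tmp/pki 192.168.1.81` and point Kamailio's certificate, private_key and ca_list parameters at ser1_cert.pem, privkey.pem and cacert.pem; cert_ok with an address that is not in the certificate fails, which is the case to rule out before blaming the client.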