Date: Tue, 7 Sep 2010 09:47:18 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls support.
I couldn't follow what you exactly did, but you should
1. create a self-signed CA certificate
2. create private and public key for server. Make certificate signing
request (CSR) from the public key. Sign this CSR with the CA certificate
- this will give you the server certificate.
3. configure in Kamailio the server's public key (certificate), the
server's private key and the CA certificate as CA list.
4. Import the CA certificate into the TLS client (e.g. the SIP client)
You can test if the Kamailio configuration works by using a browser, e.g.:
- surf with Internet Explorer to
https://domain.name.ofyour.sipproxy:5061/
This should give you a certificate warning (do NOT accept the
certificate)
- close Internet Explorer
- import CA certificate into Windows certificate store
- surf with Internet Explorer again to
https://domain.name.ofyour.sipproxy:5061/
This time there should not be any certificate warning.
You can also try other SIP clients, e.g. eyebeam (uses the Windows
certificate store), twinkle (Linux) or QjSimple (lets you specify the CA
file manually; do not configure a client certificate and private key)
regards
klaus
Hi Klaus,
I have configured as you advised:
1. create a self-signed CA certificate
Creating CA certificate
-----------------------
1. create CA dir
mkdir ca
cd ca
2. create ca dir structure and files (see ca(1))
mkdir demoCA #default CA name, edit /etc/ssl/openssl.cnf
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
echo 01 >demoCA/serial
3. create CA private key
openssl genrsa -out demoCA/private/cakey.pem 2048
chmod 600 demoCA/private/cakey.pem
4. create CA self-signed certificate
openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem
2. create private and public key for server. Make certificate signing
request (CSR) from the public key. Sign this CSR with the CA certificate
- this will give you the server certificate.
Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
openssl req -out ser1_cert_req.pem -new -nodes
WARNING: the organization name should be the same as in the ca certificate.
2. sign it with the ca certificate
openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
so "ser1_cert.pem" is the server certificate.
3. configure in Kamailio the server's public key (certificate), the
server's private key and the CA certificate as CA list.
my configuration is:
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/usr/local/etc/kamailio/ser1_cert.pem") # server cert
modparam("tls", "private_key", "/usr/local/etc/kamailio/privkey.pem") # privkey
modparam("tls", "ca_list", "/usr/local/etc/kamailio/calist.pem") # ca cert
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
4. Import the CA certificate into the TLS client (e.g. the SIP client)
I copied calist.pem to my PC and added it to IE's certificates, then tested.
the result is:
--> starting Kamailio is OK.
--> open IE: as you described, add calist.pem to the Windows certificate store, but it fails.
the message is: Windows cannot validate that the certificate is actually from
192.168.1.81. You should confirm its origin by contacting 192.168.1.81...
please help me to fix it .
thank you so much.
Peter Green.
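Klaus's four steps carried out end to end with the openssl CLI, as an added example that is neither from this thread nor from Kamailio's own README: it creates the CA, signs a server certificate whose subjectAltName names both the proxy's DNS name and its IP address, writes the calist.pem that the ca_list modparam points at, and then runs the same chain-and-name check a browser or SIP client performs before deciding whether to show a warning of the kind quoted above. The host name, IP address and directory are placeholders, and only the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes only the openssl CLI; all names are placeholders.
set -eu
PROXY_FQDN="sip.example.test"   # hypothetical name of the Kamailio proxy
PROXY_IP="192.0.2.10"           # hypothetical address clients also connect to

# Build the files Kamailio needs into directory $1 (steps 1-3 of the thread).
make_tls_material() {
  d="$1"; mkdir -p "$d"
  # 1. self-signed CA: owner-only key, CSR, self-signed with explicit CA extensions
  openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null
  chmod 600 "$d/cakey.pem"
  openssl req -new -key "$d/cakey.pem" -subj "/O=Example SIP/CN=Example SIP CA" -out "$d/ca_req.pem"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/ca_req.pem" -signkey "$d/cakey.pem" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/cacert.pem" 2>/dev/null
  # 2. server key + CSR (same O= as the CA, as the README warns), signed by the CA
  #    with a subjectAltName that covers both the DNS name and the IP address
  openssl genrsa -out "$d/privkey.pem" 2048 2>/dev/null
  chmod 600 "$d/privkey.pem"
  openssl req -new -key "$d/privkey.pem" -subj "/O=Example SIP/CN=$PROXY_FQDN" -out "$d/ser1_cert_req.pem"
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' "$PROXY_FQDN" "$PROXY_IP" > "$d/san.ext"
  openssl x509 -req -in "$d/ser1_cert_req.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
    -CAcreateserial -days 825 -extfile "$d/san.ext" -out "$d/ser1_cert.pem" 2>/dev/null
  # 3. the ca_list file for modparam("tls", "ca_list", ...) is just the trusted CA cert(s)
  cat "$d/cacert.pem" > "$d/calist.pem"
}

# Step 4 from the client's side: does ser1_cert.pem chain to calist.pem AND is it
# valid for the name or IP the user typed? Exit 0 = no warning, non-zero = warning.
verify_for_name() {
  d="$1"; name="$2"
  if printf '%s' "$name" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
    openssl verify -CAfile "$d/calist.pem" -verify_ip "$name" "$d/ser1_cert.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$d/calist.pem" -verify_hostname "$name" "$d/ser1_cert.pem" >/dev/null 2>&1
  fi
}

# Stand-alone demo: run with the argument "demo" to build the material and check
# the two names in the certificate plus an address that is not in it.
if [ "${1:-}" = "demo" ]; then
  make_tls_material ./tls-demo
  for n in "$PROXY_FQDN" "$PROXY_IP" 192.168.1.81; do
    verify_for_name ./tls-demo "$n" && echo "$n: ok" || echo "$n: certificate warning"
  done
fi
```

A client that connects by IP address passes this check only if that IP is in the certificate; a certificate issued for a host name alone produces the "cannot validate that the certificate is actually from 192.168.1.81" kind of warning when the browser is pointed at the address instead of the name.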