[Users] TLS - certificate infrastructure

Alexander Ph. Lintenhofer lintenhofer at aon.at
Wed Oct 5 22:10:15 CEST 2005


Hi everybody,

I want to test openser 0.10.x and its TLS capabilities. Therefore I plan 
to install two proxies, sip.atlanta.com and sip.biloxi.com. Two users, 
alice at atlanta.com and sip.biloxi.com, should communicate over the two 
proxies secured by TLS. The UAs are snom360 phones.

 ----------------------      -----------------      -----------------      -------------------
| alice at atlanta.com | <--> | sip.atlanta.com | <--> | sip.biloxi.com | <--> | bob at biloxi.com |
 ----------------------      -----------------      -----------------      -------------------

Mutual authentication should take place between the UAC and the outbound 
proxy, between the two proxies, and between the inbound proxy and the UAS.
The problem is that I am not sure about the organisation of the 
certificate infrastructure. I don't know which would be the best 
solution to implement.
So please look at my suggestions and feel free to make your comments.

1. user certificate for alice at atlanta.com
2. server certificate for sip.atlanta.com
3. server certificate for sip.biloxi.com
4. user certificate for bob.biloxi.com
The root certificate is self-signed (Does this work with openser?)


a.) One common CA (=root) signs all components.

          -----------
         |    CA     |
          -----------
          /  /  \  \
         /  /    \  \
        /   |    |   \
      ---  ---  ---  ---
      |1|  |2|  |3|  |4|
      ---  ---  ---  ---

b.) Two separate CAs (= each one's root) sign their proxy and UA. Mutual import of the other domain's root certificate takes place.

     -----        -----
    |CA A |      |CA B |
     -----        -----
     /   \        /   \
    ---  ---     ---  ---
    |1|  |2|     |3|  |4|
    ---  ---     ---  ---

c.) One common root signs two CAs which sign their proxy and UA.

          -----------
         | root-cert |
          -----------
          /        \
         /          \
      -----        -----
     |CA A |      |CA B |
      -----        -----
      /   \        /   \
     ---  ---     ---  ---
     |1|  |2|     |3|  |4|
     ---  ---     ---  ---


Thank you very much for your help!

regards,
Philipp
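Option c.) built end to end with the openssl command line, as an added example that is not part of the original post: a self-signed root-cert signs CA A and CA B, each CA signs its proxy and its user certificate, and the final two checks show that domain A needs only the common root to accept bob's certificate from domain B, while CA A on its own (option b.) before the mutual import) is rejected. It assumes the openssl CLI is installed; every file name and subject name is constructed for the example.

```shell
#!/bin/sh
# Option (c): a self-signed root signs CA A and CA B, each CA signs its proxy and its user.
# Assumes the openssl CLI (1.1.1 or newer); every file and subject name here is constructed.
set -eu

# gen_cert NAME SUBJECT EXTFILE ISSUER -> NAME.key and NAME.crt in the current directory.
# ISSUER is the name of an existing CA, or "self" for the self-signed root.
gen_cert() {
  name=$1; subj=$2; ext=$3; issuer=$4
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 365 \
      -extfile "$ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 365 -extfile "$ext" -out "$name.crt" 2>/dev/null
  fi
}

# build_pki DIR: writes root-cert, ca-a, ca-b, sip.atlanta.com, alice, sip.biloxi.com, bob into DIR.
build_pki() {
  (
    cd "$1"
    # CA certificates need CA:TRUE and keyCertSign, or openssl verify rejects them as issuers.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # Each SIP component is TLS client and server (mutual auth in both directions), so the
    # end-entity certificates carry both serverAuth and clientAuth.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > ee.ext
    printf 'extendedKeyUsage=serverAuth,clientAuth\n' >> ee.ext
    gen_cert root-cert       "/CN=root-cert"         ca.ext self
    gen_cert ca-a            "/CN=CA A"              ca.ext root-cert
    gen_cert ca-b            "/CN=CA B"              ca.ext root-cert
    gen_cert sip.atlanta.com "/CN=sip.atlanta.com"   ee.ext ca-a
    gen_cert alice           "/CN=alice@atlanta.com" ee.ext ca-a
    gen_cert sip.biloxi.com  "/CN=sip.biloxi.com"    ee.ext ca-b
    gen_cert bob             "/CN=bob@biloxi.com"    ee.ext ca-b
  )
}

# verify_chain ANCHOR UNTRUSTED LEAF: exit 0 if LEAF chains to ANCHOR through UNTRUSTED.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

DEMO=$(mktemp -d)
build_pki "$DEMO"
# Domain A needs only the common root to accept bob's certificate from domain B ...
verify_chain "$DEMO/root-cert.crt" "$DEMO/ca-b.crt" "$DEMO/bob.crt" && echo "bob via root-cert: OK"
# ... whereas CA A on its own, as in option (b) before importing CA B's root, is not enough.
verify_chain "$DEMO/ca-a.crt" "$DEMO/ca-b.crt" "$DEMO/bob.crt" || echo "bob via CA A only: rejected"
```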
