[SR-Users] please help to register sip phone to kamailio server via tls support.

Klaus Darilion klaus.mailinglists at pernau.at
Tue Sep 7 09:47:18 CEST 2010


I couldn't follow exactly what you did, but you should:

1. create a self-signed CA certificate

2. create private and public key for server. Make certificate signing 
request (CSR) from the public key. Sign this CSR with the CA certificate 
- this will give you the server certificate.

3. configure in Kamailio the server's public key (certificate), the 
server's private key and the CA certificate as CA list.

4. Import the CA certificate into the TLS client (e.g. the SIP client)

You can test if the Kamailio configuration works by using a browser, e.g.:

- surf with Internet Explorer to
    https://domain.name.ofyour.sipproxy:5061/
   This should give you a certificate warning (do NOT accept the 
certificate)

- close Internet Explorer

- import CA certificate into Windows certificate store

- surf with Internet Explorer again to
    https://domain.name.ofyour.sipproxy:5061/
   This time there should not be any certificate warning.


You can also try other SIP clients, e.g. eyebeam (uses Windows 
certificate store), twinkle (Linux) or QjSimple (lets you specify the CA 
file manually; do not configure client certificate and private key).

regards
klaus

On 06.09.2010 20:15, peter_green lion wrote:
>  > Date: Mon, 6 Sep 2010 14:34:35 +0200
>  > From: klaus.mailinglists at pernau.at
>  > To: betergreen at live.com
>  > CC: sr-users at lists.sip-router.org
>  > Subject: Re: [SR-Users] please help to register sip phone to kamailio
> server via tls support.
>  >
>  >
>  >
>  > On 06.09.2010 11:19, peter_green lion wrote:
>  > > I have the same problem when add user-privkey.pem in SIP client, I use
>  > > 3CX soft phone.
>  >
>  > You have to import the self-signed certificate of the root CA which
>  > signed the server certificate. Maybe "cakey.pem" ?
>  >
>  > Probably you have to read some certificate and openssl howtos to get
>  > proper background - SIP over TLS is just like HTTPS.
>  >
>  > regards
>  > Klaus
>
> Dear Klaus,
> I tried to test with all the .pem files in the ca directory, but I get the same error.
> I tried to verify the cert files and get:
>
> openssl verify calist.pem
> calist.pem: /C=vn/ST=hcm/L=htk/O=inc/OU=4/CN=kamailio
> error 18 at 0 depth lookup:self signed certificate
> OK
>
> openssl verify privkey.pem
> unable to load certificate
> 2904:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
>
>
> openssl verify ser1_cert.pem
>
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> So is this my problem?
> Thanks for the help.
> Peter Green
>
>
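
Steps 1 and 2 from the reply, together with the checks that explain the `openssl verify` errors quoted above, as an added example that is not part of the original thread. The file names, subject names, key size and the `make_pki`, `verify_server`, `verify_without_ca` and `key_matches_cert` helpers are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. File names, subjects and key sizes are assumptions.

# Steps 1 and 2: build the CA and a server certificate signed by it.
make_pki() (
    dir=$1 host=$2
    umask 077    # every generated file, private keys included, is owner-only
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Step 1: self-signed CA certificate; ca-cert.pem is what clients import.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout ca-key.pem -out ca-cert.pem 2>/dev/null || exit 1
    # Step 2: server key and CSR, then sign the CSR with the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout server-key.pem -out server.csr 2>/dev/null || exit 1
    # Current TLS clients match the host name against subjectAltName.
    printf 'subjectAltName=DNS:%s\n' "$host" > san.ext
    openssl x509 -req -in server.csr -days 365 -extfile san.ext \
        -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
        -out server-cert.pem 2>/dev/null
)

# Succeeds only when the server certificate chains to the CA given as trust anchor.
verify_server() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" >/dev/null 2>&1
}

# Same check without -CAfile: the issuer is unknown to the default trust store,
# which is the "error 20 ... unable to get local issuer certificate" case.
verify_without_ca() {
    openssl verify "$1/server-cert.pem" >/dev/null 2>&1
}

# A private key is not a certificate, so "openssl verify" cannot load it.
# To check that key and certificate belong together, compare their public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/server-cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/server-key.pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: make_pki ./tls sip.example.test && verify_server ./tls && key_matches_cert ./tls
```

For step 3, `server-cert.pem`, `server-key.pem` and `ca-cert.pem` are the files to reference from the Kamailio TLS configuration; `ca-key.pem` stays off the proxy and is never handed to clients.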


