[SR-Users] Kamailio TLS with intermediate CA certificates
Olle E. Johansson
oej at edvina.net
Sun Jan 29 13:33:38 CET 2012
On 29 Jan 2012, at 13:11, Daniel Pocock wrote:
>
>
> I found that my TLS client was not happy because my server cert is
> signed by an intermediate root.
>
> A quick search in Google found other people mentioning the same problem,
> but no solution or documentation.
>
> I've had a quick look in the Kamailio source and I notice it is using
> the call:
>
> SSL_CTX_use_certificate_chain_file
>
> to load the certificate specified in tls.cfg with
>
> certificate=myserver.pem
>
> In practice, this means the intermediate certificates can be appended to
> myserver.pem and Kamailio will present them to the TLS client:
>
> Example:
>
> Trust hierarchy:
>
> trusted root
> - inter 1
> - inter 2
> - server.example.com.pem
>
> Construct the PEM file in this exact order:
>
> cat server.example.com.pem > chain-server.example.com.pem
> cat inter2.pem >> chain-server.example.com.pem
> cat inter1.pem >> chain-server.example.com.pem
>
> and then, in tls.cfg:
>
> certificate=chain-server.example.com.pem
>
This applies to almost all OpenSSL-based implementations. But it should be documented somewhere.
/O
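
Added example, not part of the original thread or of Kamailio's code: a shell check that a chain file such as chain-server.example.com.pem is ordered server certificate first, then each issuing intermediate, before pointing `certificate=` in tls.cfg at it. The function names `cert_field` and `check_chain_order` are hypothetical, and the check assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Check that a PEM bundle is ordered leaf -> intermediates, the order
# SSL_CTX_use_certificate_chain_file expects.
# Name chaining only: it compares issuer/subject strings; it does not
# verify signatures or validity dates.

# cert_field FILE subject|issuer
# Print one name field of a single-certificate PEM file.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# check_chain_order FILE
# Returns 0 when every certificate in FILE is issued by the one after it,
# 1 on an ordering mismatch, 2 when FILE holds no certificate.
check_chain_order() {
    bundle=$1
    dir=$(mktemp -d) || return 2
    # Split the bundle into $dir/cert.1, $dir/cert.2, ... in file order.
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = d "/cert." n }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    rc=0
    [ -f "$dir/cert.1" ] || { echo "no certificates in $bundle" >&2; rc=2; }
    i=1
    while [ -f "$dir/cert.$((i + 1))" ]; do
        issuer=$(cert_field "$dir/cert.$i" issuer)
        next_subject=$(cert_field "$dir/cert.$((i + 1))" subject)
        if [ "$issuer" != "$next_subject" ]; then
            echo "cert $i issuer '$issuer' != cert $((i + 1)) subject '$next_subject'" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}
```

Call it as `check_chain_order chain-server.example.com.pem`; a non-zero exit means the file would make the server present its certificates in an order that strict TLS clients may reject.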