> Date: Tue, 7 Sep 2010 09:47:18 +0200
> From: klaus.mailingli...@pernau.at
> To: betergr...@live.com
> CC: sr-users@lists.sip-router.org
> Subject: Re: [SR-Users] please help to register sip phone to kamailio server
> via tls support.
>
> I couldn't follow what you exactly did, but you should
>
> 1. create a self-signed CA certificate
>
> 2. create private and public key for server. Make certificate signing
> request (CSR) from the public key. Sign this CSR with the CA certificate
> - this will give you the server certificate.
>
> 3. configure in Kamailio the server's public key (certificate), the
> server's private key and the CA certificate as CA list.
>
> 4. Import the CA certificate into the TLS client (e.g. the SIP client)
>
> You can test if the Kamailio configuration works by using a browser e.g:
>
> - surf with Internet Explorer to
> https://domain.name.ofyour.sipproxy:5061/
> This should give you a certificate warning (do NOT accept the
> certificate)
>
> - close Internet Explorer
>
> - import CA certificate into Windows certificate store
>
> - surf with Internet Explorer again to
> https://domain.name.ofyour.sipproxy:5061/
> This time there should not be any certificate warning.
>
>
> You can also try other SIP clients, e.g. eyebeam (uses Windows
> certificate store), twinkle (Linux) or QjSimple (let you specify the CA
> file manually, do not configure client certificate and private key)
>
> regards
> klaus

Hi Klaus,

I have configured as you advised:

> 1. create a self-signed CA certificate

Creating CA certificate
-----------------------
1. create CA dir
        mkdir ca
        cd ca

2. create ca dir structure and files (see ca(1))
        mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf
        mkdir demoCA/private
        mkdir demoCA/newcerts
        touch demoCA/index.txt
        echo 01 >demoCA/serial

2. create CA private key
        openssl genrsa -out demoCA/private/cakey.pem 2048
        chmod 600 demoCA/private/cakey.pem

3. create CA self-signed certificate
        openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem

> 2. create private and public key for server. Make certificate signing
> request (CSR) from the public key. Sign this CSR with the CA certificate
> - this will give you the server certificate.

Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
        openssl req -out ser1_cert_req.pem -new -nodes

   WARNING: the organization name should be the same as in the ca
   certificate.

2. sign it with the ca certificate
        openssl ca -in ser1_cert_req.pem -out ser1_cert.pem

So "ser1_cert.pem" is the server certificate.

> 3. configure in Kamailio the server's public key (certificate), the
> server's private key and the CA certificate as CA list.

My configuration is:

modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/usr/local/etc/kamailio/ser1_cert.pem") #server cert
modparam("tls", "private_key", "/usr/local/etc/kamailio/privkey.pem") #privkey
modparam("tls", "ca_list", "/usr/local/etc/kamailio/calist.pem") #ca cert
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)

> 4. Import the CA certificate into the TLS client (e.g. the SIP client)

I copied calist.pem to my PC and added it to the IE certificates, then tested.

The result is:
--> starting Kamailio is OK.
--> open IE: as you described, I added calist.pem to the Windows certificate
    store, but it fails. The message is:

    Windows cannot validate that the certificate is actually from
    192.168.1.81. You should confirm its origin by contacting
    192.168.1.81.................

Please help me to fix it. Thank you so much.

Peter Green.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
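
Added example, not part of the thread above and not Kamailio project code: the CA and server-certificate steps run non-interactively, followed by the two checks a TLS client effectively performs (chain to the CA, and the name it connects to) plus a key/certificate match check. Assumptions: subject names are constructed, signing uses `openssl x509 -req` in place of `openssl ca` so no demoCA directory is needed, and clients reach the proxy by IP address, so the address is placed in subjectAltName.

```shell
#!/bin/sh
# Added example with constructed subject names; file names follow the thread.
# cacert.pem -> ca_list, ser1_cert.pem -> certificate, privkey.pem -> private_key
# Assumption: clients dial the proxy by IP, so the IP goes into subjectAltName.

make_chain() {  # usage: make_chain <dir> <ip>
    d=$1; ip=$2
    mkdir -p "$d" || return 1
    cat > "$d/x.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[srv_ext]
basicConstraints = CA:FALSE
subjectAltName = IP:$ip
EOF
    # Step 1: CA private key and self-signed CA certificate.
    openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null &&
    chmod 600 "$d/cakey.pem" &&
    openssl req -x509 -new -key "$d/cakey.pem" -out "$d/cacert.pem" \
        -days 30 -subj "/O=Example Org/CN=Example Test CA" \
        -config "$d/x.cnf" -extensions ca_ext &&
    # Step 2: server key + CSR, then sign the CSR with the CA.
    openssl req -new -nodes -newkey rsa:2048 -keyout "$d/privkey.pem" \
        -out "$d/ser1_cert_req.pem" -subj "/O=Example Org/CN=$ip" \
        -config "$d/x.cnf" 2>/dev/null &&
    openssl x509 -req -in "$d/ser1_cert_req.pem" -days 30 \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -extfile "$d/x.cnf" -extensions srv_ext \
        -out "$d/ser1_cert.pem" 2>/dev/null
}

# Succeeds only if ser1_cert.pem chains to cacert.pem AND names <ip>.
check_chain() {  # usage: check_chain <dir> <ip-the-client-connects-to>
    openssl verify -CAfile "$1/cacert.pem" -verify_ip "$2" \
        "$1/ser1_cert.pem" >/dev/null 2>&1
}

# Succeeds only if privkey.pem is the key certified in ser1_cert.pem.
key_matches_cert() {  # usage: key_matches_cert <dir>
    a=$(openssl x509 -in "$1/ser1_cert.pem" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Run `make_chain ./tls 192.168.1.81`, then `check_chain ./tls 192.168.1.81` and `key_matches_cert ./tls`, before pointing the `certificate`, `private_key` and `ca_list` parameters at the generated files.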