<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Generating SSL/TLS certificates for SIP agents and proxies</title>
</head>
<body>
<h1>Generating SSL/TLS certificates for SIP agents and proxies</h1>

<h2>Prerequisites</h2>
<p>OpenSSL v0.96 or higher must be installed to create the certificates.</p>

<h2>To generate the random seed file</h2>
<pre><strong>$ tport_rand tls_seed.dat</strong></pre>

<h2>To generate the root authority certificate</h2>
<pre><strong>$ make_root_cert.pl \
    -cn &lt;root common name&gt; \
    -dns &lt;comma separated list of root dns names&gt; \
    [-prefix &lt;prefix for the generated files&gt; (default root)] \
    [-rand &lt;random seed file&gt; (default tls_seed.dat)]</strong></pre>
<p>This command generates the files <strong>&lt;prefix&gt;key.pem</strong> (root private key), <strong>&lt;prefix&gt;cert.pem</strong> (root certificate) and <strong>&lt;prefix&gt;.pem</strong> (the key and the certificate combined in one file). The combined file is used later to sign the node certificates.</p>

<h2>To generate a certificate for a single node (user agent or proxy)</h2>
<pre><strong>$ make_node_cert.pl \
    -cn &lt;node common name&gt; \
    -dns &lt;comma separated list of node dns names&gt; \
    [-ca &lt;cafile&gt; (default root.pem)] \
    [-prefix &lt;prefix for the generated files&gt; (default agent)] \
    [-rand &lt;random seed file&gt; (default tls_seed.dat)]</strong></pre>
<p>This command generates the files <strong>&lt;prefix&gt;key.pem</strong> (node private key), <strong>&lt;prefix&gt;cert.pem</strong> (node certificate) and <strong>&lt;prefix&gt;.pem</strong> (the key and the certificate combined in one file). The node certificate is signed with the CA key and certificate contained in <strong>&lt;cafile&gt;</strong>.</p>
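<p>As an added example that is not part of this page or of the make_root_cert.pl / make_node_cert.pl scripts, the following POSIX shell script rebuilds with plain openssl commands the file set those scripts produce under the default prefixes (rootkey.pem, rootcert.pem, root.pem, agentkey.pem, agentcert.pem, agent.pem), then checks a node certificate before it is deployed (it chains to the root, carries the expected DNS name as a subjectAltName, and the private key in the combined file matches the certificate), and finally carries out the two installation steps described in the next section and checks the installed directory (cafile.pem must hold only the root certificate and never the key from root.pem or rootkey.pem; agent.pem and tls_seed.dat must be readable by their owner alone). The directory layout, the 2048-bit RSA keys, the lifetimes, the DNS names and the use of /dev/urandom in place of tport_rand are assumptions made for the example; the x509 -ext option requires OpenSSL 1.1.1 or newer.</p>

```shell
#!/bin/sh
# Added example, not the project's scripts: rebuild with plain openssl the file set that
# make_root_cert.pl / make_node_cert.pl produce, then check a node before and after installing it.
# Assumptions: OpenSSL 1.1.1+, RSA-2048 keys, a 10-year root and 1-year node certificates,
# and 1 KiB from /dev/urandom standing in for tport_rand's tls_seed.dat.
set -eu

# san_list "a.example,b.example" -> "DNS:a.example,DNS:b.example"
san_list() {
  out=""; oldifs=$IFS; IFS=,
  for name in $1; do out="${out:+$out,}DNS:$name"; done
  IFS=$oldifs; printf '%s' "$out"
}

# req_config CN DNSLIST: a self-contained openssl req config (the system openssl.cnf is not used);
# the v3_ca section only takes effect when the config is used with "req -x509"
req_config() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\nCN = %s\n' "$1"
  printf '[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n'
  printf 'subjectKeyIdentifier = hash\nsubjectAltName = %s\n' "$(san_list "$2")"
}

# make_demo_pki DIR ROOT_CN ROOT_DNS NODE_CN NODE_DNS: writes rootkey.pem, rootcert.pem, root.pem,
# agentkey.pem, agentcert.pem and agent.pem under DIR, matching the page's default prefixes
make_demo_pki() {
  dir=$1; mkdir -p "$dir"
  # root authority: self-signed CA certificate; root.pem is key + certificate, used for signing
  req_config "$2" "$3" > "$dir/root.cnf"
  openssl req -x509 -config "$dir/root.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/rootkey.pem" -out "$dir/rootcert.pem" 2>/dev/null
  cat "$dir/rootkey.pem" "$dir/rootcert.pem" > "$dir/root.pem"
  # node: fresh key and CSR, signed by the root with the node's DNS names as subjectAltName
  req_config "$4" "$5" > "$dir/agent.cnf"
  openssl req -new -config "$dir/agent.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/agentkey.pem" -out "$dir/agent.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = %s\n' \
    "$(san_list "$5")" > "$dir/agent.ext"
  openssl x509 -req -in "$dir/agent.csr" -CA "$dir/rootcert.pem" -CAkey "$dir/rootkey.pem" \
    -CAcreateserial -days 365 -extfile "$dir/agent.ext" -out "$dir/agentcert.pem" 2>/dev/null
  cat "$dir/agentkey.pem" "$dir/agentcert.pem" > "$dir/agent.pem"
  chmod 600 "$dir/rootkey.pem" "$dir/root.pem" "$dir/agentkey.pem" "$dir/agent.pem"
}

# make_seed FILE: stand-in for "tport_rand FILE"
make_seed() { dd if=/dev/urandom of="$1" bs=1024 count=1 2>/dev/null; chmod 600 "$1"; }

# check_node_cert CAFILE NODEFILE DNSNAME: 0 when NODEFILE chains to CAFILE, lists DNSNAME as a
# SAN and its private key matches its certificate; 1, 2 or 3 names the check that failed
check_node_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null \
    | tr -d ' ' | sed 's/$/,/' | grep -qF "DNS:$3," || return 2
  pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ] || return 3
}

# install_node SRCDIR AUTHDIR: the two installation steps; only the root *certificate* becomes
# cafile.pem, and the secret files end up readable by their owner alone
install_node() {
  mkdir -p "$2"; chmod 700 "$2"
  cp "$1/rootcert.pem" "$2/cafile.pem"
  cp "$1/agent.pem" "$1/tls_seed.dat" "$2/"
  chmod 600 "$2/agent.pem" "$2/tls_seed.dat"
}

# check_install AUTHDIR: 0 when cafile.pem carries no private key (root.pem or rootkey.pem copied
# by mistake) and agent.pem / tls_seed.dat exist with no group or world permission bits
check_install() {
  [ -f "$1/cafile.pem" ] || return 1
  if grep -q 'PRIVATE KEY' "$1/cafile.pem"; then return 2; fi
  for f in agent.pem tls_seed.dat; do
    [ -f "$1/$f" ] || return 3
    case "$(ls -ld "$1/$f" | cut -c5-10)" in *r*|*w*|*x*) return 4 ;; esac
  done
  return 0
}

# demo DIR: build a root and one node under DIR, install into DIR/auth and check both
demo() {
  make_demo_pki "$1" "Example Root CA" "ca.example.org" "sip.example.org" "sip.example.org,proxy.example.org"
  make_seed "$1/tls_seed.dat"
  if check_node_cert "$1/rootcert.pem" "$1/agent.pem" "proxy.example.org"; then
    echo "node certificate OK"; else echo "node certificate check failed: $?"; fi
  install_node "$1" "$1/auth"
  if check_install "$1/auth"; then echo "installation OK"; else echo "installation check failed: $?"; fi
}
if [ "${1:-}" = demo ]; then demo "${2:-$(mktemp -d)}"; fi
```

<p>Run it as <strong>sh pki-check.sh demo /tmp/pki</strong> (any directory works) to get the six files, an auth/ directory laid out as in the installation section, and the two check results. The check_install function is the one worth keeping around: copying root.pem instead of rootcert.pem is exactly the mistake the installation section warns against, and it leaves the root private key in the node's trust store, so the check grep's cafile.pem for a PRIVATE KEY block and refuses the directory if it finds one.</p>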
<h2>Installing the certificates to the nodes</h2>
<ol>
<li>Copy the root certificate file (<strong>rootcert.pem</strong> by default; <strong>not root.pem or rootkey.pem!</strong>), the combined node certificate+key file (<strong>agent.pem</strong>) and <strong>tls_seed.dat</strong> to the TLS configuration directory (default <strong>$HOME/.sip/auth</strong>).</li>
<li>Rename <strong>rootcert.pem</strong> to <strong>cafile.pem</strong>.</li>
</ol>
<p><strong>Note that the files agent.pem and tls_seed.dat must be kept secret to ensure a secure connection.</strong></p>
</body>
</html>