62 lines
2.4 KiB
HTML
62 lines
2.4 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
|
|
<html>
|
|
<head>
|
|
<title>Generating SSL/TLS certificates for SIP agents and proxies</title>
|
|
</head>
|
|
<body>
|
|
<h1>Generating SSL/TLS certificates for SIP agents and proxies</h1>
|
|
<h2>Prerequisites</h2>
|
|
The openssl v0.96 or higher must be installed to create the certificates.
|
|
|
|
<h2>To generate the random seed file</h2>
|
|
<strong><pre>$ tport_rand tls_seed.dat
|
|
</pre>
|
|
</strong>
|
|
|
|
<h2>To generate the root authority certificate</h2>
|
|
<strong><pre>
|
|
$ make_root_cert.pl \
|
|
-cn <root common name>\
|
|
-dns <comma separated list of root dns names>\
|
|
[-prefix <prefix for the generated files> (default root)]\
|
|
[-rand <random seed file> (default tls_seed.dat)]</pre></strong>
|
|
|
|
This command will generate files <strong><prefix>key.pem</strong> (root private key),
|
|
<strong><prefix>cert.pem</strong> (root certificate) and <strong><prefix>.pem</strong> (combination
|
|
of the key and the certificate). The latter file will be used to sign the node certificates.
|
|
|
|
<h2>To generate a certificate for a single node (user agent or proxy)</h2>
|
|
<strong><pre>
|
|
$ make_node_cert.pl \
|
|
-cn <node common name>\
|
|
-dns <comma separated list of node dns names>\
|
|
[-ca <cafile> (default root.pem)]\
|
|
[-prefix <prefix for the generated files> (default agent)]\
|
|
[-rand <random seed file> (default tls_seed.dat)]
|
|
</pre></strong>
|
|
This command will generate files <strong><prefix>key.pem </strong> (node private key),
|
|
<strong><prefix>cert.pem</strong> (node certificate) and <strong><prefix>.pem</strong> (combination
|
|
of the key and the certificate). The certificate has been signed with ca certificate
|
|
contained in <strong><cafile></strong>.
|
|
|
|
<h2>Installing the certificates to the nodes</h2>
|
|
|
|
<ol>
|
|
|
|
<li>Copy the root certificate file (<strong>rootcert.pem</strong> by default - <strong>not root.pem or rootkey.pem!</strong>),
|
|
the combined node certificate+key file (<strong>agent.pem</strong>) and <strong>tls_seed.dat</strong> to the tls configuration
|
|
directory (default <strong>$HOME/.sip/auth</strong>)</li>
|
|
|
|
<li>Rename <strong>rootcert.pem</strong> as <strong>cafile.pem</strong></li>
|
|
</ol>
|
|
<p>
|
|
<strong>Note that files agent.pem and tls_seed.dat must be kept secret to
|
|
ensure secure connection</strong>
|
|
</p>
|
|
|
|
</ol>
|
|
</body>
|
|
</html>
|
|
|