Configuring TLS for Asterisk 1.8

Dec 16, 2010 15:46

How I made a certificate for the Asterisk IP PBX

Code:
root@server-sip1:/etc/cert# openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
.......................++
...............................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
root@server-sip1:/etc/cert#
root@server-sip1:/etc/cert#
root@server-sip1:/etc/cert# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:IDF
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Remi Philippe - www.remiphilippe.fr
Organizational Unit Name (eg, section) []:VoIP
Common Name (eg, YOUR name) []:Remi Philippe - www.remiphilippe.fr CA
Email Address []:noone@remiphilippe.fr
root@server-sip1:/etc/cert#
root@server-sip1:/etc/cert#
root@server-sip1:/etc/cert# ls
ca.crt  ca.key
root@server-sip1:/etc/cert#

We now have the file ca.crt; this is the file we install on the client.

Code:
root@server-sip1:/etc/cert# openssl genrsa -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
...++++++
e is 65537 (0x10001)
root@server-sip1:/etc/cert# openssl req -new -key key.pem -out req-sip_remiphilippe_fr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:IDF
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Remi Philippe - www.remiphilippe.fr
Organizational Unit Name (eg, section) []:VoIP
Common Name (eg, YOUR name) []:sip.remiphilippe.fr
Email Address []:noone@remiphilippe.fr

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@server-sip1:/etc/cert#
root@server-sip1:/etc/cert#
root@server-sip1:/etc/cert#
root@server-sip1:/etc/cert# openssl x509 -req -days 365 -in req-sip_remiphilippe_fr.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-sip_remiphilippe_fr.crt
Signature ok
subject=/C=FR/ST=IDF/L=Paris/O=Remi Philippe - www.remiphilippe.fr/OU=VoIP/CN=sip.remip ... hilippe.fr
Getting CA Private Key
Enter pass phrase for ca.key:
root@server-sip1:/etc/cert#

We now have the server certificate.

Code:
root@server-sip1:/etc/asterisk/cert# cat ../../cert/key.pem > asterisk.pem
root@server-sip1:/etc/asterisk/cert# cat ../../cert/cert-sip_remiphilippe_fr.crt >> asterisk.pem

We now have the certificate for Asterisk.

Next, write the following in the config:

Code:
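Before pointing `tlscertfile` at the combined file, it can be checked that the key and certificate inside it belong together, that the certificate chains to the `ca.crt` installed on clients, and how long the RSA key is. This is an added example, not part of the original post; the function names, the 2048-bit floor and the throwaway sample CA built by `make_sample` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks for a key+cert bundle
# such as asterisk.pem. Function names and the 2048-bit floor are assumptions.

# check_bundle BUNDLE CAFILE -> prints one status word, returns 0 only for "ok"
check_bundle() {
    bundle=$1; ca=$2
    kpub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || { echo no-private-key; return 1; }
    cpub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || { echo no-certificate; return 1; }
    # The private key and the certificate must describe the same public key
    [ "$kpub" = "$cpub" ] || { echo key-cert-mismatch; return 1; }
    # The certificate must chain to the CA file that clients install
    openssl x509 -in "$bundle" | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
        || { echo not-signed-by-ca; return 1; }
    # Key length as printed by "x509 -text", e.g. "Public-Key: (1024 bit)"
    bits=$(openssl x509 -in "$bundle" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "weak-key:$bits"; return 1; }
    echo ok
}

# make_sample DIR BITS: constructed throwaway CA + server bundle for the demo
make_sample() {
    d=$1; bits=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl genrsa -out "$d/key.pem" "$bits" 2>/dev/null
    openssl req -new -key "$d/key.pem" -subj "/CN=sip.example.test" \
        -out "$d/req.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/req.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 01 -out "$d/cert.crt" 2>/dev/null
    cat "$d/key.pem" "$d/cert.crt" > "$d/asterisk.pem"
}

# Demo on constructed data: a bundle built with a 1024-bit server key
demo=$(mktemp -d)
make_sample "$demo" 1024
echo "1024-bit sample bundle: $(check_bundle "$demo/asterisk.pem" "$demo/ca.crt")"
rm -rf "$demo"
```

On the real files the call would be `check_bundle /etc/asterisk/cert/asterisk.pem /etc/cert/ca.crt`.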
[global]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/cert/asterisk.pem

and for the peer:

Code:
[100]
transport=tls