– Kamailio SIP Server –

tls:create-certificates (revision of 2010/09/30 18:53)

====== Create Certificates to be used with Kamailio ======

Creating suitable certificates for Kamailio is just as simple as configuring Apache with SSL/TLS. If you do not have certificates you can use the "openssl" tool to generate them:

===== Creating Certificates with OpenSSL =====

The following example was done on a Debian Lenny installation. On other Linux distributions you may have to adapt the openssl.cnf file (e.g. /etc/ssl/openssl.cnf).

  * Change the default policy to be more flexible: edit /etc/ssl/openssl.cnf and replace policy_match with policy_anything. With policy_match, "openssl ca" refuses requests whose country, state and organization differ from the CA's; policy_anything lets the CA sign requests for other organizations, such as the anotherdomain.com certificate below:

  ...
  # A few difference way of specifying how similar the request should look
  # For type CA, the listed attributes must be the same, and the optional
  # and supplied fields are just that :-)
  policy          = policy_anything
  ...

  * Make a directory to store your certificates (of course you should secure this directory to prevent unprivileged access):

  mkdir /etc/certs
  chmod 0700 /etc/certs
  cd /etc/certs

  * Create a self-signed CA (certificate authority) certificate (valid for 10 years). Note that the openssl defaults of that time produce a 1024-bit RSA key, as in the transcript below; that is too weak today, so add -newkey rsa:2048 (or larger) to the req commands:

  mkdir demoCA
  cd demoCA
  mkdir newcerts
  echo '01' > serial
  touch index.txt
  openssl req -new -x509 -extensions v3_ca -keyout key.pem -out cert.pem -days 3650
  # Optional, verify the content of the new CA certificate:
  openssl x509 -in cert.pem -noout -text
  openssl x509 -in cert.pem -noout -dates
  openssl x509 -in cert.pem -noout -purpose
  cd ..

  * Make a certificate for your SIP proxy sip.mydomain.com (create a key and a certificate signing request (CSR), then sign the CSR with the CA's key and certificate). -nodes leaves the proxy's private key unencrypted so Kamailio can read it at startup, so protect the file with permissions:

  mkdir sip.mydomain.com
  cd sip.mydomain.com/
  openssl req -new -nodes -keyout key.pem -out req.pem
  cd ..
  openssl ca -days 730 -out sip.mydomain.com/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles sip.mydomain.com/req.pem

  * Make a certificate for another SIP proxy anotherdomain.com (again: create a key and a CSR, then sign the CSR with the CA's key and certificate):

  mkdir anotherdomain.com
  cd anotherdomain.com/
  openssl req -new -nodes -keyout key.pem -out req.pem
  cd ..
  openssl ca -days 730 -out anotherdomain.com/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles anotherdomain.com/req.pem

  * Optional, verify the content of the new certificates:

  openssl x509 -in anotherdomain.com/cert.pem -noout -text
  openssl x509 -in sip.mydomain.com/cert.pem -noout -text

==== Using the Certificates with TLS ====

  * Now you can use these certificates with Kamailio, e.g. (the following snippet is for Kamailio 3.0 and 3.1):
<code>
  enable_tls=1
  tcp_async=no  # do not include in 3.1
  tcp_connection_lifetime=3610
  listen=udp:<ip-address-for-receiving-sip-requests>:5060
  listen=tcp:<ip-address-for-receiving-sip-requests>:5060

  modparam("tls", "private_key", "/etc/certs/sip.mydomain.com/key.pem")
  modparam("tls", "certificate", "/etc/certs/sip.mydomain.com/cert.pem")
  modparam("tls", "ca_list", "/etc/certs/demoCA/cert.pem")
</code>
  * If you want to use different certificates depending on the role (server or client) or on the peer you are talking to, you need a separate tls config file; see http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#config.

==== Using TLS and the Certificates with SIP Phones ====

  * Further, your SIP client needs to be provisioned to trust your self-signed CA. How this is configured depends on the client, e.g.:
    * eyeBeam: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the Windows PC and add it to the Windows certificate store (Start->Control Panel->Internet)
    * QjSimple: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the client PC and configure QjSimple to use this CA ("TLS CA file" and "verify TLS server certificate")
    * Snom phones: by default Snom accepts untrusted certificates, so you just need to set the **Outbound Proxy** field to "yoursipserver.com;transport=tls" (note that the phone then does not verify the proxy's certificate at all: the connection is encrypted, but the server is not authenticated).

==== Testing ====

  * You can test with the openssl tools, e.g. connecting to the server without certificate validation (the self-signed CA is not trusted, hence verify error 19):

  # openssl s_client -connect localhost:5061 -tls1
  CONNECTED(00000003)
  depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
  verify error:num=19:self signed certificate in certificate chain
  verify return:0

  * Connecting to the server with certificate validation against your own CA (-CAfile); both depths should now report verify return:1:

  # openssl s_client -connect localhost:5061 -tls1 -CAfile /etc/certs/demoCA/cert.pem
  CONNECTED(00000003)
  depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
  verify return:1
  depth=0 /C=AT/ST=Vienna/L=Vienna/O=Cheap-Call Limited/CN=sip.mydomain.com
  verify return:1

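The certificate creation and testing steps above, as an added example that is not part of the wiki page: a non-interactive version of the CA and proxy certificate workflow, followed by the checks to run before pointing the tls modparams at the files. It assumes the openssl command-line tool is installed, uses placeholder hostnames and a temporary directory, and substitutes "openssl x509 -req" for the page's "openssl ca" so that no demoCA index/serial database is needed; the subjectAltName it adds goes beyond the page's CN-only certificates.

```shell
#!/bin/sh
# Added example (not from the Kamailio wiki): the CA and proxy certificate
# steps above run non-interactively with -subj, plus the checks to run
# before pointing modparam("tls", ...) at the files.
# Assumptions: the openssl CLI is installed; DIR and HOST are placeholders;
# "openssl x509 -req" stands in for the page's "openssl ca", so no demoCA
# index/serial database is needed.
set -eu

# make_sip_certs DIR HOST: create DIR/demoCA and DIR/HOST as on the page.
make_sip_certs() {
    dir=$1; host=$2
    mkdir -p "$dir/demoCA" "$dir/$host"
    chmod 0700 "$dir"
    # Self-signed CA, 10 years. -nodes leaves the CA key unencrypted for the
    # example only; the page's interactive run sets a passphrase, keep that.
    openssl req -new -x509 -nodes -newkey rsa:2048 -extensions v3_ca -days 3650 \
        -subj "/C=AT/L=Vienna/O=My private CA/CN=My private CA" \
        -keyout "$dir/demoCA/key.pem" -out "$dir/demoCA/cert.pem" 2>/dev/null
    # Proxy key and CSR; CN is the proxy hostname that SIP clients connect to.
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=AT/O=Cheap-Call Limited/CN=$host" \
        -keyout "$dir/$host/key.pem" -out "$dir/$host/req.pem" 2>/dev/null
    # End-entity extensions: CA:FALSE and a SAN so clients that ignore the
    # CN still match the hostname.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        > "$dir/$host/ext.cnf"
    openssl x509 -req -days 730 -in "$dir/$host/req.pem" \
        -CA "$dir/demoCA/cert.pem" -CAkey "$dir/demoCA/key.pem" -CAcreateserial \
        -extfile "$dir/$host/ext.cnf" -out "$dir/$host/cert.pem" 2>/dev/null
    chmod 0600 "$dir/demoCA/key.pem" "$dir/$host/key.pem"
}

# check_sip_cert CAFILE CERT KEY HOST: returns 0 only when CERT chains to
# CAFILE (what "s_client -CAfile" tests above), names HOST, is not itself
# a CA, and matches KEY, i.e. the three modparam("tls", ...) paths agree.
check_sip_cert() {
    ca=$1; cert=$2; key=$3; host=$4
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null \
        || return 1
    openssl x509 -in "$ca" -noout -ext basicConstraints | grep -q 'CA:TRUE' \
        || return 1
    openssl x509 -in "$cert" -noout -ext basicConstraints | grep -q 'CA:FALSE' \
        || return 1
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey)" ] || return 1
}
```

Run it as "make_sip_certs /tmp/certs sip.mydomain.com" followed by "check_sip_cert /tmp/certs/demoCA/cert.pem /tmp/certs/sip.mydomain.com/cert.pem /tmp/certs/sip.mydomain.com/key.pem sip.mydomain.com"; a non-zero exit means the files are not ready for the modparams above.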
==== Example ====

<code>
debian:/etc# mkdir /etc/certs
debian:/etc# chmod 0700 /etc/certs
debian:/etc# cd /etc/certs
debian:/etc/certs# mkdir demoCA
debian:/etc/certs# cd demoCA
debian:/etc/certs/demoCA# mkdir newcerts
debian:/etc/certs/demoCA# echo '01' > serial
debian:/etc/certs/demoCA# touch index.txt
debian:/etc/certs/demoCA# openssl req -new -x509 -extensions v3_ca -keyout key.pem -out cert.pem -days 3650
Generating a 1024 bit RSA private key
...................................................++++++
.........................++++++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:Vienna
Locality Name (eg, city) []:Vienna
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My private CA
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:My private CA
Email Address []:
debian:/etc/certs/demoCA# cd ..

debian:/etc/certs# mkdir anotherdomain.com
debian:/etc/certs# cd anotherdomain.com/
debian:/etc/certs/anotherdomain.com# openssl req -new -nodes -keyout key.pem -out req.pem
Generating a 1024 bit RSA private key
.....................................++++++
..................++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Berlin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:berlin-calling.com
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:berlin-calling.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
debian:/etc/certs/anotherdomain.com# cd ..
debian:/etc/certs# openssl ca -days 730 -out anotherdomain.com/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles anotherdomain.com/req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for demoCA/key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Sep  9 13:42:27 2010 GMT
            Not After : Sep  8 13:42:27 2012 GMT
        Subject:
            countryName               = AT
            localityName              = Berlin
            organizationName          = berlin-calling.com
            commonName                = berlin-calling.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                65:3A:F3:C0:A8:B7:1D:3C:07:82:87:AB:EA:6D:01:D9:19:20:E6:C2
            X509v3 Authority Key Identifier:
                keyid:DD:8B:12:E5:65:71:55:E9:9C:A5:6D:11:56:02:A6:6D:6E:C1:07:D9

Certificate is to be certified until Sep  8 13:42:27 2012 GMT (730 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
debian:/etc/certs#
</code>