Table of Contents

Create Certificates to be used with Kamailio

Creating suitable certificates for Kamailio is just as simple as configuring Apache with SSL/TLS. If you do not have certificates you can use the “openssl” tool to generate the certificates:

Creating Certificates with OpenSSL

Following example was done on a Debian Lenny installation. On other Linux distributions you may have to adopt the openssl.cnf file (e.g. /etc/ssl/openssl.cnf).

...
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_anything
...
mkdir /etc/certs
chmod 0700 /etc/certs
cd /etc/certs
mkdir demoCA
cd demoCA
mkdir newcerts
echo '01' > serial
touch index.txt
openssl req -new -x509 -extensions v3_ca -keyout key.pem -out cert.pem -days 3650
# Optional, verify the content of the new CA certificate:
openssl x509 -in cert.pem -noout -text
openssl x509 -in cert.pem -noout -dates
openssl x509 -in cert.pem -noout -purpose
cd ..
mkdir sip.mydomain.com
cd sip.mydomain.com/
openssl req -new -nodes -keyout key.pem -out req.pem
cd ..
openssl ca -days 730 -out sip.mydomain.com/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles sip.mydomain.com/req.pem
mkdir anotherdomain.com
cd anotherdomain.com/
openssl req -new -nodes -keyout key.pem -out req.pem
cd ..
openssl ca -days 730 -out anotherdomain.com/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles anotherdomain.com/req.pem
openssl x509 -in anotherdomain.com/cert.pem -noout -text
openssl x509 -in sip.mydomain.com/cert.pem -noout -text

Using the Certificates with TLS

Using TLS and the Certificates with SIP Phones

Testing

# openssl s_client -connect localhost:5061 -tls1
CONNECTED(00000003)
depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
# openssl s_client -connect localhost:5061 -tls1 -CAfile /etc/certs/demoCA/cert.pem
CONNECTED(00000003)
depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
verify return:1
depth=0 /C=AT/ST=Vienna/L=Vienna/O=Cheap-Call Limited/CN=sip.mydomain.com
verify return:1

Example

debian:/etc# mkdir /etc/certs
debian:/etc# chmod 0700 /etc/certs
debian:/etc# cd /etc/certs
debian:/etc/certs# mkdir demoCA
debian:/etc/certs# cd demoCA
debian:/etc/certs/demoCA# mkdir newcerts
debian:/etc/certs/demoCA# echo '01' > serial
debian:/etc/certs/demoCA# touch index.txt
debian:/etc/certs/demoCA# openssl req -new -x509 -extensions v3_ca -keyout key.pem -out cert.pem -days 3650
Generating a 1024 bit RSA private key
...................................................++++++
.........................++++++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:Vienna
Locality Name (eg, city) []:Vienna
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My private CA
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:My private CA
Email Address []:
debian:/etc/certs/demoCA# cd ..


debian:/etc/certs# mkdir anotherdomain.com
debian:/etc/certs# cd anotherdomain.com/
debian:/etc/certs/anotherdomain.com# openssl req -new -nodes -keyout key.pem -out req.pem
Generating a 1024 bit RSA private key
.....................................++++++
..................++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Berlin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:berlin-calling.com
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:berlin-calling.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
debian:/etc/certs/anotherdomain.com# cd ..
debian:/etc/certs# openssl ca -days 730 -out anotherdomain.com/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles anotherdomain.com/req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for demoCA/key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Sep  9 13:42:27 2010 GMT
            Not After : Sep  8 13:42:27 2012 GMT
        Subject:
            countryName               = AT
            localityName              = Berlin
            organizationName          = berlin-calling.com
            commonName                = berlin-calling.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                65:3A:F3:C0:A8:B7:1D:3C:07:82:87:AB:EA:6D:01:D9:19:20:E6:C2
            X509v3 Authority Key Identifier:
                keyid:DD:8B:12:E5:65:71:55:E9:9C:A5:6D:11:56:02:A6:6D:6E:C1:07:D9

Certificate is to be certified until Sep  8 13:42:27 2012 GMT (730 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
debian:/etc/certs#