...

Best practice, however, is to use a publicly-signed certificate.  D-Series phones ship with a copy of the publicly-signed root CA list that was current as of the firmware build date, so they can validate any server whose certificate chains to one of those roots.  If the server instead uses a privately-signed certificate, a copy of the private root CA must be loaded onto the phone before it will make a SIP TLS connection to the SIP server.

SIP RFC 5922 section 7.2 forbids matching wildcard certificates for TLS signaling.  For many server deployments this presents a problem: because these servers are often deployed with wildcard certificates for HTTPS traffic, implementers may assume they can do the same for SIP.  Per the RFC, one cannot.  To accommodate wildcard deployments, D-Series phone firmware beginning with 2_9_2 and 1_12_1 provides a setting, tls_allow_wildcard_certs, disabled by default, that permits the telephone to accept a wildcard certificate as valid for SIP TLS signaling.  Note that enabling it relaxes the identity check the RFC requires, so it should be a deliberate decision rather than the first thing tried when a TLS connection fails.
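
The following is an added illustration of the identity check described above; it is not the D-Series phone's code or an Asterisk/PJSIP routine.  It models RFC 5922 section 7.1 (which names in a certificate count as SIP domain identities) and section 7.2 (exact, case-insensitive comparison with no wildcard matching), then shows the relaxed behaviour the tls_allow_wildcard_certs setting is assumed to enable: a `*.example.com` name covering one leading label, as HTTPS clients do.  The certificate name sets and the `allow_wildcard` parameter are constructed for the example.

```python
"""
Worked example: SIP-over-TLS server identity check per RFC 5922 section 7.
Added illustration only; not Digium/Sangoma phone firmware or PJSIP code.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Names as they would be extracted from a server certificate (constructed sample data)."""
    uri_sans: List[str] = field(default_factory=list)   # subjectAltName URI entries
    dns_sans: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    common_name: Optional[str] = None                   # subject CN


def sip_identities(cert: CertNames) -> List[str]:
    """RFC 5922 s7.1: sip: URIs in subjectAltName take precedence; otherwise
    dNSName SANs; the CN is consulted only when there is no subjectAltName at all."""
    uris = []
    for u in cert.uri_sans:
        if not u.lower().startswith("sip:"):
            continue
        host = u[len("sip:"):]
        if "@" in host:          # a URI with a user part is not a domain identity
            continue
        uris.append(host)
    if uris:
        return uris
    if cert.dns_sans:
        return list(cert.dns_sans)
    if cert.uri_sans:
        return []                # SANs are present but unusable: do not fall back to CN
    return [cert.common_name] if cert.common_name else []


def is_wildcard(name: str) -> bool:
    """Both '*.' and a bare leading '.' are wildcard forms (RFC 5922 s7.2 names both)."""
    return name.startswith("*.") or name.startswith(".")


def wildcard_matches(pattern: str, domain: str) -> bool:
    """Relaxed, HTTPS-style rule assumed for tls_allow_wildcard_certs:
    the wildcard covers exactly one leading DNS label."""
    suffix = pattern[1:] if pattern.startswith("*") else pattern   # -> '.example.com'
    head, _, tail = domain.partition(".")
    return bool(head) and bool(tail) and ("." + tail) == suffix


def validate_sip_domain(cert: CertNames, sip_domain: str,
                        allow_wildcard: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason).  Strict mode (the default) is RFC 5922 s7.2:
    exact case-insensitive comparison; a wildcard name is simply never a match."""
    target = sip_domain.lower().rstrip(".")
    for ident in sip_identities(cert):
        ident = ident.lower().rstrip(".")
        if is_wildcard(ident):
            if allow_wildcard and wildcard_matches(ident, target):
                return True, f"wildcard {ident!r} accepted (tls_allow_wildcard_certs)"
            continue             # strict: RFC 5922 s7.2 forbids matching wildcards
        if ident == target:
            return True, f"exact match on {ident!r}"
    return False, f"no identity in certificate matches {target!r}"


# Constructed sample certificates, not real deployments.
WILDCARD_CERT = CertNames(dns_sans=["*.example.com"], common_name="*.example.com")
SIP_CERT = CertNames(uri_sans=["sip:sip.example.com"], dns_sans=["*.example.com"],
                     common_name="example.com")
CN_ONLY_CERT = CertNames(common_name="sip.example.com")
SAN_HTTP_CERT = CertNames(dns_sans=["www.example.com"], common_name="sip.example.com")


if __name__ == "__main__":
    for label, cert, wildcard in [("wildcard, strict", WILDCARD_CERT, False),
                                  ("wildcard, relaxed", WILDCARD_CERT, True),
                                  ("sip: URI SAN", SIP_CERT, False),
                                  ("CN only", CN_ONLY_CERT, False),
                                  ("SAN present, CN ignored", SAN_HTTP_CERT, False)]:
        ok, why = validate_sip_domain(cert, "sip.example.com", allow_wildcard=wildcard)
        print(f"{label:28s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The `SAN_HTTP_CERT` case is the one that surprises people migrating a web certificate: once a subjectAltName is present the CN is never consulted, so a CN of `sip.example.com` does not rescue a certificate whose SANs only name the web host.  The clean fix is a certificate that carries the SIP domain as a SAN (ideally a `sip:` URI), not the wildcard switch.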

Asterisk TLS Transport

Once certificates have been generated and installed for Asterisk's use, a TLS signaling transport must be set up for use by PJSIP.  The transport should look similar to:

...