
So you'd like to make some secure calls.

I wanted to as well; it turned out to be more complicated than it should be, and the documentation needs work.

Here's how to do it, using Blink as the SIP client.

First, let's make a place for our keys.

mkdir /etc/asterisk/keys

Next, use the ast_tls_cert script from contrib/scripts in the Asterisk source tree to make a self-signed certificate authority and a server certificate for Asterisk signed by it. Without -m the script runs in server mode, which creates the CA first and then the Asterisk certificate.

./ast_tls_cert -C 10.24.14.201 -O "10.24.14.201" -d /etc/asterisk/keys

Here, the common name (-C) is the IP address of the server, because that is what clients will register to, and a TLS client checks the name it connected to against the certificate it is shown. If clients registered to a DNS name, like pbx.mycompany.com, we'd use that instead.

The -O flag is the organization name. It could be your company, or whatever; it has to be present, but nothing checks it.

The -d flag specifies where the output files go.

Next, generate a client certificate, signed by the CA we just made:

./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C "10.24.14.135" -O "10.24.14.201" -d /etc/asterisk/keys -o blink

Here, we're telling the script that we want a client certificate (-m client) signed by a particular authority (-c /etc/asterisk/keys/ca.crt) using that authority's private key (-k /etc/asterisk/keys/ca.key); that the client's common name is the address it comes from (-C "10.24.14.135", because that's what the client registers to Asterisk as); that the output files go to /etc/asterisk/keys (-d); and that the output files should all be named blink, whatever their extension (-o blink).

/etc/asterisk/keys should now contain these files:

asterisk.crt
asterisk.csr
asterisk.key
asterisk.pem
blink.crt
blink.csr
blink.key
blink.pem
ca.cfg
ca.crt
ca.key
tmp.cfg

The .pem files are the matching .key and .crt concatenated, which is the form Asterisk's tlscertfile and Blink's account certificate setting expect. ca.key is the CA's private key; it is only needed to sign further client certificates and should not be readable by anything else. ca.cfg and tmp.cfg are the OpenSSL config files the script writes for itself.

Next, let's configure Asterisk to listen for TLS. These are chan_sip options and go in the [general] section of sip.conf; the TLS listener defaults to port 5061.

Set:
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1 ;none of the others seem to work with Blink as the client

tlscipher takes an OpenSSL cipher list. ALL is the widest one and includes weak suites; once registration works, narrow it to something like HIGH:!aNULL:!MD5.


Blink needs ca.crt in its main TLS settings, so it can verify the certificate Asterisk presents.
Blink needs blink.pem (the client's key and certificate) in the account settings.

to be continued...
