So you'd like to make some secure calls.
I wanted to, too, and it was too complicated and the documentation needs work.
Here's how to do it, using Blink.
First, let's make a place for our keys.
mkdir /etc/asterisk/keys
Then, use the ast_tls_cert script in the contrib/scripts directory of the Asterisk source tree to make a self-signed certificate authority and an Asterisk certificate.
./ast_tls_cert -C 10.24.14.201 -O "10.24.14.201" -d /etc/asterisk/keys
Here, I'm making the Common name (-C) the same as the IP address of the server - that's because clients will register to the IP address. If clients were registering to a DNS name, like pbx.mycompany.com, we'd use that instead.
The -O flag is an organizational name. It could be your company, or whatever. It's necessary, but irrelevant.
The -d flag specifies where the output files go.
Next, generate a client certificate.
./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C "10.24.14.135" -O "10.24.14.201" -d /etc/asterisk/keys -o blink
Here, we're telling the script that we want a client certificate (-m client), signed by a particular authority (-c /etc/asterisk/keys/ca.crt, the CA certificate created in the previous step) with the key for that authority (-k /etc/asterisk/keys/ca.key); that the client will be coming from somewhere (-C "10.24.14.135" in this case, because that's what the client registers to Asterisk as); that we want the output files to go somewhere (-d /etc/asterisk/keys); and that we want the output files to all be named something (-o blink), whatever their extension is.
Now we've got a list of the items we've built. They should be:
asterisk.crt
asterisk.csr
asterisk.key
asterisk.pem
blink.crt
blink.csr
blink.key
blink.pem
ca.cfg
ca.crt
ca.key
tmp.cfg
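Before pointing Asterisk and Blink at these files, it helps to confirm they are what the configuration expects. The script below is an added example, not part of the original walkthrough or of the Asterisk project: the function names and the KEYDIR variable are made up for illustration, and it assumes the openssl command-line tool is installed and that the server and client keys carry no passphrase.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check ast_tls_cert output.

# cert_cn CERT: print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_cert CA CERT CN: CERT must verify against CA and carry exactly CN
# (the address the peer is reached at or registers as).
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "FAIL: $2 does not verify against $1" >&2; return 1; }
    [ "$(cert_cn "$2")" = "$3" ] ||
        { echo "FAIL: $2 has CN '$(cert_cn "$2")', expected '$3'" >&2; return 1; }
}

# check_keypair KEY CERT: the unencrypted private key must match the certificate.
check_keypair() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) && [ -n "$pub" ] &&
        [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ] ||
        { echo "FAIL: $1 is not the key for $2" >&2; return 1; }
}

# check_private FILE: a file holding a private key must not be world-readable.
check_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ] ||
        { echo "FAIL: $1 is missing or world-readable" >&2; return 1; }
}

# Run against the walkthrough's directory when it exists (KEYDIR is overridable).
KEYDIR=${KEYDIR:-/etc/asterisk/keys}
if [ -f "$KEYDIR/ca.crt" ]; then
    check_cert    "$KEYDIR/ca.crt" "$KEYDIR/asterisk.crt" 10.24.14.201
    check_cert    "$KEYDIR/ca.crt" "$KEYDIR/blink.crt"    10.24.14.135
    check_keypair "$KEYDIR/asterisk.key" "$KEYDIR/asterisk.crt"
    check_keypair "$KEYDIR/blink.key"    "$KEYDIR/blink.crt"
    # The .pem files bundle the private key with the certificate.
    for f in ca.key asterisk.key asterisk.pem blink.key blink.pem; do
        check_private "$KEYDIR/$f"
    done
    echo "checks finished"
fi
```

Any FAIL line points at the file to regenerate or to tighten with chmod before Asterisk is restarted.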
Next, let's configure Asterisk to use TLS.
Set:
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
..
Blink needs ca.crt in the main TLS config.
Blink needs blink.pem in the account config.
to be continued...