
So you'd like to make some secure calls.

I wanted to, too, and it was too complicated and the documentation needs work.

Here's how to do it, using Blink.

First, let's make a place for our keys.

mkdir /etc/asterisk/keys

Next, use the ast_tls_cert script in the contrib/scripts directory of the Asterisk source to make a self-signed certificate authority and an Asterisk certificate.

./ast_tls_cert -C 10.24.14.201 -O "10.24.14.201" -d /etc/asterisk/keys

Here, I'm making the Common name (-C) the same as the IP address of the server - that's because clients will register to the IP address. If clients were registering to a DNS name, like pbx.mycompany.com, we'd use that instead.

The -O flag is an organizational name. It could be your company, or whatever. It's necessary, but irrelevant.

The -d specifies where the output files go.

Next, generate a client certificate.

./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C "10.24.14.135" -O "10.24.14.201" -d /etc/asterisk/keys -o blink

Here, we're telling the script that we want a client certificate (-m client), that we want to use a particular authority (-c /etc/asterisk/keys/ca.crt) with the key for that authority (-k /etc/asterisk/keys/ca.key), that the client will be coming from somewhere (-C "10.24.14.135" in this case, because that's what the client registers to Asterisk as), that we want the output files to go somewhere (-d /etc/asterisk/keys), and that we want the output files to all be named something (-o blink), whatever their extension is.

Now we've got a list of the items we've built. They should be:

asterisk.crt
asterisk.csr
asterisk.key
asterisk.pem
blink.crt
blink.csr
blink.key
blink.pem
ca.cfg
ca.crt
ca.key
tmp.cfg
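
Before pointing Asterisk and Blink at these files, it helps to confirm that each bundle chains to ca.crt, that its private key matches its certificate, and that the Common Name is the address the peer actually uses. The script below is an added example, not part of the original page or the Asterisk project: check_bundle and make_sample_pki are hypothetical helper names, it assumes each .pem bundle holds the private key followed by the certificate, and it runs against a throwaway CA it constructs itself rather than the real keys.

```shell
#!/bin/sh
# Added example: sanity-check a key/cert bundle before Asterisk or Blink uses it.
# Assumption: the .pem bundle holds the private key followed by the certificate.

# check_bundle CA_CERT BUNDLE_PEM EXPECTED_CN -> returns 0 only if all checks pass
check_bundle() {
    ca=$1; pem=$2; want_cn=$3

    # 1. The certificate must chain to our CA (what the peer's CA file will enforce).
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 ||
        { echo "FAIL chain: $pem"; return 1; }

    # 2. The private key in the bundle must belong to the certificate in the bundle.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL key mismatch: $pem"; return 1; }

    # 3. The Common Name must be the address the peer connects or registers to.
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$want_cn" ] || { echo "FAIL CN '$cn' != '$want_cn': $pem"; return 1; }

    echo "OK $pem"
}

# Constructed sample input: a throwaway CA and one bundle (key first, then cert),
# so the example runs offline. These are not the keys generated on this page.
make_sample_pki() {
    d=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn/O=example" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
    cat "$d/srv.key" "$d/srv.crt" > "$d/srv.pem"
}

# Demonstration run against the constructed files.
tmp=$(mktemp -d)
make_sample_pki "$tmp" 10.24.14.201
check_bundle "$tmp/ca.crt" "$tmp/srv.pem" 10.24.14.201
rm -rf "$tmp"
```

Against the real files, the equivalent calls would be check_bundle /etc/asterisk/keys/ca.crt /etc/asterisk/keys/asterisk.pem 10.24.14.201 and the same for blink.pem with 10.24.14.135.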

Next, let's configure Asterisk to use TLS.

Set:
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1

..

Blink needs ca.crt in the main TLS config.
Blink needs blink.pem in the account config.

to be continued...