<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
> Date: Tue, 7 Sep 2010 09:47:18 +0200<br>
> From: klaus.mailinglists@pernau.at<br>
> To: betergreen@live.com<br>
> CC: sr-users@lists.sip-router.org<br>
> Subject: Re: [SR-Users] please help to register sip phone to kamailio server via tls support.<br>
> <br>
> I couldn't follow what you exactly did, but you should<br>
> <br>
> 1. create a self-signed CA certificate<br>
> <br>
> 2. create private and public key for server. Make certificate signing request (CSR) from the public key. Sign this CSR with the CA certificate - this will give you the server certificate.<br>
> <br>
> 3. configure in Kamailio the server's public key (certificate), the server's private key and the CA certificate as CA list.<br>
> <br>
> 4. Import the CA certificate into the TLS client (e.g. the SIP client)<br>
> <br>
> You can test if the Kamailio configuration works by using a browser, e.g.:<br>
> <br>
> - surf with Internet Explorer to https://domain.name.ofyour.sipproxy:5061/<br>
> This should give you a certificate warning (do NOT accept the certificate)<br>
> <br>
> - close Internet Explorer<br>
> <br>
> - import CA certificate into Windows certificate store<br>
> <br>
> - surf with Internet Explorer again to https://domain.name.ofyour.sipproxy:5061/<br>
> This time there should not be any certificate warning.<br>
> <br>
> You can also try other SIP clients, e.g. eyebeam (uses Windows certificate store), twinkle (Linux) or QjSimple (lets you specify the CA file manually, do not configure client certificate and private key)<br>
> <br>
> regards<br>
> klaus<br>
<br>
Hi Klaus,<br>
I have configured it as you advised:<br>
<br>
> 1. create a self-signed CA certificate<br>
<pre class="programlisting">Creating CA certificate
-----------------------
1. create CA dir
        mkdir ca
        cd ca

2. create ca dir structure and files (see ca(1))
        mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf
        mkdir demoCA/private
        mkdir demoCA/newcerts
        touch demoCA/index.txt
        echo 01 >demoCA/serial

3. create CA private key
        openssl genrsa -out demoCA/private/cakey.pem 2048
        chmod 600 demoCA/private/cakey.pem

4. create CA self-signed certificate
        openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem
</pre>
<br>
> 2. create private and public key for server. Make certificate signing request (CSR) from the public key. Sign this CSR with the CA certificate - this will give you the server certificate.<br>
<br>
<pre class="programlisting">Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
        openssl req -out ser1_cert_req.pem -new -nodes
   WARNING: the organization name should be the same as in the ca certificate.

2. sign it with the ca certificate
        openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
</pre>
<br>
so "ser1_cert.pem" is the server certificate.<br>
<br>
> 3. configure in Kamailio the server's public key (certificate), the server's private key and the CA certificate as CA list.<br>
<br>
My configuration is:<br>
<pre class="programlisting">modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/usr/local/etc/kamailio/ser1_cert.pem") #server cert
modparam("tls", "private_key", "/usr/local/etc/kamailio/privkey.pem") #privkey
modparam("tls", "ca_list", "/usr/local/etc/kamailio/calist.pem") #ca cert
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
</pre>
<br>
> 4. Import the CA certificate into the TLS client (e.g. the SIP client)<br>
<br>
I copied calist.pem to my PC and added it to the IE certificates. Test:<br>
<br>
The result is:<br>
<br>
--> starting kamailio is ok.<br>
--> open IE: as you described, I added calist.pem to the Windows certificate store, but it fails.<br>
<br>
The message is: Windows cannot validate that the certificate is actually from 192.168.1.81. You should confirm its origin by contacting 192.168.1.81...<br>
<br>
Please help me to fix it.<br>
Thank you so much.<br>
Peter Green.<br>
</body>
</html>