Mircea Carasel wrote:
> Hi,
> Regarding XCF-2428, I would like to open a new discussion thread in
> order to bring once more to attention a solution proposal that will
> accomplish the following requirement: make possible the coexistence of
> a web ssl certificate and an xml-rpc ssl certificate in sipXconfig
>
> Based on our research, here is the result:
> [...]
>
> We made some tests with some new web certificates and we observed that
> the existence of the ssl.crt, ssl.key and ssl.p12 files is mandatory in
> the {prefix}/etc/sipxpbx/ssl directory. As you pointed out,
> create-ssl-keystore.sh creates a keystore (if not already existing),
> and we looked into it and saw that it adds the certificate
> represented by the ssl.crt file to this keystore
> ({prefix}/etc/sipxpbx/ssl/.ssl.keystore).
>
> We could use a specific name for the web certificate (ssl-web.crt,
> ssl-web.key, ssl-web.p12) and copy it from the
> {prefix}/var/sipxdata/configserver/web-cert directory to the
> {prefix}/etc/sipxpbx/ssl directory. In this way, we will have two
> certificates, one for the xml-rpc named ssl.* as it is now and another
> one for the web named ssl-web.*.
> For this, we will have to modify the create-ssl-keystore.sh file and
> have it import the web certificate into the keystore only if the
> ssl-web.crt file exists. Otherwise it will import the ssl.crt file into
> the keystore.
>
> Finally, for the changes to take effect, we will need to restart the JVM
> and pass the changes to it.
>
> However, we don't know if these changes will affect the xml-rpc side.
> Please share your thoughts with us.
>
> [...]
> Please let us know if this approach is suitable.
>
> Regards,
> Mircea
That should work. If I remember correctly, the keystore is used for identifying
the WEB server only. XML/RPC does not use peer authentication at the moment, so
it will only use the CA cert that is kept in the truststore (IOW: the XML/RPC server is
authenticated, the client is not).
So changes in how the keystore is generated should not affect anything else.
That said, it would be nice to figure out how to make it work if the keystore
contains more than one cert...
D.
_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
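The selection rule Mircea proposes (import ssl-web.* into the keystore when ssl-web.crt is present, otherwise fall back to ssl.*) sketched as a POSIX sh fragment. This is an added example, not sipXconfig's create-ssl-keystore.sh or any other project code. Assumptions not in the thread: the SIPX_PREFIX variable standing in for {prefix}, the choice to refuse a half-present ssl-web set (crt without key/p12) rather than silently falling back, the use of keytool -importkeystore on the .p12 bundle so the JVM gets the private key together with the cert (the thread only says the script adds ssl.crt), and the alias and store-password handling.

```shell
#!/bin/sh
# Added example: choose between ssl-web.* and ssl.* in the sipXconfig ssl
# directory and import the chosen pair into the JVM keystore.
# Not the project's own script. SIPX_PREFIX, the strict "all three files or
# none" rule, and the keytool invocation are assumptions.

SIPX_PREFIX=${SIPX_PREFIX:-/usr/local/sipx}           # assumed stand-in for {prefix}
SSL_DIR=${SSL_DIR:-$SIPX_PREFIX/etc/sipxpbx/ssl}
KEYSTORE=${KEYSTORE:-$SSL_DIR/.ssl.keystore}            # path quoted in the thread

# select_web_cert DIR
# Prints "ssl-web" when DIR/ssl-web.crt exists, otherwise "ssl".
# Returns 1 (and prints nothing) if ssl-web.crt exists but its key or p12
# is missing, so a partially copied web cert never gets half-imported.
select_web_cert() {
    if [ -f "$1/ssl-web.crt" ]; then
        if [ ! -f "$1/ssl-web.key" ] || [ ! -f "$1/ssl-web.p12" ]; then
            echo "ssl-web.crt found but ssl-web.key or ssl-web.p12 is missing in $1" >&2
            return 1
        fi
        echo ssl-web
    else
        echo ssl
    fi
}

# import_selected_cert DIR KEYSTORE STOREPASS
# Imports DIR/<selected>.p12 (key + cert) into KEYSTORE under alias <selected>.
# Assumption: the p12 and the JKS share STOREPASS. Prints the alias used.
import_selected_cert() {
    dir=$1; store=$2; pass=$3
    base=$(select_web_cert "$dir") || return 1
    command -v keytool >/dev/null 2>&1 || {
        echo "keytool not found; JDK required" >&2; return 2; }
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/$base.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -srcalias "$base" -destalias "$base" \
        -destkeystore "$store" -deststoretype JKS -deststorepass "$pass" || return 1
    echo "$base"
}

# Usage when run directly (skipped when sourced by a test):
if [ "${0##*/}" = "create-ssl-keystore-example.sh" ]; then
    import_selected_cert "$SSL_DIR" "$KEYSTORE" "${STOREPASS:-changeit}"
fi
```

After the import, `keytool -list -keystore "$KEYSTORE"` shows which alias ended up in the store; with both ssl and ssl-web present that listing is where D.'s open question (a keystore holding more than one cert) becomes visible, since the web container still has to be told which alias to present.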