On Mon, Nov 23, 2009 at 9:23 AM, Damian Krzeminski <[email protected]> wrote:
> Carolyn Beeton wrote:
>>
>> As we start to work on TLS between systems (sipXbridge and sipXproxy),
>> we need to share certificates between these systems. I assume it is
>> somewhat similar to the HA setup, but not identical. Has anyone done
>> it? I have a general idea that certs need to be generated on one box,
>> and copied to and installed on the other, but I am not sure which ones.
>> Is there a way to test on a developer system without a real CA? I think
>> there is an issue for installing certs through sipXconfig, but I am
>> looking for a more immediate command line equivalent.
>>
>
> Installing certs through sipXconfig UI will not help here, since UI is used
> to install the WEB site cert only (used when your browser is trying to
> identify sipXconfig WEB portal).
>
> Incidentally I do think that there is an issue (or at least a significant
> change) with how CAs in etc/sipxpbx/ssl/authorities are treated in 3.x and
> 4.x. In 3.x adding a new CA was as simple as dropping a new certificate in
> that directory and restarting sipXconfig (which automatically re-generated
> truststore). Since starting from 4.x sipXconfig is not the only service
> that is using the truststore, Ranga moved the generation to separate scripts.
> Unfortunately it looks like automatic generation of truststore does not work
> any more. Or maybe I just didn't find the correct incantation to trigger
> it. I ended up adding the certs I needed to the truststore manually.
>
> See my comment for XX-6247 to see command line example:
> http://tinyurl.com/ybcywd6
> D.

To avoid any confusion (and as I mentioned in the after scrum meeting),
this is by design. The cert generation is moved to sipxecs-setup (just
once) and not during startup (recall javacertsetup.sh was deemed
incorrect). Should this behavior be changed (again?)

Thanks

Ranga

>
> _______________________________________________
> sipx-dev mailing list [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-dev
> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
> sipXecs IP PBX -- http://www.sipfoundry.org/
>

--
M. Ranganathan
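
Added example (not part of the thread and not sipXecs code): for the question above about testing on a developer system without a real CA, this sketch uses only the openssl CLI to create a throwaway CA, issue a host certificate from it, and check whether a peer holding a given CA file accepts that certificate. The directory layout, file names and host name are assumptions; installing the results into sipXecs (its authorities directory and truststore) is not shown.

```shell
#!/bin/sh
# Added example: throwaway CA for developer TLS testing.
# All paths and names below are assumptions chosen for illustration.

# make_dev_ca DIR
# Create a self-signed test CA in DIR: ca.key (private) and ca.crt (public).
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_dev_ca() (
    dir=$1
    umask 077
    mkdir -p "$dir" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Dev Test CA (constructed)" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
)

# issue_host_cert DIR FQDN
# Generate a key and CSR for FQDN, then sign the CSR with the CA in DIR.
# Produces DIR/FQDN.key and DIR/FQDN.crt.
issue_host_cert() (
    dir=$1
    host=$2
    umask 077
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null || exit 1
    openssl x509 -req -in "$dir/$host.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$host.crt" 2>/dev/null
)

# peer_trusts CA_FILE CERT
# Succeeds only if CERT chains to the CA certificate in CA_FILE. This is the
# check a peer performs once the CA certificate has been copied to it; a peer
# that was never given the CA certificate rejects the host certificate.
peer_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Typical use on a developer box (host name is a constructed sample):
#   make_dev_ca /tmp/devca
#   issue_host_cert /tmp/devca bridge.example.test
#   peer_trusts /tmp/devca/ca.crt /tmp/devca/bridge.example.test.crt && echo trusted
```

Only ca.crt needs to be copied to the other system; ca.key and each host's private key stay where they were generated.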
