M. Ranganathan wrote:
> On Mon, Nov 23, 2009 at 9:23 AM, Damian Krzeminski <[email protected]>
> wrote:
>> Carolyn Beeton wrote:
>>>
>>> As we start to work on TLS between systems (sipXbridge and sipXproxy),
>>> we need to share certificates between these systems. I assume it is
>>> somewhat similar to the HA setup, but not identical. Has anyone done
>>> it? I have a general idea that certs need to be generated on one box,
>>> and copied to and installed on the other, but I am not sure which ones.
>>> Is there a way to test on a developer system without a real CA? I think
>>> there is an issue for installing certs through sipXconfig, but I am
>>> looking for a more immediate command line equivalent.
>>>
>> Installing certs through the sipXconfig UI will not help here, since the UI is used
>> to install the web site cert only (used when your browser is trying to
>> identify the sipXconfig web portal).
>>
>> Incidentally I do think that there is an issue (or at least a significant
>> change) with how CAs in etc/sipxpbx/ssl/authorities are treated in 3.x and
>> 4.x. In 3.x adding a new CA was as simple as dropping a new certificate in
>> that directory and restarting sipXconfig (which automatically re-generated
>> the truststore). Since starting from 4.x sipXconfig is not the only service
>> that is using the truststore, Ranga moved the generation to separate scripts.
>> Unfortunately it looks like automatic generation of the truststore does not work
>> any more. Or maybe I just didn't find the correct incantation to trigger
>> it. I ended up adding the certs I needed to the truststore manually.
>>
>> See my comment for XX-6247 to see a command line example:
>> http://tinyurl.com/ybcywd6
>> D.
>
>
> To avoid any confusion (and as I mentioned in the after-scrum
> meeting), this is by design. The cert generation is moved to
> sipxecs-setup (just once) and not during startup (recall
> javacertsetup.sh was deemed incorrect).
>
> Should this behavior be changed (again?)
>
I do not think it needs to be changed: I am just saying it did not work for me.
I dropped the new CA cert in the 'authorities' directory, restarted the sipxpbx
service and my truststore remained unchanged. It might have had something to do
with my development setup. I didn't have time to investigate it so I just added
a cert manually to the truststore.

Damian
_______________________________________________
sipx-dev mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
