On Thu, 2009-12-17 at 13:20 -0500, Mossman, Paul (CAR:9D30) wrote:
> Scott wrote:
> ...
> > > Is [XX-6905] the same requirement as Scott's "B." in
> > > http://track.sipfoundry.org/browse/XX-7249 ?
> >
> > Not quite, but they are related.
> >
> > The current interface for generating a web certificate does
> > two things:
> >
> > 1. Generates a public/private key pair
> > 2. Creates a CSR (an unsigned public key) containing the full
> >    hostname of the system.
> >
> > The user is then expected to take the CSR to a CA to be
> > signed, which is what produces a certificate (a certificate
> > is essentially just a public key with metadata and a signature).
> >
> > XX-6905 says that we should allow the creation of a CSR that
> > uses some alias for the hostname: the system's real fqdn might
> > be 'ds12r5s7.example.com' (because that's the corporate
> > standard form my hostnames must have - identifying the
> > datacenter, rack, and shelf), but I want my users to log in
> > using 'voicemail.example.com', or 'sipxecs.example.com'.
>
> Regarding the UI for XX-6905, it sounds like "Server Name" on the
> "Generate CSR" screen should actually be a drop-down containing the
> system Domain Names, as well as all Domain Aliases? You then choose
> which one you want to generate the CSR for.

It might not be any of them - consider the 'voicemail.example.com'
example above: the SIP doesn't need that name for anything, so it won't
be anywhere in the configuration. This is just an alias for the web ui,
which I don't believe cares what name you use for it in requests.

> > XX-7249...
> > It should be
> > possible to import the combination of a private key and a
> > certificate, even though sipXconfig was not used to generate
> > either (and that certificate may well not use the fqdn of the
> > system - hence the relationship between the issues).
>
> And let me guess, the private key is sometimes delivered as a file, and
> sometimes as text?
>
> It will be a challenge to construct a simple single screen which allows
> the private key to be optional, but both to be uploaded as either file
> or text.

That's why we pay all the sipXconfig developers the big bucks :-)

> > As for checking certificates - in both cases, the check-cert.sh script
> > should be invoked to do any checking.
>
> Looking at the code, I think we are not running check-cert.sh on
> Certificates, but only on Certificate Authorities.

It's not going to work if we install a certificate signed by some CA for
which we don't have the CA certificate installed - when the software
tries to load that cert, it will fail validation.

If it makes things easier, I can add a --issuer option to check-cert.sh
that will extract and print the name of the certificate that we don't
have when a validation fails (it's in the certificate you're checking).

_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
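As an added example (not sipXconfig or check-cert.sh code), the two operations the thread discusses done with the openssl CLI: a CSR whose subjectAltName carries the login alias alongside the real fqdn (XX-6905), and a certificate check that verifies an imported certificate against a CA bundle and names the missing issuer when verification fails (the --issuer idea for XX-7249). It assumes openssl 1.1.1 or later on PATH with a usable default openssl.cnf; the hostnames, CA names and scratch-file layout are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not sipXconfig or check-cert.sh code. Assumes openssl 1.1.1+
# on PATH and a usable default openssl.cnf; all files land in $WORK (constructed).
set -e
WORK=$(mktemp -d)

# Key pair + CSR: CN is the real fqdn, subjectAltName carries the alias users
# actually type (the XX-6905 case). Browsers match on the SAN, not the CN.
make_csr() {  # make_csr <fqdn> <alias>  -> prints CSR path
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1,DNS:$2" 2>/dev/null
    echo "$WORK/$1.csr"
}

# Throw-away CA standing in for the corporate CA the CSR is sent to.
make_ca() {  # make_ca <slug> <name>  -> prints CA cert path
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    echo "$WORK/$1.crt"
}

# The CA signs the CSR. The SAN is re-stated via -extfile because
# "x509 -req" drops requested extensions unless told to carry them over.
sign_csr() {  # sign_csr <csr> <ca.crt> <fqdn> <alias>  -> prints cert path
    ca_base="${2%.crt}"
    printf 'subjectAltName=DNS:%s,DNS:%s\n' "$3" "$4" > "$WORK/ext"
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$ca_base.key" -CAcreateserial \
        -days 30 -extfile "$WORK/ext" -out "$WORK/$3.crt" 2>/dev/null
    echo "$WORK/$3.crt"
}

# What a check on an imported certificate (XX-7249) needs to do: verify it
# against the installed CA bundle and, on failure, print the issuer so the
# operator knows which CA certificate is missing before the software tries
# to load the certificate and fails validation.
check_cert() {  # check_cert <cert> <ca-bundle>  -> 0 ok / 1 issuer not in bundle
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "OK: $1"
        return 0
    fi
    echo "missing issuer: $(openssl x509 -in "$1" -noout -issuer)"
    return 1
}
```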
