On Fri, 2008-11-21 at 09:13 -0600, Scott Lawrence wrote:
> On Fri, 2008-11-21 at 15:23 +0200, Tufan Karadere wrote:
> >
> > This, again I guess, may be something with our certificates, which are
> > signed by our own CA. I put the CA cert into /etc/sipxpbx/ssl/cacert
> > and it built the /etc/sipxpbx/ssl/.authorities.jks file, but I don't
> > know. The hostname of the server (padme) is different from the
> > hostname it gives the service with (sip), perhaps it's the cause, but
> > I couldn't find a way to make everything use the "sip" hostname. In
> > some logs, the default hostname still appears.
>
> This may well be at the root of your problems. I'm not clear on what
> you mean by the hostname being different, but it doesn't sound good.
>
> The sipXecs SSL usages require that the certificates be built as
> specified in
>
> http://www.ietf.org/internet-drafts/draft-ietf-sip-domain-certs-02.txt
>
> in short, the host name in the subjectAltName attribute of the cert
> should match.
>
> If you'll post (or send me) the public part of your certificate,
> including the public part of the ca certificate, I can check them to see
> if they are compatible with our expectations (I'm travelling much of
> today, so I won't see any reply until tomorrow morning).

Looking at the certs you sent - they are not compatible with sipXecs
expectations.

If there is some reason why you feel strongly that you need to use your
own self-signed certificate hierarchy (rather than the one our tool
creates), you may be able to use your CA cert and key with the
gen-ssl-keys.sh script (in .../bin/ssl-certs) to create
sipXecs-compatible certificates. See the instructions with --help.
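
Added example, not part of the original thread and not sipXecs code: a small Python check of whether a certificate's subjectAltName entries cover the name a service is reached by, which is the mismatch discussed above (server host padme, service name sip). The cert dicts use the shape returned by ssl.SSLSocket.getpeercert(); the example.org names, the function names, exact-match comparison and the rule that a SIP URI with a user part is skipped are assumptions of this example.

```python
# Added illustration. Sample certificates below are constructed, not real.

def sip_uri_host(uri):
    """Return the host of a sip:/sips: URI, or None if it is not a host identity."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        return None
    rest = rest.split(";", 1)[0].split("?", 1)[0]   # drop URI parameters/headers
    if "@" in rest:   # assumption: a user part names a user, not a host
        return None
    host, sep, port = rest.rpartition(":")
    if sep and port.isdigit():                      # drop an explicit port
        rest = host
    return rest.lower() or None


def san_identities(cert):
    """Collect DNS and SIP-URI host names from the cert's subjectAltName."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower().rstrip("."))
        elif kind == "URI":
            host = sip_uri_host(value)
            if host:
                names.add(host)
    return names


def check_cert_names(cert, expected_names):
    """Map each expected name to True if the SAN covers it (exact match, no wildcards)."""
    have = san_identities(cert)
    return {name: name.lower().rstrip(".") in have for name in expected_names}


# Constructed: cert issued for the machine's own host name only.
HOST_ONLY_CERT = {"subjectAltName": (("DNS", "padme.example.org"),)}
# Constructed: cert that also names the service host and the SIP domain.
SERVICE_CERT = {"subjectAltName": (("DNS", "sip.example.org"),
                                   ("URI", "sip:example.org"),
                                   ("DNS", "padme.example.org"))}

if __name__ == "__main__":
    for label, cert in (("host-only", HOST_ONLY_CERT), ("service", SERVICE_CERT)):
        print(label, check_cert_names(cert, ["sip.example.org", "example.org"]))
```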
