For what it is worth, these steps work perfectly for me for installing 
a cert and CA cert on a 4.0.4 machine (thanks Grant!)

Build the SipXecs machine so it is complete and a standard build, all 
configured and rebooted a couple of times.


SSH onto the box and run the following:

mkdir $HOME/sslkeys
cd $HOME/sslkeys
/usr/bin/ssl-cert/gen-ssl-keys.sh


Copy the resulting csr file and submit it to the CA of choice; in this 
case I submitted it to my MS CA.

Copy the certificate that was issued by the CA back to the sslkeys 
folder and name it the same as the other files but with a .cer extension.

Run the following over it:
openssl x509 -in myhost.mydomain.cer -inform DER -out myhost.mydomain.crt -outform PEM

Next create the java keystore:
/usr/bin/ssl-cert/gen-ssl-keys.sh --convert-crt2jks myhost.mydomain 
(notice no extension, just the Hostname + FQDN)

At that point you should have
SSL_DEFAULTS
myhost.mydomain.csr
myhost.mydomain.key
myhost.mydomain.crt
myhost.mydomain.keystore
myhost.mydomain.p12

In the /etc/sipxpbx/ssl directory remove ssl-web.crt, ssl-web.keystore, 
ssl-web.key and ssl-web.p12 and replace with the certificates above 
except for myhost.mydomain.csr and SSL_DEFAULTS and rename them the same 
as the ones removed respectively.

At this point you can do a service sipxecs restart to check if it is all 
going to work. Once the services have restarted then you should be able 
to log onto the main web page and not get a certificate error, but you 
should not be able to change your PIN through the telephone interface. 
This is because it can’t find the CA for the certificate you just installed.

So to correct that error, copy your CA file (say from Internet Explorer) 
to a file in the DER format. Putting it into the same directory as 
earlier is fine.

Run the following:
openssl x509 -in myhost.mydomainCA.cer -inform DER -out myhost.mydomainCA.crt -outform PEM

Then copy that file into the /etc/sipxpbx/ssl/authorities directory and 
run the following:
/usr/bin/ssl-cert/ca_rehash

and restart your sipXecs processes or reboot.

You can now log in with no SSL error and you should be able to change 
your PIN via the TUI.

Note:
If you use an external CA that is using an intermediate certificate, you 
must process (convert to PEM and rehash) the intermediate CA file the 
same as you did the CA, so for that certificate you will have two CA 
certificates in the authorities store.




On 7/29/2010 10:13 AM, Joe Micciche wrote:
> On 07/28/2010 04:16 PM, Martin Steinmann wrote:
>> There were two earlier issues like this:
>> http://track.sipfoundry.org/browse/XX-7349
>> http://track.sipfoundry.org/browse/XX-7249
>>
>> What version are you running?  Looking at the sipxconfig.log would likely
>> reveal the issue.
> We seem to be stuck. Today I have "Unable to validate certificate" in
> the web ui, and nothing in the sipxconfig.log.
>
> We reviewed those issues and didn't really get anything out of them.
>
> We tried George's suggestion to rename the pem to crt, no luck.
>
> Any suggestions what to do or where to look next? This issue is a
> showstopper for us.
>
> -- 
> ==================================================================
> Joe Micciche                          [email protected]
> Red Hat, Inc.                         http://www.redhat.com
> Senior Communications Engineer                X(81) 44554
> +1.919.754.4554                               Key: 65F90FE1
> ==================================================================
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
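
A pre-restart check for the procedure above, as an added example that is not part of the original message or of sipXecs: it confirms the certificate is PEM, matches the private key, and chains to the CA files destined for the authorities directory. The function names check_sipx_cert and make_demo are hypothetical, and the throwaway CA and host certificate are constructed test material.

```shell
#!/bin/sh
# Added example; check_sipx_cert and make_demo are hypothetical helper names.
# check_sipx_cert KEY CRT CA_PEM [INTERMEDIATE_PEM ...]
# Returns 0 ok, 1 CRT not PEM, 2 CRT/KEY mismatch, 3 chain fails, 64 usage.
check_sipx_cert() {
    [ $# -ge 3 ] || { echo "usage: check_sipx_cert KEY CRT CA_PEM..."; return 64; }
    key=$1; crt=$2; shift 2
    # 1. A DER file as issued by the CA has no PEM armour and must be converted.
    grep -q 'BEGIN CERTIFICATE' "$crt" 2>/dev/null &&
        openssl x509 -in "$crt" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $crt"; return 1; }
    # 2. The certificate must carry the public half of the private key.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "certificate does not match key: $key"; return 2; }
    # 3. The chain must build from the CA files given (root plus any
    #    intermediates), i.e. the files that go into the authorities directory.
    bundle=$(mktemp); cat "$@" > "$bundle"
    openssl verify -CAfile "$bundle" "$crt" 2>/dev/null | grep -q ': OK$' && rc=0 || rc=3
    rm -f "$bundle"
    [ "$rc" -eq 0 ] || { echo "chain does not verify: $crt"; return 3; }
    echo "ok: $crt"
}

# Constructed test material: a throwaway CA and a host certificate in dir $1.
# The CA returns DER (host.cer), which is then converted as in the steps above.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=myhost.mydomain" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -outform DER -out "$d/host.cer" 2>/dev/null
    openssl x509 -in "$d/host.cer" -inform DER -out "$d/host.crt" -outform PEM
}

# Demo run on the constructed material.
demo=$(mktemp -d) && make_demo "$demo"
check_sipx_cert "$demo/host.key" "$demo/host.cer" "$demo/ca.crt" || echo "rejected (rc=$?)"
check_sipx_cert "$demo/host.key" "$demo/host.crt" "$demo/ca.crt" || echo "rejected (rc=$?)"
rm -rf "$demo"
```

On a real box the same call would take `/etc/sipxpbx/ssl/ssl-web.key`, `/etc/sipxpbx/ssl/ssl-web.crt` and the PEM CA files copied into `/etc/sipxpbx/ssl/authorities`, with any intermediate CA passed as an additional argument.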
