On Thu, Oct 14, 2010 at 4:51 AM, Staffan Kerker <[email protected]> wrote:

> Hi
>
> I need some clarifications how the TLS certificates are used in SipX. I'm
> not too familiar with this so please be kind =)
>
> On installation SipX creates a keypair and sets up an internal CA to sign
> the certificate. This certificate is used by the Web-interface
> and internal services and the internal CA is shown in the
> "Certificates"->"Certificate Authorities" in SipX.
>
> Now, if I wanna use a trusted CA. I use the webgui to create a CSR and send
> this to the CA for signing. I get a signed certificate
> back that I now can install using the "Import Web Certificate" option in
> the SipX GUI. After restart of some services I see that the
> Web-gui now uses the certificate signed by the trusted CA. Fine so far.
>
> The internal CA, can I remove that one now? I tried it and all services
> started failing... =) Is it still used internally for the services?

YES. It is used for sipx. A bad or expired internal certificate will keep services from starting. The external certificate you installed is to remove the "not a valid 'real' certificate" browser nag.

> I want to start using TLS on the SipXBridge SIPtrunk and want to use the
> certificate signed by the trusted CA, so I guess it's the trusted CA's root
> certificate that I should install in the TLS peer? (as well as installing
> the peer's CA cert in SipX using the "Import" option on the "Certificate
> Authorities" section of the Web GUI)

I think that needs a wiki article. You also need to make sure you have a _sip._tls DNS SRV record pointing to the port (default) 5061 and that your firewall (if the peer is across the internet) allows and NATs it. I've been meaning to get a tracker on DNS; going forward sipx needs to generate that record by default and probably an A record for the domain (judging by logs getting cut in the proxy in the dev version). You use the self assigned cert in the TLS.

http://wiki.sipfoundry.org/display/xecsuserV4r2/Using+TLS

> /Staffan
>
> --
> Staffan Kerker
> mail/sip/xmpp: [email protected]
>
> "There is absolutely no money above the 5th fret..." /Donald "Duck" Dunn
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/

--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.326.5325
Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]

Helpdesk Contract Customers:
http://support.myitdepartment.net
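
The DNS prerequisite mentioned in the reply above can be checked before enabling the TLS trunk. The following is an added example, not part of the original thread and not sipX code: it audits zone-file text for a `_sip._tls` SRV record on port 5061 whose target resolves, plus the A record for the domain that the reply says is probably needed. The names `example.com`, `sipx.example.com`, `gw.example.com`, the addresses and the function `check_sip_tls` are constructed for illustration.

```python
import re

# Constructed zone-file fragments (hypothetical names and addresses).
GOOD_ZONE = """\
example.com.            3600 IN A   192.0.2.10
sipx.example.com.       3600 IN A   192.0.2.10
_sip._tls.example.com.  3600 IN SRV 10 10 5061 sipx.example.com.
"""
BAD_ZONE = """\
sipx.example.com.       3600 IN A   192.0.2.10
_sip._tcp.example.com.  3600 IN SRV 10 10 5060 sipx.example.com.
_sip._tls.example.com.  3600 IN SRV 10 10 5060 gw.example.com.  ; wrong port
"""

# owner name, optional TTL, class IN, type A or SRV, then the record data
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|SRV)\s+(.+)$", re.I)

def check_sip_tls(zone_text, domain, expected_port=5061):
    """Return a list of problems with the SIP-over-TLS DNS records for domain."""
    a_names, srv = set(), []
    for line in zone_text.splitlines():
        m = RR.match(line.split(";", 1)[0].strip())  # drop zone-file comments
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        rtype, rdata = m.group(2).upper(), m.group(3).split()
        if rtype == "A":
            a_names.add(name)
        elif name == f"_sip._tls.{domain}" and len(rdata) == 4:
            # SRV rdata is: priority weight port target
            srv.append((int(rdata[2]), rdata[3].lower().rstrip(".")))
    problems = []
    if not srv:
        problems.append(f"no _sip._tls.{domain} SRV record")
    for port, target in srv:
        if port != expected_port:
            problems.append(f"SRV points to port {port}, expected {expected_port}")
        if target not in a_names:
            problems.append(f"SRV target {target} has no A record")
    if domain not in a_names:  # the reply's "probably an A record for the domain"
        problems.append(f"no A record for {domain}")
    return problems

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_sip_tls(zone, "example.com"))
```
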
