On 10/7/2010 8:34 AM, Geoff Van Brunt wrote:
> I just did this yesterday in fact. I never could get the web gui
> working, except for the CA certs. That required exporting in base-64
> format and then changing the file extension to crt from cer, otherwise
> they won't upload. I haven't gotten around to checking the tracker if an
> issue has been created or not yet.
>
> At that point I had a heck of a time trying to get the certs updated. I
> did this:
>
> mkdir $HOME/sslkeys
> cd $HOME/sslkeys
> /usr/bin/ssl-cert/gen-ssl-keys.sh
>
> I used the csr to generate a cert in our AD CA. One thing I had to do
> was create a custom template. The regular Web Server cert was only for
> Server Authentication purposes. The cert is also used in a client
> fashion by TLS so you need to duplicate the Computer template and change
> the security so only Admins can create the cert. Also you need to change
> Subject Name tab to "Supply in Request" so you can obtain from the web
> interface.
>

This is driving me absolutely crazy. I have built several 4.2.1 servers with manual ssl cert installation. All of a sudden, I'm having the exact same problem you mention above. I have no idea why. See below for my error message. I have always selected web server template, but for some reason I have this issue now on a new server. The issued cert appears identical to the other ones that are working.

This is not entirely a sipx question, but it is related and could help someone I suppose. By any chance is your cert server 2003 standard? I created the new template, but I can't seem to figure out how to publish the template. I've come across a few posts indicating it may need to be 2003 enterprise or 2008 r2. Any other ideas how I can resolve this?

[r...@pbx ssl]# service sipxecs start
Checking bootstrap setup: [ OK ]
Checking TLS/SSL configuration: [FAILED]
sipXpbx:
sipXpbx: sipXpbx configuration problems found:
sipXpbx:
sipXpbx: Check TLS/SSL configuration
sipXpbx: Invalid as client certificate.
sipXpbx: /etc/sipxpbx/ssl/ssl.crt: /C=US/ST=Tennessee/L=Nashville/O=DSI/OU=VoIP Services/CN=pbx.in223.sipx.voip/[email protected]
sipXpbx: error 26 at 0 depth lookup:unsupported certificate purpose
sipXpbx: OK
sipXpbx: SSL certificates: /etc/sipxpbx/ssl/ssl.crt
sipXpbx: Check failed for /etc/sipxpbx/ssl/ssl.crt

> Copy the certs back to the sslkeys directory. Copy the crt and key files
> to //etc/sipxpbx/ssl. Rename them to ssl.crt and ssl.key. Copy them one
> more time and rename to ssl-web.crt and ssl-web.key.
> Delete the .keystore files. They no longer need to be generated by hand
> as SipX does it on startup if they are missing.
>
> Copy any CA and intermediate files to //etc/sipxpbx/ssl/authorities.
> /usr/bin/ssl-cert/ca_rehash
>
> Type "service sipxecs stop"
> Type "service sipxecs start"
>
> That got me a working server.
>
> That was mostly due to the information you provided previously (thank
> you) so I'm glad to give back. If you ever figure out how to upload via
> the gui, let me know. I tried with the key and cert that I manually
> generated and signed and it did not work even with the proper CA certs
> already uploaded...
>
> Geoff Van Brunt
> IT Manager
> DST Consulting Engineers
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
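
Added example, not part of the original thread and not sipXecs code: the "error 26 ... unsupported certificate purpose" result above can be reproduced offline by verifying a Server Authentication-only certificate for the sslclient purpose, next to one that also carries Client Authentication. The CA, the names webonly and both, and pbx.example.test are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and two leaf certs, checked with
# `openssl verify -purpose` to show how the EKU decides client validity.
# All names here (Demo Test CA, webonly, both, pbx.example.test) are made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca: self-signed test CA (stands in for the AD CA in the thread)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME EKU: sign a leaf cert carrying only the given extendedKeyUsage
issue_cert() {
    printf 'extendedKeyUsage=%s\n' "$2" > "$WORK/$1.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pbx.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# check_purpose NAME PURPOSE: succeeds only if openssl prints "<file>: OK"
# for PURPOSE (sslclient or sslserver); matching the full line avoids
# relying on the exit status alone.
check_purpose() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" 2>&1 |
        grep -q ': OK$'
}

# show_eku NAME: print the certificate's Extended Key Usage values
show_eku() {
    openssl x509 -in "$WORK/$1.crt" -noout -text |
        grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

make_ca
issue_cert webonly serverAuth              # Server Authentication only
issue_cert both serverAuth,clientAuth      # server and client authentication
for c in webonly both; do
    for p in sslserver sslclient; do
        if check_purpose "$c" "$p"; then r=OK; else r=FAILED; fi
        echo "$c [$(show_eku "$c")] as $p: $r"
    done
done
```

The only FAILED line is webonly checked as sslclient, the same purpose mismatch the startup check reports for ssl.crt.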
