Below is what I have to do to use Internal Microsoft Active Directory
Certificate authority SSL certs. Once I do this, they work perfectly. I
would love to be able to do these normally through the GUI. I'm honestly
not sure what all causes it to fail. I don't get very far in the
process. I think I got the root CA uploaded one time after changing
extensions, converting, massaging it, begging it, and more things than I
can remember. I assume at some point in my attempts to use the GUI it is
failing because it does not pass the verification. I'm not sure if I run
into the wrong certificate type issue as well. I will be more than happy
to test.
I realize that may not be the complete answer you are looking for, but
it is feedback at least.
mkdir $HOME/sslkeys
cd $HOME/sslkeys
/usr/bin/ssl-cert/gen-ssl-keys.sh --csr
Country Name (2 letter code) [] : US
State or Province Name (full name) [] : Tennessee
Locality Name (eg, city) [] : Nashville
Organization Name (eg, company) [] : DSI
Organization Unit Name (eg, section) [VoIP Services] :
Submit csr to AD certificate authority here: http://nshpwis7/certsrv/
cat pbx.tx207.sipx.voip.csr
Submit, and download as DER
openssl x509 -in pbx.tx207.sipx.voip.cer -inform DER -out pbx.tx207.sipx.voip.crt -outform PEM
mkdir /etc/sipxpbx/ssl/old
cp -r /etc/sipxpbx/ssl/* /etc/sipxpbx/ssl/old/
cp pbx.tx207.sipx.voip.crt /etc/sipxpbx/ssl/ssl-web.crt
cp pbx.tx207.sipx.voip.key /etc/sipxpbx/ssl/ssl-web.key
cp pbx.tx207.sipx.voip.crt /etc/sipxpbx/ssl/ssl.crt
cp pbx.tx207.sipx.voip.key /etc/sipxpbx/ssl/ssl.key
rm /etc/sipxpbx/ssl/ssl.keystore
rm /etc/sipxpbx/ssl/ssl-web.keystore
cp nshpwis7.dsi-corp.netCA.crt /etc/sipxpbx/ssl/authorities
/usr/bin/ssl-cert/ca_rehash
On 5/19/2011 9:27 AM, Mircea Carasel wrote:
Hi,
With regard to XX-8779, the thing is that the sipXconfig certificate
authority page for uploading certificates rejects non-trusted
certificates (certificates signed by a trusted authority).
Therefore, self-signed certificates do not pass validation and
cannot be uploaded.
The script that we are using to verify certificates also verifies whether
the certificate is signed by a trusted authority (openssl -verify).
There were many discussions, and most people are complaining that their
self-signed certificates cannot be uploaded via the sipXconfig UI.
So my question is: will it be desirable to remove that additional
verification (openssl -verify)?
Feedback appreciated.
Mircea
_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
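The checks discussed in this thread (key/certificate match, self-signed or not, chains to the internal CA) can be run by hand before copying files into /etc/sipxpbx/ssl. This is an added example, not part of the original messages or of the sipXecs scripts; the function names and return codes are assumptions, and all three input files are assumed to be PEM.

```sh
#!/bin/sh
# Added example: checks to run on a CA-issued certificate before copying it
# into place. Function names and return codes are assumptions of this example.

# Print a SHA-256 digest of the public key in a PEM cert or PEM private key.
pubkey_digest() {  # $1 = cert|key, $2 = file
    case "$1" in
        cert) pk=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pk=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 1 ;;
    esac || return 1
    [ -n "$pk" ] || return 1
    printf '%s\n' "$pk" | openssl dgst -sha256
}

# True when subject and issuer names are identical (self-issued, which is
# how a self-signed certificate presents itself).
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# check_cert CERT KEY CAFILE (all PEM)
# Returns 0 = ok, 1 = key does not match cert (or unreadable input),
#         2 = self-issued, 3 = does not verify against CAFILE.
check_cert() {
    cpk=$(pubkey_digest cert "$1") || return 1
    kpk=$(pubkey_digest key "$2") || return 1
    [ "$cpk" = "$kpk" ] || return 1
    is_self_issued "$1" && return 2
    # Match on ": OK" because some older OpenSSL releases exit 0 on failure.
    openssl verify -CAfile "$3" "$1" 2>/dev/null | grep -q ': OK$' || return 3
    return 0
}
```

With the file names from the steps above, the call would be: check_cert pbx.tx207.sipx.voip.crt pbx.tx207.sipx.voip.key nshpwis7.dsi-corp.netCA.crt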