On Thu, May 19, 2011 at 5:41 PM, Matthew Kitchin (public/usenet) < [email protected]> wrote:
> Below is what I have to do to use Internal Microsoft Active Directory
> Certificate authority SSL certs. Once I do this, they work perfectly. I
> would love to be able to do these normally through the GUI. I'm honestly not
> sure what all causes it to fail. I don't get very far in the process. I
> think I got the root CA uploaded one time after changing extensions,
> converting, massaging it, begging it, and more things than I can remember. I
> assume at some point in my attempts to use the GUI it is failing because it
> does not pass the verification. I'm not sure if I run into the wrong
> certificate type issue as well. I will be more than happy to test.
> I realize that may not be the complete answer you are looking for, but it
> is feedback at least.
>
> mkdir $HOME/sslkeys
> cd $HOME/sslkeys
> /usr/bin/ssl-cert/gen-ssl-keys.sh --csr
>
> Country Name (2 letter code) [] : US
> State or Province Name (full name) [] : Tennessee
> Locality Name (eg, city) [] : Nashville
> Organization Name (eg, company) [] : DSI
> Organization Unit Name (eg, section) [VoIP Services] :
>
> Submit csr to AD certificate authority here: http://nshpwis7/certsrv/
> cat pbx.tx207.sipx.voip.csr
> Submit, and download as DER
>
> openssl x509 -in pbx.tx207.sipx.voip.cer -inform DER -out pbx.tx207.sipx.voip.crt -outform PEM
>

Thanks. Up to this point it looks good.
Once you have the PEM format certificate generated: pbx.tx207.sipx.voip.crt,
can you please run openssl --verify to check the validity of your
certificate, and then upload it using the UI?
Once uploaded using the UI, the below steps are not necessary.
sipXconfig will regenerate hash, copy certificate into keystore for you.
Let me know if it will work for you.

> mkdir /etc/sipxpbx/ssl/old
> cp -r /etc/sipxpbx/ssl/* /etc/sipxpbx/ssl/old/
>
> cp pbx.tx207.sipx.voip.crt /etc/sipxpbx/ssl/ssl-web.crt
> cp pbx.tx207.sipx.voip.key /etc/sipxpbx/ssl/ssl-web.key
> cp pbx.tx207.sipx.voip.crt /etc/sipxpbx/ssl/ssl.crt
> cp pbx.tx207.sipx.voip.key /etc/sipxpbx/ssl/ssl.key
>
> rm /etc/sipxpbx/ssl/ssl.keystore
> rm /etc/sipxpbx/ssl/ssl-web.keystore
>
> cp nshpwis7.dsi-corp.netCA.crt /etc/sipxpbx/ssl/authorities
> /usr/bin/ssl-cert/ca_rehash
>

The most important thing is to document clear steps that every user can
follow to create their own certificate and upload it through the UI.

Thanks,
Mircea

> On 5/19/2011 9:27 AM, Mircea Carasel wrote:
>
> Hi,
>
> With regard to XX-8779 the thing is that sipXconfig certificate authority
> page for uploading certificates rejects non trusted certificates
> (certificates signed by a trusted authority)
> Therefore, self signed certificates do not pass validation and cannot be
> uploaded
>
> The script that we are using to verify certificates, verifies also if the
> certificate is signed by a trusted authority (openssl -verify)
>
> There were many discussions and most people are complaining that their self
> signed certificates cannot be uploaded via sipXconfig UI
>
> So my question is: will it be desirable to remove that additional
> verification (openssl -verify)?
>
> Feedback appreciated
>
> Mircea
>
_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
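
The trust check discussed in this thread, as an added example that is not part of the original messages or of the sipXecs scripts: it builds a constructed internal CA, issues a certificate as DER, converts it to PEM with the same `openssl x509` conversion quoted above, and shows which certificates `openssl verify` accepts depending on what the trust file contains. All file names and subjects are constructed, and OpenSSL 1.1.0 or later is assumed for the exit status of `openssl verify`.

```shell
#!/bin/sh
# Added illustration; every name, subject and path here is constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA standing in for the internal AD certificate authority.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key + CSR, signed by the CA, delivered as DER, then converted DER -> PEM.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pbx.example.test" \
        -keyout "$WORK/pbx.key" -out "$WORK/pbx.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/pbx.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -outform DER -out "$WORK/pbx.cer" 2>/dev/null &&
    openssl x509 -in "$WORK/pbx.cer" -inform DER \
        -out "$WORK/pbx.crt" -outform PEM
}

# Self-signed server certificate: it has no issuing CA other than itself.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=selfsigned.example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# chains_to <trust.pem> <cert.pem>: succeeds only if cert chains to trust.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {
    if chains_to "$WORK/$1" "$WORK/$2"; then r=accepted; else r=rejected; fi
    echo "$r: $2 checked against trust file $1"
}

make_ca && issue_cert && make_self_signed || exit 1
report ca.crt   pbx.crt    # CA-issued, issuing CA is trusted
report self.crt pbx.crt    # CA-issued, issuing CA missing from trust file
report ca.crt   self.crt   # self-signed, not in trust file
report self.crt self.crt   # self-signed, explicitly added as an authority
```

A certificate passes only when the trust file holds the root of its chain, so a CA-issued certificate is rejected until that CA is among the trusted authorities, and a self-signed one is rejected unless the certificate itself is.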
