certificates. The first invocation of ast_tls_cert will generate the CA cert and the server
cert for serverA. The second invocation of ast_tls_cert will generate the server cert for
serverB:
$ cd contrib/scripts
$ mkdir certs
$ ./ast_tls_cert -d certs -C serverA -o serverA
$ ./ast_tls_cert -d certs -C serverB -o serverB -c certs/ca.crt -k certs/ca.key
$ ls certs
ca.cfg ca.crt ca.key serverA.crt serverA.csr serverA.key serverA.pem
serverB.crt serverB.csr serverB.key serverB.pem tmp.cfg
Now that the certificates have been created, they need to be moved to the appropriate
locations on serverA and serverB. We will use the /var/lib/asterisk/keys/ directory to
hold the certificates. Move the following files to serverA:
• ca.crt
• serverA.pem
And move these files to serverB:
• ca.crt
• serverB.pem
With the certificates in place, we can complete the Asterisk configuration. We need to
point Asterisk to the server certificate that we just created. Since we’re using self-signed
certificates, we also need to point to the CA certificate. In the [general] section of
/etc/asterisk/sip.conf on serverA, add these options:
[general]
tlscertfile = /var/lib/asterisk/keys/serverA.pem
tlscafile = /var/lib/asterisk/keys/ca.crt
Make the same changes to sip.conf on serverB:
[general]
tlscertfile = /var/lib/asterisk/keys/serverB.pem
tlscafile = /var/lib/asterisk/keys/ca.crt
When you create the server certificates, the Common Name field must
match the hostname of the server. If you use the ast_tls_cert script, this
is the value given to the -C option. If there is a problem verifying the
server certificate when you make a call, you may need to fix the Common
Name field. Alternatively, for the sake of testing you can set the
tlsdontverifyserver option to yes in the [general] section of
/etc/asterisk/sip.conf, and Asterisk will allow the call to proceed even if
it fails verification of the server certificate.
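A defender-side check for the sip.conf settings described above, added here as an example (it is not the book's or Asterisk's own script): it reads the [general] section and flags a missing tlscertfile or tlscafile, and a tlsdontverifyserver=yes left over from testing. The two configuration files it builds are constructed for the demonstration; the audit function itself takes any sip.conf path.

```shell
#!/bin/sh
# Added example, not from the book: audit the [general] section of a sip.conf for the
# TLS options discussed above (tlscertfile, tlscafile, tlsdontverifyserver).

# Print the value of option $2 in the [general] section of file $1 (last one wins).
general_opt() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_general = ($0 ~ /^[[:space:]]*\[general\]/); next }
        in_general && /^[[:space:]]*;/ { next }            # skip comment lines
        in_general {
            split($0, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            if (kv[1] == key) {
                val = substr($0, index($0, "=") + 1)
                sub(/;.*/, "", val)                          # drop trailing comment
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                found = val
            }
        }
        END { print found }' "$1"
}

# Exit 0 when the file is production-safe, 1 otherwise; one finding per line on stdout.
audit_sip_tls() {
    rc=0
    [ -n "$(general_opt "$1" tlscertfile)" ] || { echo "missing tlscertfile"; rc=1; }
    [ -n "$(general_opt "$1" tlscafile)" ]   || { echo "missing tlscafile"; rc=1; }
    case "$(general_opt "$1" tlsdontverifyserver)" in
        yes|true|on|1) echo "tlsdontverifyserver enabled: server certificate is not verified"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs: one left in the testing state, one as the text specifies.
TMPD=$(mktemp -d)
cat > "$TMPD/weak.conf" <<'EOF'
[general]
tlscertfile = /var/lib/asterisk/keys/serverA.pem
tlsdontverifyserver = yes   ; left over from testing
[serverB]
type=peer
EOF
cat > "$TMPD/good.conf" <<'EOF'
[general]
tlscertfile = /var/lib/asterisk/keys/serverA.pem
tlscafile = /var/lib/asterisk/keys/ca.crt
EOF
for f in "$TMPD/weak.conf" "$TMPD/good.conf"; do
    echo "== $f"
    audit_sip_tls "$f" && echo "no findings"
done
```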
In “Connecting two Asterisk systems together with SIP” on page 147, we created the
configuration necessary to pass calls between serverA and serverB. We are now going
VoIP | 151