[Freeswitch-users] FreeSWITCH TLS with StartSSL Certificate

Brian West brian at freeswitch.org
Sun Jul 8 23:34:00 MSD 2012


You should post this on Jira so we can document and integrate this properly.
--
Brian West
brian at freeswitch.org
FreeSWITCH Solutions, LLC
PO BOX 2531
Brookfield, WI 53008-2531
Twitter: @FreeSWITCH_Wire
T: +1.918.420.9266  |  F: +1.918.420.9267  |  M: +1.918.424.WEST
iNUM: +883 5100 1420 9266
UK: +44 20 3298 4900




On Jun 4, 2012, at 4:24 AM, sunsus wrote:

> Hello 
> 
> Today I tried to add a free StartSSL Class 1 certificate to a FreeSWITCH
> installation. Here I will share the script on how to generate the
> certificate request: 
> 
> 
> #!/bin/sh
> # Generate a CSR for StartSSL, paste the issued certificate back in, and install
> # cert+key as agent.pem plus the StartSSL chain as cafile.pem for FreeSWITCH.
> 
> CONFDIR=/usr/local/freeswitch/conf/ssl
> DAYS=2190
> KEY_SIZE=2048
> 
> TMPFILE="/tmp/fs-ca-$$-$(date +%Y%m%d%H%M%S)"
> 
> COMMON_NAME="FreeSWITCH VOIP"
> ALT_NAME="DNS:sip.freeswitch.org"
> ORG_NAME="FreeSWITCH"
> OUTFILE="agent.pem"
> 
> # The private key and temp files must not be readable by other users.
> umask 037
> 
> generate_request() {
>     local val=""
> 
>     echo "Generating new request..."
>     echo
>     echo "--------------------------------------------------------"
>     echo "CN: \"${COMMON_NAME}\""
>     echo "ORG_NAME: \"${ORG_NAME}\""
>     echo "ALT_NAME: \"${ALT_NAME}\""
>     echo
>     echo "Certificate filename \"${OUTFILE}\""
>     echo
>     echo "[Is this OK? (y/N)]"
>     read val
>     if [ "${val}" != "y" ] && [ "${val}" != "Y" ]; then
>         echo "Aborted"
>         return 2
>     fi
> 
>     # Fill the OpenSSL request template shipped in conf/ssl/CA with our values.
>     if [ ! -f "${CONFDIR}/CA/config.tpl" ]; then
>         echo "Missing ${CONFDIR}/CA/config.tpl" >&2
>         exit 1
>     fi
>     sed \
>         -e "s|%CN%|$COMMON_NAME|" \
>         -e "s|%ALTNAME%|$ALT_NAME|" \
>         -e "s|%ORG%|$ORG_NAME|" \
>         "${CONFDIR}/CA/config.tpl" \
>         > "${TMPFILE}.cfg" || exit 1
> 
>     echo "Key size: ${KEY_SIZE}"
>     # New RSA key plus CSR; -nodes leaves the key unencrypted so FreeSWITCH can load it.
>     # The hash here only signs the CSR itself; the CA chooses the hash for the issued cert.
>     openssl req -new -out "${TMPFILE}.req" \
>         -newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \
>         -config "${TMPFILE}.cfg" -nodes -sha256 >/dev/null || exit 1
> 
>     echo
>     cat "${TMPFILE}.req"
>     echo
>     echo "go to http://www.startssl.com/ and generate a certificate"
>     echo "paste certificate (input ends after the END CERTIFICATE line):"
>     # The original stopped on a literal "^A"; stopping on the PEM trailer is easier
>     # to type and keeps stray lines out of the certificate file.
>     while read -r LINE; do
>         printf '%s\n' "$LINE" >> "${TMPFILE}.crt"
>         case "$LINE" in
>             *"END CERTIFICATE"*) break ;;
>         esac
>     done
>     echo "other processing continues "
> 
>     # Local CA signing, kept from the original for reference (StartSSL signs instead):
>     # openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
>     #     -in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
>     #     -extensions "${EXTENSIONS}" -days ${DAYS} -sha1 >/dev/null || exit 1
>     cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"
> 
>     # StartSSL intermediate and root, fetched over plain HTTP as in the original:
>     # compare their fingerprints with the ones StartSSL publishes before relying on them.
>     wget -q -O "${TMPFILE}.sub.pem" http://www.startssl.com/certs/sub.class1.server.ca.pem || exit 1
>     wget -q -O "${TMPFILE}.root.pem" http://www.startssl.com/certs/ca.pem || exit 1
>     cat "${TMPFILE}.sub.pem" "${TMPFILE}.root.pem" >> "${CONFDIR}/cafile.pem"
>     rm -f "${TMPFILE}.sub.pem" "${TMPFILE}.root.pem"
>     rm -f "${TMPFILE}.cfg" "${TMPFILE}.crt" "${TMPFILE}.key" "${TMPFILE}.req"
> 
>     echo "DONE"
> }
> 
> remove_startssl() {
>     echo "Removing StartSSL"
> 
>     # agent.pem is a file, so test with -f (the original used -d and never matched).
>     if [ -f "${CONFDIR}/agent.pem" ]; then
>         rm "${CONFDIR}/agent.pem"
>     fi
> 
>     echo "DONE"
> }
> 
> OUTFILESET="0"
> command="${1:-}"
> [ $# -gt 0 ] && shift
> 
> while [ $# -gt 0 ]; do
>     case $1 in
>         -cn)
>             shift
>             COMMON_NAME="$1"
>             ;;
>         -alt)
>             shift
>             ALT_NAME="$1"
>             ;;
>         -org)
>             shift
>             ORG_NAME="$1"
>             ;;
>         -out)
>             shift
>             OUTFILE="$1"
>             OUTFILESET="1"
>             ;;
>         -days)
>             shift
>             DAYS="$1"
>             ;;
>     esac
>     shift
> done
> 
> case ${command} in
>     create_request)
>         EXTENSIONS="request"
>         generate_request
>         ;;
> 
>     remove)
>         echo "Are you sure you want to delete the StartSSL Certificate? [YES to delete]"
>         read val
>         if [ "${val}" = "YES" ]; then
>             remove_startssl
>         else
>             echo "Not deleting CA"
>         fi
>         ;;
> 
>     *)
>         cat <<EOF
> $0 <create_request|remove> [options]
> 
>   * commands:
> 
>     remove - Remove StartSSL
> 
>     create_request - Create a new certificate request for StartSSL
> 
>   * options:
> 
>    -cn       Set common name
>    -alt      Set alternative name (use prefix 'DNS:' or 'URI:')
>    -org      Set organization name
>    -out      Filename for new certificate (create only)
>    -days     Certificate expires in X days (default: ${DAYS})
> 
> EOF
>         exit 1
>         ;;
> esac
> 
> 
> Everything seems to work, except the validation of a SNOM phone. Does
> anyone know how to tell FreeSWITCH to publish the correct CA bundle and
> certificate track? Because the CA certificate of StartSSL is included in
> the SNOM:
> 
> regards
> 
> Patrick 
> 
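As an added illustration (not code from Patrick's post or from FreeSWITCH), the script below builds a throwaway root/intermediate/leaf PKI with openssl and runs the check a phone that trusts only the root effectively performs; the CA names and DNS:sip.example.test are constructed. The posted script appends the StartSSL intermediate to cafile.pem but never to agent.pem, and if the SIP profile presents only what agent.pem holds (an assumption here), the phone sits in the first, failing case.

```shell
#!/bin/sh
# Constructed example, not code from the post: build a throwaway root -> intermediate
# -> leaf PKI and check the leaf the way a phone that trusts only the root would.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:sip.example.test
EOF

# Writes root.pem, int.pem, leaf.pem (and keys) into $WORK; non-zero on any failure.
build_pki() (
    cd "$WORK" || exit 1
    openssl req -x509 -config pki.cnf -subj /CN=ConstructedRoot -newkey rsa:2048 -nodes \
        -keyout root.key -out root.pem -days 1 2>/dev/null || exit 1
    openssl req -new -config pki.cnf -subj /CN=ConstructedIntermediate -newkey rsa:2048 \
        -nodes -keyout int.key -out int.csr 2>/dev/null || exit 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
        -extfile pki.cnf -extensions ca_ext -out int.pem 2>/dev/null || exit 1
    openssl req -new -config pki.cnf -subj /CN=sip.example.test -newkey rsa:2048 \
        -nodes -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 \
        -extfile pki.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null || exit 1
)

# chain_status TRUSTED LEAF [INTERMEDIATES]: prints "ok" when LEAF chains to a cert in
# TRUSTED, treating INTERMEDIATES (if given) as untrusted chain material, else "fail".
chain_status() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
    fi
}
build_pki || { echo "openssl PKI setup failed" >&2; exit 1; }
# Trust store = root only (the StartSSL root the phone ships with, in the post's terms).
echo "intermediate not presented: $(chain_status "$WORK/root.pem" "$WORK/leaf.pem")"
echo "intermediate presented:     $(chain_status "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem")"
```

To see what a running profile actually sends, `openssl s_client -connect <host>:5061 -showcerts </dev/null` lists every certificate presented in the handshake.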
