[Freeswitch-users] Question about Exporting the cacaert.pem for client devices

Andrew Carrega acarrega at vartel.com
Sat Sep 8 20:01:53 MSD 2012


Hi Mitch,
Thanks for your help. You say below to copy this ca.cert.pem file; "that's where I am stuck". Are you suggesting I can copy and paste the contents from this file, or "copy the file" off of the freeswitch server? If you are saying copy the ca.cert.pem file off the server, that is where I am stuck. I can't get to that directory /usr/local/freeswitch/conf/ssl/ to copy the file. I can view the contents of the ca.cert.pem file with the

openssl x509 -noout -inform pem -text -in /usr/local/freeswitch/conf/ssl/CA/ca.cert.pem

command, but that is all I am able to do at the moment.

________________________________________
From: Mitch Capper [mitch.capper at gmail.com]
Sent: Friday, September 07, 2012 10:08 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] Question about Exporting the cacaert.pem for    client devices

Sure, so the cafile.pem should only contain a "BEGIN CERTIFICATE" and
"END CERTIFICATE" block, no PRIVATE KEY.  You can copy this file, and
most clients will expect a .crt file; you can just rename it from
cafile.pem to ca.crt.  As for loading it into a specific client, that
will depend on the SIP client.  If it's a softphone it may trust any CA
installed in the Windows certificate store, in which case you can
double-click and open the .crt file in Windows and just import it.
Otherwise search for the phone and "server certificate" or "ca
certificate" and import, and it should have details.


~Mitch

On Fri, Sep 7, 2012 at 12:26 PM, Andrew Carrega <acarrega at vartel.com> wrote:
> I followed the Freeswitch wiki for enabling tls & srtp on Freeswitch. I have
> it enabled on my internal and external profiles and both profiles are
> starting up just fine.
>
> I can review my certificate details with the command:
>
> openssl x509 -noout -inform pem -text -in
> /usr/local/freeswitch/conf/ssl/agent.pem
>
>
>
> I am not at this section of the wiki where it says the clients should have
> at least the CA root certificate.
>
> Clients should all have at least the CA root certificate installed onto them
> in order to ensure security. Without enabling chain verification (that the
> server certificate was issued by the approved CA) a MITM attack is possible
> against a client. The CA certificate is the conf/ssl/cafile.pem it contains
> only a certificate and clients use it to ensure the server certificate is
> issued by the CA.
>
>
>
> Where I am stuck is understanding how to export or download the cacert.pem
> from the server. I don’t seem to understand the process or tools to use, and
> I can’t seem to access the /usr/local/freeswitch/conf/ssl directory or the
> /usr/local/freeswitch/conf/ssl/CA from root.
>
>
>
> Any help is appreciated.
>
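Added example, not part of the original thread: a shell check for the point made above that the CA file handed to clients must hold only a CERTIFICATE block and no PRIVATE KEY, before it is copied out as ca.crt. It inspects PEM markers only; the function names and the sample PEM bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample PEM bodies are constructed placeholders.

# Return 0 only if the file has complete CERTIFICATE block(s) and no key block.
pem_is_cert_only() {
    src=$1
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$src"; then
        echo "$src contains a private key; do not distribute it" >&2
        return 1
    fi
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$src" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$src" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ] || {
        echo "$src has no complete CERTIFICATE block" >&2; return 1; }
}

# Write only the certificate block(s) to the client-facing file (e.g. ca.crt).
export_ca_cert() {
    src=$1 dst=$2
    pem_is_cert_only "$src" || return $?
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$src" > "$dst"
    chmod 644 "$dst"
}

# Constructed sample files: a CA-only PEM, and a PEM that also carries a key.
make_samples() {
    dir=$1
    cat > "$dir/cafile.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0EgQ0VSVCBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
    cat > "$dir/cert_and_key.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0VSVkVSIENFUlQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZIFBMQUNFSE9MREVS
-----END RSA PRIVATE KEY-----
EOF
}

# Usage on the server, with the path from the thread:
#   export_ca_cert /usr/local/freeswitch/conf/ssl/cafile.pem ./ca.crt
```

The resulting ca.crt can then be inspected with the same `openssl x509 -noout -text -in` command used in the thread before it is imported on a client.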


