[Freeswitch-users] Question about Exporting the cacaert.pem for client devices

Mitch Capper mitch.capper at gmail.com
Mon Sep 10 09:10:16 MSD 2012


Yes, the contents of that file. You do not need to convert it to a .crt;
it is good to go.

~Mitch

On Sat, Sep 8, 2012 at 9:01 AM, Andrew Carrega <acarrega at vartel.com> wrote:
> Hi Mitch,
> Thanks for your help. You say below copy this ca.cert.pem file. "That's where I am stuck." Are you suggesting I can copy and paste the contents from this file, or "copy the file" off of the freeswitch server? If you are saying copy the ca.cert.pem file off the server, that is where I am stuck. I can't get to that directory /usr/local/freeswitch/conf/ssl/ to copy the file.  I can view the contents of the ca.cert.pem file with the
>
> openssl x509 -noout -inform pem -text -in /usr/local/freeswitch/conf/ssl/CA/ca.cert.pem command, but that is all I am able to do at the moment.
>
> ________________________________________
> From: Mitch Capper [mitch.capper at gmail.com]
> Sent: Friday, September 07, 2012 10:08 PM
> To: FreeSWITCH Users Help
> Subject: Re: [Freeswitch-users] Question about Exporting the cacaert.pem for    client devices
>
> Sure, so the cafile.pem should only contain a "BEGIN CERTIFICATE" and
> "END CERTIFICATE" block, no PRIVATE KEY.   You can copy this file, and
> most clients will expect a .crt file; you can just rename it from
> cafile.pem to ca.crt.   As for loading it into a specific client, that
> will depend on the SIP client.  If it's a softphone it may trust any CA
> installed in the Windows certificate store, in which case you can
> double click and open the .crt file in Windows and just import it.
> Otherwise search for the phone and "server certificate" or "ca
> certificate" and import, and it should have details.
>
>
> ~Mitch
>
> On Fri, Sep 7, 2012 at 12:26 PM, Andrew Carrega <acarrega at vartel.com> wrote:
>> I followed the Freeswitch wiki for enabling tls & srtp on Freeswitch. I have
>> it enabled on my internal and external profiles and both profiles are
>> starting up just fine.
>>
>> I can review my certificate details with the command:
>>
>> openssl x509 -noout -inform pem -text -in
>> /usr/local/freeswitch/conf/ssl/agent.pem
>>
>>
>>
>> I am not at this section of the wiki where it says the clients should have
>> at least the CA root certificate.
>>
>> Clients should all have at least the CA root certificate installed onto them
>> in order to ensure security. Without enabling chain verification (that the
>> server certificate was issued by the approved CA) a MITM attack is possible
>> against a client. The CA certificate is the conf/ssl/cafile.pem it contains
>> only a certificate and clients use it to ensure the server certificate is
>> issued by the CA.
>>
>>
>>
>> Where I am stuck is understanding how to export or download the cacert.pem
>> from the server. I don't seem to understand the process or tools to use, and
>> I can't seem to access the /usr/local/freeswitch/conf/ssl directory or the
>> /usr/local/freeswitch/conf/ssl/CA from root.
>>
>>
>>
>> Any help is appreciated.
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
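
The check described in the thread above (the CA file holds only a "BEGIN CERTIFICATE"/"END CERTIFICATE" block and no PRIVATE KEY, then gets copied out as ca.crt), as an added example that is not part of the original messages or of FreeSWITCH. The function name export_ca_cert and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: vet a CA PEM file before distributing it to SIP clients.
# Usage: export_ca_cert SRC DEST
#        e.g. export_ca_cert conf/ssl/cafile.pem ca.crt
# Return codes (chosen for this example):
#   0  DEST written, containing only the CERTIFICATE block(s) from SRC
#   2  SRC is missing or unreadable, or DEST could not be written
#   3  SRC contains private key material; nothing is written
#   4  SRC has no complete BEGIN/END CERTIFICATE block
export_ca_cert() {
    src=$1
    dest=$2
    [ -r "$src" ] || return 2

    # Catches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY and
    # ENCRYPTED PRIVATE KEY headers. A file with any of these must
    # never be handed to a client device.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$src"; then
        return 3
    fi

    # grep -c exits non-zero on a count of 0, hence the "|| true".
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$src" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$src" || true)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        return 4
    fi

    # Copy only the certificate block(s), dropping any text around them.
    awk '/-----BEGIN CERTIFICATE-----/ {keep = 1}
         keep {print}
         /-----END CERTIFICATE-----/ {keep = 0}' "$src" > "$dest" || return 2
    chmod 644 "$dest"   # a CA certificate is public; world-readable is fine
    return 0
}
```

The resulting ca.crt can be inspected with the same openssl x509 -noout -text command quoted in the thread before it is imported into a client.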
