[Freeswitch-users] Question about Exporting the cacaert.pem for client devices

Andrew Carrega acarrega at vartel.com
Mon Sep 10 17:56:33 MSD 2012


Mitch - Is this the command to get the contents for that cafile.pem?

openssl x509 -noout -inform pem -text -in /usr/local/freeswitch/conf/ssl/cafile.pem 

P.S. I ran this command, copied the output using Notepad and named it cafile.crt (even tried cafile.pem). Tried double-clicking it in File Explorer to install it but I get an error (Invalid Public Key Security Object File): "This file is invalid for use as the following: Security Certificate."

Any thoughts?

-----Original Message-----
From: Mitch Capper [mailto:mitch.capper at gmail.com] 
Sent: Monday, September 10, 2012 1:10 AM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] Question about Exporting the cacaert.pem for client devices

Yes, the contents of that file. You do not need to convert it to a .crt; it is good to go.

~Mitch

On Sat, Sep 8, 2012 at 9:01 AM, Andrew Carrega <acarrega at vartel.com> wrote:
> Hi Mitch,
> thanks for your help. You say below copy this ca.cert.pem file. 
> "that's where I am stuck" are you suggesting I can copy and paste the 
> contents from this file or "copy the file" off of the freeswitch 
> server. If you are saying copy the ca.cert.pem file off the server 
> that is where I am stuck. I can't get to that directory 
> /usr/local/freeswitch/conf/ssl/ to copy the file.  I can view the 
> contents of the ca.cert.pem file with the
>
> openssl x509 -noout -inform pem -text -in /usr/local/freeswitch/conf/ssl/CA/ca.cert.pem command but that is all I am able to do at the moment.
>
> ________________________________________
> From: Mitch Capper [mitch.capper at gmail.com]
> Sent: Friday, September 07, 2012 10:08 PM
> To: FreeSWITCH Users Help
> Subject: Re: [Freeswitch-users] Question about Exporting the cacaert.pem for client devices
>
> Sure, so the cafile.pem should only contain a "BEGIN CERTIFICATE" and
> "END CERTIFICATE" block, no PRIVATE KEY.  You can copy this file and
> most clients will expect a .crt file; you can just rename it from
> cafile.pem to ca.crt.  As for loading it into a specific client, that
> will depend on the SIP client.  If it's a softphone it may trust any CA
> installed in the Windows certificate store, in which case you can
> double click and open the .crt file in Windows and just import it.
> Otherwise search for the phone and "server certificate" or "ca
> certificate" and import and it should have details.
>
>
> ~Mitch
>
> On Fri, Sep 7, 2012 at 12:26 PM, Andrew Carrega <acarrega at vartel.com> wrote:
>> I followed the Freeswitch wiki for enabling tls & srtp on Freeswitch. 
>> I have it enabled on my internal and external profiles and both 
>> profiles are starting up just fine.
>>
>> I can review my certificate details with the command:
>>
>> openssl x509 -noout -inform pem -text -in /usr/local/freeswitch/conf/ssl/agent.pem
>>
>> I am not at this section of the wiki where it says the clients should 
>> have at least the CA root certificate.
>>
>> Clients should all have at least the CA root certificate installed 
>> onto them in order to ensure security. Without enabling chain 
>> verification (that the server certificate was issued by the approved 
>> CA) a MITM attack is possible against a client. The CA certificate is 
>> the conf/ssl/cafile.pem it contains only a certificate and clients 
>> use it to ensure the server certificate is issued by the CA.
>>
>>
>>
>> Where I am stuck is understanding how to export or download the
>> cacert.pem from the server? I don't seem to understand the process or
>> tools to use and I can't seem to access the
>> /usr/local/freeswitch/conf/ssl directory or the /usr/local/freeswitch/conf/ssl/CA from root.
>>
>>
>>
>> Any help is appreciated.
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
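
Added example, not part of the original thread and not FreeSWITCH code: a check to run on a file before handing it to client devices, confirming it holds only CERTIFICATE blocks, carries no private key, and is not the decoded dump that `openssl x509 -noout -text` prints (`-noout` suppresses the PEM block, so that output cannot be imported). The function names and the sample inputs are constructed for illustration; the fingerprint is SHA-256 over the DER bytes, which can be compared on the client after transfer.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def inspect_ca_file(text):
    """Return (verdict, [sha256 fingerprints]) for a file meant for clients."""
    # A CA file handed to clients must never carry key material.
    if "PRIVATE KEY-----" in text:
        return "private-key-present", []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        # `openssl x509 -noout -text` prints a decoded dump starting with
        # "Certificate:" and omits the PEM block, so nothing is importable.
        if re.search(r"^Certificate:\s*$", text, re.MULTILINE):
            return "text-dump-not-pem", []
        return "no-certificate", []
    fingerprints = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            return "unexpected-block", []
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            return "corrupt-base64", []
        if not der.startswith(b"\x30"):  # DER certificates begin with SEQUENCE
            return "not-der", []
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return "ok", fingerprints

def make_pem(label, payload):
    """Wrap raw bytes in PEM armor (used only to build the samples below)."""
    body = base64.encodebytes(payload).decode("ascii").strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample inputs: placeholder bytes, not a real certificate or key.
FAKE_DER = b"\x30\x82\x00\x40" + bytes(64)
GOOD = make_pem("CERTIFICATE", FAKE_DER)
BUNDLE = GOOD + make_pem("RSA PRIVATE KEY", b"\x30" + bytes(32))
TEXT_DUMP = "Certificate:\n    Data:\n        Version: 3 (0x2)\n"

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BUNDLE", BUNDLE), ("TEXT_DUMP", TEXT_DUMP)]:
        print(name, inspect_ca_file(sample))
```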





