[Freeswitch-users] So you wanna setup your own CA for WSS/SSL/TLS?

Nandy Dagondon nandy1925 at gmail.com
Wed Jul 1 07:52:11 MSD 2015


Hi Brian,

I used your script to generate the certificates to test mod_verto in an
intranet setup. Questions on your script:

1) Is 4096 bits required? Or 2048 bits will work, too?
2) Examining certs/wss.pem, there should be a <chain> certificate at the
end. But the script inputs only 2 - *.crt and *.key. What should be the
3rd?

Tks,
/Nandy


On Sat, Jul 26, 2014 at 2:59 AM, Brian West <brian at freeswitch.org> wrote:

> I've corrected the how-to and put it in tree:
>
>
> https://stash.freeswitch.org/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt?raw
>
> Importing the ca.crt into your system keychain for it to be trusted is
> left to the end user to figure out.  If you can't do that step then you'll
> kinda be SOL, I know on my Mac I just open ca.crt and it does the import
> for me... Windows I suspect is similar as for Linux NO CLUE.
>
>
> On Fri, Jul 25, 2014 at 1:53 PM, William King <
> william.king at quentustech.com> wrote:
>
>> One correction inline, and did you have any luck getting chrome to work
>> with the custom CA?
>>
>> William King
>> Senior Engineer
>> Quentus Technologies, INC
>> 1037 NE 65th St Suite 273
>> Seattle, WA 98115
>> Main:   (877) 211-9337
>> Office: (206) 388-4772
>> Cell:   (253) 686-5518
>> william.king at quentustech.com
>>
>> On 07/25/2014 08:12 AM, Brian West wrote:
>> > Someone should probably turn this into a nice how-to:
>> >
>> > Here is how I did it.
>> >
>> > wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
>> > tar zxfv ssl.ca-0.1.tar.gz
>> > cd ssl.ca-0.1/
>> > perl -i -pe 's/md5/sha1/g' *.sh
>> > perl -i -pe 's/2048/2048/g' *.sh
>> This is a noop. I assume it was supposed to be /2048/4096/ or /1024/2048/
>> > ./new-root-ca.sh
>> > ./new-server-cert.sh self.bkw.org
>> > ./sign-server-cert.sh self.bkw.org
>> > cat self.bkw.org.crt self.bkw.org.key > /usr/local/freeswitch/certs/wss.pem
>> >
>> > Setup Apache:
>> >
>> > default-ssl:
>> >
>> > SSLCertificateFile    /usr/local/freeswitch/certs/wss.pem
>> > SSLCertificateKeyFile /usr/local/freeswitch/certs/wss.pem
>> > SSLCertificateChainFile /usr/local/freeswitch/certs/wss.pem
>> >
>> > Setup Sofia TLS:
>> >
>> > cat self.bkw.org.crt self.bkw.org.key >
>> > /usr/local/freeswitch/certs/agent.pem
>> > cat ca.crt > /usr/local/freeswitch/certs/cafile.pem
>> >
>> > vars.xml:
>> >
>> > <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
>> > <X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
>> >
>> > Restart FreeSWITCH.
>> >
>> > Now make sure your system has ca.crt imported so it will trust your new
>> > found hotness.
>> >
>> > TEST:
>> >
>> > openssl s_client -connect self.bkw.org:443
>> > openssl s_client -connect self.bkw.org:8082
>> >
>> >
>> > Depending on what you've setup you'll see:
>> >
>> > subject=/C=US/ST=Oklahoma/L=McAlester/O=Tonka Truck/OU=Secure Web
>> > Server/CN=self.bkw.org/emailAddress=brian at bkw.org
>> >
>> > issuer=/C=US/ST=Oklahoma/L=McAlester/O=Whizzzzzzy Bang
>> > Bang/OU=Certification Services Division/CN=WBB Root
>> > CA/emailAddress=brian at bkw.org
>> >
>> > Or there abouts.
>> >
>> > --
>> >
>> > *Brian West*
>> > brian at freeswitch.org
>> >
>> >
>> > */Twitter: @FreeSWITCH , @briankwest/*
>> > http://www.freeswitchbook.com
>> > http://www.freeswitchcookbook.com
>> >
>> > *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>> > *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>> >
>> >
>> >
>> >
>> _________________________________________________________________________
>> > Professional FreeSWITCH Consulting Services:
>> > consulting at freeswitch.org
>> > http://www.freeswitchsolutions.com
>> >
>> > FreeSWITCH-powered IP PBX: The CudaTel Communication Server
>> > http://www.cudatel.com
>> >
>> > Official FreeSWITCH Sites
>> > http://www.freeswitch.org
>> > http://wiki.freeswitch.org
>> > http://www.cluecon.com
>> >
>> > FreeSWITCH-users mailing list
>> > FreeSWITCH-users at lists.freeswitch.org
>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > UNSUBSCRIBE:
>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>> > http://www.freeswitch.org
>> >
>>
>
>
> --
>
> *Brian West*
> brian at freeswitch.org
>
>
> *Twitter: @FreeSWITCH , @briankwest*
> http://www.freeswitchbook.com
> http://www.freeswitchcookbook.com
>
> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>
>
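Added example (plain openssl, not Brian's ssl.ca-0.1 script and not from the FreeSWITCH tree): it builds a root CA and a CA-signed server certificate, assembles wss.pem in the order cert, key, chain, and checks that the result actually validates. The chain part is the issuing CA certificate(s); with a root CA signing the server cert directly, as in the how-to above, that is just ca.crt. Working directory, hostname and key size are assumed inputs; openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not Brian's ssl.ca-0.1 script: root CA + CA-signed server
# cert with plain openssl, assembled into wss.pem as cert, key, chain.
# Assumed: workdir, hostname and key size are passed in; 'openssl' is on PATH.
set -eu

# make_wss_pem <workdir> <hostname> [bits]   (bits defaults to 2048)
make_wss_pem() {
    dir=$1; host=$2; bits=${3:-2048}
    mkdir -p "$dir"
    # Root CA: fresh key + CSR, self-signed with CA:TRUE so clients can import it.
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        >"$dir/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # Server cert: CSR for the host, signed by the CA; CA:FALSE plus a SAN,
    # because browsers match the WSS hostname on subjectAltName, not just CN.
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    printf 'basicConstraints=CA:false\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" >"$dir/$host.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" 2>/dev/null
    # wss.pem = server cert, its private key, then the chain. With a root CA
    # signing directly, the chain is just ca.crt; intermediates would go here too.
    cat "$dir/$host.crt" "$dir/$host.key" "$dir/ca.crt" >"$dir/wss.pem"
}

# verify_wss_pem <workdir> <hostname>
# 0 if the leaf in wss.pem chains to ca.crt for that hostname and the key
# matches the certificate (a cert/key mismatch breaks the TLS handshake).
verify_wss_pem() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
        "$dir/$host.crt" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/wss.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/$host.key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage (mirrors the how-to above): make_wss_pem certs self.bkw.org 4096
# then copy certs/wss.pem to /usr/local/freeswitch/certs/ and run
# openssl s_client -connect self.bkw.org:8082 -CAfile certs/ca.crt
```

Passing -CAfile certs/ca.crt to s_client is the command-line equivalent of importing ca.crt into the system keychain: without it the handshake still completes but s_client reports the issuer as untrusted.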