<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Success! I guess I hadn't reloaded one of the profiles recently, but my spa112 registers now. <div><br></div><div>The setup that works is #2 from the previous email:</div><div><br></div><div>Follow directions at the following link: <a href="https://supportforums.cisco.com/docs/DOC-9852">https://supportforums.cisco.com/docs/DOC-9852</a>. Then...</div><div>cat file.crt file.key &gt; agent.pem<br>cp combinedca.crt cafile.pem</div><div><br></div><div>And in the sip profile you need to use sslv23 not tlsv1. </div><div><div>&lt;param name="tls-version" value="sslv23"/&gt;</div></div><div><br></div><div><div>I updated the interop list on the wiki with that info too.</div><div><br></div><div>Nick </div><div><br><div><div>On Sep 28, 2013, at 6:46 PM, Nick Vines &lt;<a href="mailto:jnvines@gmail.com">jnvines@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Turns out there isn't a way to load any cert onto the spa112, and its logging is not helpful at all. I'm still at a loss as to how to get it to work.<br><br>I got https provisioning working with the devices, so perhaps I can reuse some of those files. I haven't been able to figure out what agent.pem/cafile.pem combination to use though.<br><br>For getting the spa112 to work with https provisioning, I did the following:<br>1. (on server, private key) openssl genrsa -out &lt;file.key&gt; 1024<br>2. (on server, generate cert request) openssl req -new -key &lt;file.key&gt; -out &lt;file.csr&gt;<br>3. sent the `file.csr` to cisco and they sent back a `file.crt` with the signed certificate.<br>4. 
cisco also sent back a combinedca.crt with many certificates in that file.<br><br>In my apache virtual host I put<br>#Server Cert<br>SSLCertificateFile .../file.crt<br><br>#Server Private Key:<br>SSLCertificateKeyFile .../file.key<br><br>#Client authentication Certificate Authority (CA)<br>SSLVerifyClient require<br>SSLCACertificatePath .../path/<br>SSLCACertificateFile .../path/combinedca.crt<br><br><br>I have tried the following, but neither worked. <br><br>1)<br>cat file.crt file.key &gt; agent.pem<br>cp file.crt cafile.pem<br><br>2)<br>cat file.crt file.key &gt; agent.pem<br>cp combinedca.crt cafile.pem<br><br><br>Any suggestions on how I might use those files to make a TLS profile for the cisco devices? <br><br>Thanks,<br>Nick <br><br>On Sep 23, 2013, at 12:40 PM, Brian West &lt;<a href="mailto:brian@freeswitch.org">brian@freeswitch.org</a>&gt; wrote:<br><br><blockquote type="cite">Did you load your CA cert into the SPA? If not then that could be a problem too. Crank up its logging and see what it's getting mad about.<br><br><br>On Sep 23, 2013, at 10:28 AM, Nick Vines &lt;<a href="mailto:jnvines@gmail.com">jnvines@gmail.com</a>&gt; wrote:<br><br><blockquote type="cite">Thanks Brian. <br><br>I couldn't find an earlier version of the gentls in git, but I'm still new to git. I tried modifying gentls to use rsa:1024 instead of ec, but I'm still getting the same error messages in the sofia log when the SPA112 tries to connect. FSClient connects with both rsa:1024 and rsa:2048, but I haven't tried to connect any other devices to the server. 
<br><br>Changes made to gentls_cert:<br>setup_ca():<br> openssl req -out "${CONFDIR}/CA/cacert.pem" -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" -newkey rsa:1024 -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1<br><br>generate_cert():<br> openssl req -new -out "${TMPFILE}.req" -newkey rsa:1024 -keyout "${TMPFILE}.key" -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1<br><br></blockquote><br><br><br>--<br>Brian West<br><a href="mailto:brian@freeswitch.org">brian@freeswitch.org</a><br>FreeSWITCH Solutions, LLC<br>PO BOX PO BOX 2531<br>Brookfield, WI 53008-2531<br>Twitter: @FreeSWITCH_Wire , @briankwest<br>http://www.freeswitchbook.com<br>http://www.freeswitchcookbook.com<br><br>T: +1.918.420.9001 | F: +1.918.420.9002 | M: +1.918.424.WEST<br>iNUM: +883 5100 1420 9001<br>ISN: 410*543<br>Skype:briankwest<br>PGP Key: http://www.bkw.org/key.txt (AB93356707C76CED)<br></blockquote><br></blockquote></div><br></div></div></body></html>