<div dir="ltr"><div>They would have to appoint your cert as a CA (certificate authority) for you to be able to use it to issue client certificates. The best option is to use your own CA and just install your CA cert onto the devices (as you would already be installing client certs on devices, this shouldn't be too hard).<br><br></div>~Mitch<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jan 3, 2015 at 4:18 PM, Rajil Saraswat <span dir="ltr">&lt;<a href="mailto:rajil.s@gmail.com" target="_blank">rajil.s@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
I would like to use a commercial certificate to generate client<br>
certificates for my TLS sip clients. I have received the following<br>
files for my server from PositiveSSL<br>
<br>
Root CA Certificate - AddTrustExternalCARoot.crt<br>
Intermediate CA Certificate - COMODORSAAddTrustCA.crt<br>
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt<br>
Your PositiveSSL Certificate - myserver_dyndns_org.crt<br>
<br>
<br>
I did the following to create the files in freeswitch/conf/ssl<br>
<br>
a) cat myserver.key myserver_dyndns_org.crt>agent.pem<br>
b) cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > cafile.pem<br>
<br>
<br>
Testing the server works:<br>
openssl s_client -showcerts -connect <a href="http://myserver.dyndns.org:5061" target="_blank">myserver.dyndns.org:5061</a><br>
<br>
*****SNIP****<br>
Server certificate<br>
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=<a href="http://myserver.dyndns.org" target="_blank">myserver.dyndns.org</a><br>
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA<br>
Limited/CN=COMODO RSA Domain Validation Secure Server CA<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 6108 bytes and written 442 bytes<br>
---<br>
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA<br>
Server public key is 2048 bit<br>
Secure Renegotiation IS supported<br>
*****SNIP******<br>
<br>
How do I create the certificates for the clients now?<br>
<br>
Thanks<br>
Rajil<br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
</blockquote></div><br></div>
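<div>The approach suggested in the reply above, as an added example that is not part of the original thread: a private CA issues a client certificate that verifies, while a client certificate signed with an end-entity server certificate (standing in for the PositiveSSL one) is rejected. All subjects, file names and the scratch directory are constructed assumptions.</div>

```shell
#!/bin/sh
# Added example. Names, subjects and paths below are constructed.
D=$(mktemp -d)          # scratch directory for keys and certificates
CNF="$D/ext.cnf"

# Minimal OpenSSL config: one extension section per certificate role.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth
EOF

# Self-signed root of the private CA; ca.crt is the trust anchor to install.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$CNF" \
    -extensions ca_ext -subj "/CN=Example Private SIP CA" \
    -keyout "$D/ca.key" -out "$D/ca.crt" 2>/dev/null
}

# issue NAME SIGNER EXT: new key and CSR for NAME, signed with SIGNER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$1" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.crt" -CAkey "$D/$2.key" \
    -CAcreateserial -days 365 -extfile "$CNF" -extensions "$3" \
    -out "$D/$1.crt" 2>/dev/null
}

# verify_client NAME [INTERMEDIATE]: check NAME as a TLS client cert against ca.crt.
verify_client() {
  openssl verify -CAfile "$D/ca.crt" ${2:+-untrusted "$D/$2.crt"} \
    -purpose sslclient "$D/$1.crt" >/dev/null 2>&1
}

make_ca
issue server ca server_ext          # stands in for the commercial server cert
issue phone1 ca client_ext          # client cert issued by the private CA
issue phone2 server client_ext      # client cert signed with the server cert's key
verify_client phone1 && echo "phone1 (signed by CA): accepted"
verify_client phone2 server || echo "phone2 (signed by server cert): rejected"
```

<div>Only ca.crt needs to be installed as a trust anchor; ca.key stays with whoever issues the client certificates.</div>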