[Freeswitch-users] FreeSWITCH TLS with StartSSL Certificate
sunsus
patrick at sunsus.net
Mon Jun 4 13:24:03 MSD 2012
Hello
Today I tried to add a Free StartSSL Class 1 Certificate to a FreeSWITCH
installation. Here I will share the script on how to generate the
Certificate Request:
#!/bin/sh
# Generate a CSR for StartSSL, then assemble agent.pem (server certificate
# followed by its private key) and cafile.pem (StartSSL intermediate + root)
# in the FreeSWITCH ssl directory.
CONFDIR=/usr/local/freeswitch/conf/ssl
DAYS=2190
KEY_SIZE=2048
TMPFILE="/tmp/fs-ca-$$-$(date +%Y%m%d%H%M%S)"
COMMON_NAME="FreeSWITCH VOIP"
ALT_NAME="DNS:sip.freeswitch.org"
ORG_NAME="FreeSWITCH"
OUTFILE="agent.pem"
# Key material is created with mode 0640 (no access for "other")
umask 037

generate_request() {
    local val=""
    echo "Generating new request..."
    echo
    echo "--------------------------------------------------------"
    echo "CN: \"${COMMON_NAME}\""
    echo "ORG_NAME: \"${ORG_NAME}\""
    echo "ALT_NAME: \"${ALT_NAME}\""
    echo
    echo "Certificate filename \"${OUTFILE}\""
    echo
    echo "[Is this OK? (y/N)]"
    read val
    if [ "${val}" != "y" ] && [ "${val}" != "Y" ]; then
        echo "Aborted"
        return 2
    fi
    # Fill the %CN%/%ALTNAME%/%ORG% placeholders of the FreeSWITCH config template
    sed \
        -e "s|%CN%|$COMMON_NAME|" \
        -e "s|%ALTNAME%|$ALT_NAME|" \
        -e "s|%ORG%|$ORG_NAME|" \
        "${CONFDIR}/CA/config.tpl" \
        > "${TMPFILE}.cfg" || exit 1
    echo "Key size: ${KEY_SIZE}"
    # New key plus CSR. -nodes leaves the key unencrypted so FreeSWITCH can load
    # it without a passphrase. -sha1 is what StartSSL accepted at the time; a
    # current CA expects -sha256 on the request.
    openssl req -new -out "${TMPFILE}.req" \
        -newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \
        -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
    echo
    cat "${TMPFILE}.req"
    echo
    echo "go to http://www.startssl.com/ and generate a certificate"
    echo "paste certificate (ends with the END CERTIFICATE line, or type ^A):"
    # Collect the pasted PEM block. Stop after its END line, or on a literal
    # "^A" line, which is not written to the file.
    while IFS= read -r LINE
    do
        if [ "$LINE" = "^A" ]; then
            break
        fi
        printf '%s\n' "$LINE" >> "${TMPFILE}.crt"
        if [ "$LINE" = "-----END CERTIFICATE-----" ]; then
            break
        fi
    done
    echo "other processing continues "
    # Signing with the local FreeSWITCH CA is not used in the StartSSL flow:
    # openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
    #     -in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
    #     -extensions "${EXTENSIONS}" -days ${DAYS} -sha1 >/dev/null || exit 1
    # agent.pem = server certificate followed by its private key
    cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"
    # StartSSL intermediate and root, appended to the CA bundle. Plain HTTP gives
    # no integrity guarantee for a trust anchor, so compare the downloaded files
    # with the fingerprints the CA publishes before relying on them.
    wget -q -O "${TMPFILE}.sub.pem" http://www.startssl.com/certs/sub.class1.server.ca.pem || exit 1
    wget -q -O "${TMPFILE}.ca.pem" http://www.startssl.com/certs/ca.pem || exit 1
    cat "${TMPFILE}.sub.pem" "${TMPFILE}.ca.pem" >> "${CONFDIR}/cafile.pem"
    rm -f "${TMPFILE}.sub.pem" "${TMPFILE}.ca.pem"
    rm -f "${TMPFILE}.cfg" "${TMPFILE}.crt" "${TMPFILE}.key" "${TMPFILE}.req"
    echo "DONE"
}

remove_startssl() {
    echo "Removing StartSSL"
    # -f: the certificate file is a regular file, not a directory
    if [ -f "${CONFDIR}/${OUTFILE}" ]; then
        rm "${CONFDIR}/${OUTFILE}"
    fi
    echo "DONE"
}

OUTFILESET="0"
command="$1"
shift
while [ $# -gt 0 ]; do
    case $1 in
        -cn)
            shift
            COMMON_NAME="$1"
            ;;
        -alt)
            shift
            ALT_NAME="$1"
            ;;
        -org)
            shift
            ORG_NAME="$1"
            ;;
        -out)
            shift
            OUTFILE="$1"
            OUTFILESET="1"
            ;;
        -days)
            shift
            DAYS="$1"
            ;;
    esac
    shift
done

case ${command} in
    create_request)
        EXTENSIONS="request"
        generate_request
        ;;
    remove)
        echo "Are you sure you want to delete the StartSSL Certificate? [YES to delete]"
        read val
        if [ "${val}" = "YES" ]; then
            remove_startssl
        else
            echo "Not deleting CA"
        fi
        ;;
    *)
        cat <<-EOF
$0 <create_request|remove> [options]
* commands:
    remove - Remove StartSSL
    create_request - Create a new certificate request for startSSL
* options:
    -cn Set common name
    -alt Set alternative name (use prefix 'DNS:' or 'URI:')
    -org Set organization name
    -out Filename for new certificate (create only)
    -days Certificate expires in X days (default: ${DAYS})
EOF
        exit 1
        ;;
esac
Everything seems to work, except the validation of a SNOM phone. Does
anyone know how to tell FreeSWITCH to publish the correct CA bundle and
certificate track? Because the CA Certificate of StartSSL is included in
the SNOM:
regards
Patrick
--
View this message in context: http://freeswitch-users.2379917.n2.nabble.com/FreeSWITCH-TLS-with-StartSSL-Certificate-tp7579377.html
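An added example, not part of the original post or of FreeSWITCH: offline checks on the two files the script above assembles, agent.pem (certificate followed by key) and cafile.pem (intermediate plus root). The point for the phone problem is the second check: a client that holds only the CA's root cannot validate the server certificate unless it also obtains the intermediate, so the test is run once with the full bundle and once with the root alone. The function names, the constructed three-level demo PKI and the host name sip.example.net are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: offline checks on agent.pem
# (cert + key) and cafile.pem (CA bundle) as assembled by the script above.
# The demo PKI, file names and the host sip.example.net are assumptions.
set -u

# check_tls_material AGENT_PEM CAFILE_PEM HOSTNAME
# Exit status: 0 ok, 1 unreadable input, 2 key/certificate mismatch,
# 3 certificate does not chain to CAFILE_PEM, 4 SAN lacks DNS:HOSTNAME
check_tls_material() {
    agent="$1"; cafile="$2"; host="$3"
    tmp=$(mktemp -d) || return 1
    # First CERTIFICATE block and the private key from agent.pem
    openssl x509 -in "$agent" -out "$tmp/cert.pem" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    openssl pkey -in "$agent" -pubout -out "$tmp/key.pub" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    openssl x509 -in "$tmp/cert.pem" -noout -pubkey > "$tmp/cert.pub" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    # 1. the public key derived from the private key must equal the certificate's
    cmp -s "$tmp/key.pub" "$tmp/cert.pub" \
        || { echo "private key does not match certificate" >&2; rm -rf "$tmp"; return 2; }
    # 2. a client holding only CAFILE_PEM must be able to build the chain
    openssl verify -CAfile "$cafile" "$tmp/cert.pem" >/dev/null 2>&1 \
        || { echo "certificate does not chain to $cafile" >&2; rm -rf "$tmp"; return 3; }
    # 3. the name the phone registers to must appear as a DNS SAN
    openssl x509 -in "$tmp/cert.pem" -noout -text 2>/dev/null \
        | tr ', ' '\n\n' | grep -qxF "DNS:$host" \
        || { echo "SAN lacks DNS:$host" >&2; rm -rf "$tmp"; return 4; }
    rm -rf "$tmp"
    return 0
}

# Constructed PKI (root -> intermediate -> leaf) in directory $1, mirroring
# the StartSSL layout of root -> sub.class1 -> server certificate.
make_demo_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sip.example.net\n' > "$d/leaf.ext"
    for name in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Assemble the files the way the script above does and run the checks with
# the full bundle, with the root alone, and with a host missing from the SAN.
# Prints the three exit statuses: "0 3 4".
run_demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    cat "$d/leaf.pem" "$d/leaf.key" > "$d/agent.pem"   # certificate + key
    cat "$d/int.pem" "$d/root.pem" > "$d/cafile.pem"   # intermediate + root
    check_tls_material "$d/agent.pem" "$d/cafile.pem" sip.example.net 2>/dev/null && r1=0 || r1=$?
    check_tls_material "$d/agent.pem" "$d/root.pem" sip.example.net 2>/dev/null && r2=0 || r2=$?
    check_tls_material "$d/agent.pem" "$d/cafile.pem" other.example.net 2>/dev/null && r3=0 || r3=$?
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

if [ "${1:-}" = "demo" ]; then
    run_demo
fi
```

Run it as `sh check-tls.sh demo`; against a real installation, call `check_tls_material /usr/local/freeswitch/conf/ssl/agent.pem /usr/local/freeswitch/conf/ssl/cafile.pem <hostname>` with the name the phones use. The root-only failure (status 3) is the situation a phone is in when it ships only the CA's root: either the intermediate has to be served by FreeSWITCH as part of the chain or it has to be installed on the phone alongside the root.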