[Spce-user] Configuring SSL certificates

Kevin Blackman KBLACKMA at WISEKEY.COM
Wed Mar 7 19:19:00 EST 2012


What about the Kamailio self-signed root that is used as its server certificate?
I have not changed this certificate... 
1) Is this certificate used in SIP over TLS connections? 
2) As our clients must bind to a trusted root certificate, if this is the certificate that is presented to the client over SIP/TLS, then can we change it to a trusted SSL certificate under some intermediate CAs and our publicly trusted Root certificate?
3) If yes to the above may we place all of them from SSL cert, through issuing, intermediate policy, and then Root CA, within one file in ascending order of hierarchy?
Kevin
-----Original Message-----
From: Andrew Pogrebennyk [mailto:apogrebennyk at sipwise.com] 
Sent: Wednesday, March 07, 2012 8:25 PM
To: Kevin Blackman
Cc: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] Configuring SSL certificates

On 03/07/2012 07:49 PM, Kevin Blackman wrote:
> OK - this has been resolved, seems it was an issue of white space at the end of the lines in the CRT and crt files.
> The query concerning intermediate CA file config via config.yml remains open...

Please check
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile

AFAIR if you have the following trust hierarchy:

trusted root
  - inter 1
       - inter 2
             - server.example.com.crt

You may construct the crt file in this exact order:

cat server.example.com.crt > chain-server.example.com.crt
cat inter2.crt >> chain-server.example.com.crt
cat inter1.crt >> chain-server.example.com.crt

And then specify the resulting file in SSLCertificateChainFile.

The apache configuration is not under templates (yet) so you can edit your httpd.conf directly.
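
Added example, not part of the original thread or of the sip:provider CE code: a small linter for a chain file built with the `cat` steps above. It flags trailing whitespace and CRLF endings (the problem reported earlier in the thread) and PEM markers fused onto one line, which happens when a concatenated file lacks a final newline. It checks framing only, not certificate order or signatures; `lint_pem_chain` and `fake_pem` are hypothetical names, and the sample blocks are constructed filler, not real certificates.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def lint_pem_chain(text):
    """Return (complete_block_count, problems) for a concatenated PEM chain file."""
    problems, count, body = [], 0, None   # body is a list while inside a block
    for n, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip(" \t\r")
        if line != raw:
            kind = "CRLF line ending" if raw.endswith("\r") else "trailing whitespace"
            problems.append(f"line {n}: {kind}")
        if not line:
            continue
        if line.count("-----BEGIN") + line.count("-----END") > 1:
            # Typical result of 'cat a.crt >> chain.crt' when a file has no final newline.
            problems.append(f"line {n}: two PEM markers fused on one line")
            body = []                     # resume parsing with the block that follows
        elif line == BEGIN:
            if body is not None:
                problems.append(f"line {n}: BEGIN inside an open block")
            body = []
        elif line == END:
            if body is None:
                problems.append(f"line {n}: END without BEGIN")
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                    count += 1
                except ValueError:
                    problems.append(f"line {n}: block body is not valid base64")
            body = None
        elif body is not None:
            body.append(line)
    if body is not None:
        problems.append("end of file: unterminated block")
    return count, problems

def fake_pem(seed):
    """Constructed sample: PEM framing around filler bytes, not a real certificate."""
    b64 = base64.b64encode(bytes([seed]) * 96).decode()
    return "\n".join([BEGIN, b64[:64], b64[64:], END]) + "\n"

if __name__ == "__main__":
    # Second file lacks its final newline, so its END fuses with the next BEGIN.
    chain = fake_pem(1) + fake_pem(2).rstrip("\n") + fake_pem(3)
    print(lint_pem_chain(chain))
```

To lint a real file, pass its contents: `lint_pem_chain(open("chain-server.example.com.crt").read())`.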
