Create Certificates to be used with Kamailio
Creating suitable certificates for Kamailio is just as simple as configuring Apache with SSL/TLS. If you do not have certificates you can use the “openssl” tool to generate the certificates:
Creating Certificates with OpenSSL
The following example was done on a Debian Lenny installation. On other Linux distributions you may have to adapt the openssl.cnf file (e.g. /etc/ssl/openssl.cnf).
- Change the default policy to be more flexible, edit /etc/ssl/openssl.cnf (replace policy_match with policy_anything):
    ...
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy = policy_anything
    ...
- Make a directory to store your certificates (of course you should secure this directory to prevent unprivileged access):
    mkdir /etc/certs
    chmod 0700 /etc/certs
    cd /etc/certs
- Create a self-signed CA (certificate authority) certificate (valid for 10 years):
    mkdir demoCA
    cd demoCA
    mkdir newcerts
    echo '01' > serial
    touch index.txt
    openssl req -new -x509 -extensions v3_ca -keyout key.pem -out cert.pem -days 3650
    # Optional, verify the content of the new CA certificate:
    openssl x509 -in cert.pem -noout -text
    openssl x509 -in cert.pem -noout -dates
    openssl x509 -in cert.pem -noout -purpose
    cd ..
- Make a certificate for your SIP proxy sip.mydomain.com (create keys and a certificate signing request (CSR), then sign the CSR with the CA's certificate):
    mkdir sip.mydomain.com
    cd sip.mydomain.com/
    openssl req -new -nodes -keyout key.pem -out req.pem
    cd ..
    openssl ca -days 730 -out sip.mydomain.com/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles sip.mydomain.com/req.pem
- Make a certificate for another SIP proxy anotherdomain.com (create keys and a certificate signing request (CSR), then sign the CSR with the CA's certificate):
    mkdir anotherdomain.com
    cd anotherdomain.com/
    openssl req -new -nodes -keyout key.pem -out req.pem
    cd ..
    openssl ca -days 730 -out anotherdomain.com/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles anotherdomain.com/req.pem
- Optional, verify the content of the new certificates:
    openssl x509 -in anotherdomain.com/cert.pem -noout -text
    openssl x509 -in sip.mydomain.com/cert.pem -noout -text
Using the Certificates with TLS
- Now you can use these certificates with Kamailio, e.g. (the following snippet is for Kamailio 3.0 and 3.1):
    enable_tls=1
    tcp_async=no # do not include in 3.1
    tcp_connection_lifetime=3610
    listen=udp:<ip-address-for-receiving-sip-requests>:5060
    listen=tcp:<ip-address-for-receiving-sip-requests>:5060
    modparam("tls", "private_key", "/etc/certs/sip.mydomain.com/key.pem")
    modparam("tls", "certificate", "/etc/certs/sip.mydomain.com/cert.pem")
    modparam("tls", "ca_list", "/etc/certs/demoCA/cert.pem")
- If you want to use different certificates depending on the role (server or client) or on who you are talking with, you need to use a separate tls config file, see http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html#config.
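Before restarting Kamailio with the modparams above, it helps to confirm that the certificate, the private key and the CA file actually fit together. The script below is an added example, not part of the original page or of Kamailio; `check_tls_pair` and `make_constructed_pki` are hypothetical helper names, and the latter builds throw-away sample data with `openssl x509 -req` instead of `openssl ca` so that it needs no demoCA directory.

```shell
#!/bin/sh
# Added example (not from the original page): checks the files behind the "tls" modparams.
# check_tls_pair and make_constructed_pki are hypothetical helper names.

# check_tls_pair CA_CERT CERT KEY [MIN_DAYS]: returns the number of failed checks.
check_tls_pair() {
    ca=$1 cert=$2 key=$3 min_days=${4:-30} fails=0
    # 1. The certificate must chain to the CA that goes into "ca_list".
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca"; fails=$((fails + 1)); }
    # 2. The private key must belong to the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert"; fails=$((fails + 1)); }
    # 3. The certificate must stay valid for at least MIN_DAYS more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: $cert expires within $min_days days"; fails=$((fails + 1)); }
    # 4. The key was created with -nodes (unencrypted): no group/other access allowed.
    [ "$(ls -lnL "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is accessible to group or others"; fails=$((fails + 1)); }
    return "$fails"
}

# make_constructed_pki DIR: throw-away CA plus one server certificate (constructed
# sample data). Signs with "openssl x509 -req" rather than the page's "openssl ca",
# so it runs without a demoCA directory or openssl.cnf edits.
make_constructed_pki() {
    d=$1
    openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" -days 3650 2>/dev/null &&
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=sip.example.test" \
        -keyout "$d/key.pem" -out "$d/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/req.pem" -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -out "$d/cert.pem" -days 730 2>/dev/null &&
    chmod 0600 "$d/ca-key.pem" "$d/key.pem"
}

# Usage: sh script.sh CA_CERT CERT KEY [MIN_DAYS], e.g. with the paths from the modparams.
if [ "$#" -ge 3 ]; then check_tls_pair "$@"; fi
```

The exit status is the number of failed checks, so 0 means the three files are consistent.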
Using TLS and the Certificates with SIP Phones
- Further, your SIP client needs to be provisioned to trust your self-signed CA. Depending on your SIP client, there are various ways to configure this, e.g.:
- eyebeam: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the Windows PC and add it to the Windows certificate store (Start→Control Panel→Internet)
- QjSimple: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the client PC and configure QjSimple to use this CA (“TLS CA file” and “verify TLS server certificate”)
- Snom phones: by default Snom accepts untrusted certificates; you just need to set the Outbound Proxy field to “yoursipserver.com;transport=tls”.
Testing
- You can test with the openssl tools, e.g. connecting to the server without certificate validation:
    # openssl s_client -connect localhost:5061 -tls1
    CONNECTED(00000003)
    depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
- Connecting to the server with certificate validation against the CA certificate:
    # openssl s_client -connect localhost:5061 -tls1 -CAfile /etc/certs/demoCA/cert.pem
    CONNECTED(00000003)
    depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
    verify return:1
    depth=0 /C=AT/ST=Vienna/L=Vienna/O=Cheap-Call Limited/CN=sip.mydomain.com
    verify return:1
Example
    debian:/etc# mkdir /etc/certs
    debian:/etc# chmod 0700 /etc/certs
    debian:/etc# cd /etc/certs
    debian:/etc/certs# mkdir demoCA
    debian:/etc/certs# cd demoCA
    debian:/etc/certs/demoCA# mkdir newcerts
    debian:/etc/certs/demoCA# echo '01' > serial
    debian:/etc/certs/demoCA# touch index.txt
    debian:/etc/certs/demoCA# openssl req -new -x509 -extensions v3_ca -keyout key.pem -out cert.pem -days 3650
    Generating a 1024 bit RSA private key
    ...................................................++++++
    .........................++++++
    writing new private key to 'key.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:AT
    State or Province Name (full name) [Some-State]:Vienna
    Locality Name (eg, city) []:Vienna
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:My private CA
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:My private CA
    Email Address []:
    debian:/etc/certs/demoCA# cd ..
    debian:/etc/certs# mkdir anotherdomain.com
    debian:/etc/certs# cd anotherdomain.com/
    debian:/etc/certs/anotherdomain.com# openssl req -new -nodes -keyout key.pem -out req.pem
    Generating a 1024 bit RSA private key
    .....................................++++++
    ..................++++++
    writing new private key to 'key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:AT
    State or Province Name (full name) [Some-State]:.
    Locality Name (eg, city) []:Berlin
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:berlin-calling.com
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:berlin-calling.com
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    debian:/etc/certs/anotherdomain.com# cd ..
    debian:/etc/certs# openssl ca -days 730 -out anotherdomain.com/cert.pem -keyfile demoCA/key.pem -cert demoCA/cert.pem -infiles anotherdomain.com/req.pem
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for demoCA/key.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Sep 9 13:42:27 2010 GMT
            Not After : Sep 8 13:42:27 2012 GMT
        Subject:
            countryName = AT
            localityName = Berlin
            organizationName = berlin-calling.com
            commonName = berlin-calling.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                65:3A:F3:C0:A8:B7:1D:3C:07:82:87:AB:EA:6D:01:D9:19:20:E6:C2
            X509v3 Authority Key Identifier:
                keyid:DD:8B:12:E5:65:71:55:E9:9C:A5:6D:11:56:02:A6:6D:6E:C1:07:D9
    Certificate is to be certified until Sep 8 13:42:27 2012 GMT (730 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    debian:/etc/certs#