[OpenSIPS-Users] How to create certificates for TLS?

Podrigal, Aron aronp at guaranteedplus.com
Mon Feb 23 21:54:48 CET 2015


Create the certificates and set the params to match that.

eg.
tls_certificate = "/usr/local/etc/opensips/tls/rootCA/cacert.pem"
tls_private_key = "/usr/local/etc/opensips/tls/rootCA/private/cakey.pem"
tls_ca_list = "/usr/local/etc/opensips/tls/rootCA/cacert.pem"


On Mon, Feb 23, 2015 at 11:45 AM, Karl Karpfen <karlkarpfen79 at gmail.com>
wrote:

> Hm, I'm not sure if I understand this. When I set "disable_tls=no" in the
> configuration file, OpenSIPS complains about a missing file:
>
> ERROR:core:load_private_key: unable to load private key file
> '/usr/local//etc/opensips/tls/cert.pem
>
> But "opensipsctl rootCA" does not create this file and "opensipsctl userCERT"
> requires a username that also does not correspond to this file.
>
> 2015-02-22 13:00 GMT+01:00 Podrigal, Aron <aronp at guaranteedplus.com>:
>
>> #1 You should compile opensips with TLS=1.
>>
>> You can create those certificates with openssl and use some cipher
>> with Diffie–Hellman, and configure the corresponding
>> "tls_dh_params" setting in the opensips config in order to use PFS.
>> opensips provides some easy commands to create certificates with "opensipsctl
>> tls <option>" where option is either rootCA | userCERT. It uses
>> <install-dir>/etc/tls/ca.conf and <user>.conf and request.conf for
>> the different types of certificates.
>>
>> Here are the settings related to tls, excerpted from the source code:
>>
>> disable_tls
>> tlslog | tls_log
>> tls_port_no
>> tls_method
>> tls_verify_client
>> tls_verify_server
>> tls_require_client_certificate
>> tls_certificate
>> tls_private_key
>> tls_ca_list
>> tls_ca_dir
>> tls_dh_params
>> tls_ec_curve
>> tls_ciphers_list
>> tls_handshake_timeout
>> tls_send_timeout
>> tls_server_domain
>> tls_client_domain
>> tls_client_domain_avp
>>
>>
>> On Sat, Feb 21, 2015 at 11:25 AM, Karl Karpfen <karlkarpfen79 at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> in opensips.cfg there is a section after the "disable_tls" option where
>>> some certificates and keys need to be configured which do not exist by
>>> default:
>>>
>>> tls_certificate=/usr/local/etc/opensips/tls/user/user-cert.pem
>>> tls_private_key=/usr/local/etc/opensips/tls/user/user-privkey.pem
>>> tls_ca_list=/usr/local/etc/opensips/tls/user/user-calist.pem
>>>
>>> My question: how can I create these files correctly in order to have a TLS
>>> connection to the server? And is there a possibility to use perfect forward
>>> secrecy?
>>>
>>> Thanks!
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>
>>
>
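Putting the advice in this thread into one script, as an added example that is not part of the thread and not OpenSIPS's own opensipsctl tooling: it uses plain openssl to build a root CA, a separate server key and certificate signed by that CA (OpenSIPS loads the server key; the CA key only signs and stays offline), optional finite-field DH parameters for tls_dh_params, and then writes an opensips.cfg fragment using the parameter names listed above. The directory layout, subject names, key sizes, verification flags, curve and cipher string are the script's own assumptions rather than OpenSIPS defaults, so check the tls_verify_client / tls_require_client_certificate semantics against the documentation of your OpenSIPS version before copying the fragment.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSIPS project: private root CA,
# server key/certificate signed by it, DH parameters, and the matching
# opensips.cfg TLS lines, all with plain openssl. Layout, names, sizes and the
# cipher list are this script's assumptions.
set -eu

# Minimal openssl config so nothing here depends on the system openssl.cnf.
# v3_ca marks the CA certificate as a CA that may only sign.
write_req_cnf() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root CA. Its private key signs certificates and nothing else;
# it is NOT the key OpenSIPS should load as tls_private_key.
make_ca() {
    dir="$1"
    mkdir -p "$dir/rootCA/private"
    chmod 700 "$dir/rootCA/private"
    write_req_cnf "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/req.cnf" -extensions v3_ca \
        -subj "/CN=Example SIP Root CA" \
        -keyout "$dir/rootCA/private/cakey.pem" \
        -out "$dir/rootCA/cacert.pem" 2>/dev/null
}

# Server key + certificate. A SIP proxy is a TLS server toward clients and a
# TLS client toward peers, so both EKUs are set; the SAN is what peers verify.
make_server_cert() {
    dir="$1"; fqdn="$2"
    mkdir -p "$dir/server"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/req.cnf" -subj "/CN=$fqdn" \
        -keyout "$dir/server/server-privkey.pem" \
        -out "$dir/server/server.csr" 2>/dev/null
    chmod 600 "$dir/server/server-privkey.pem"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$dir/server/ext.cnf"
    openssl x509 -req -sha256 -days 825 -in "$dir/server/server.csr" \
        -CA "$dir/rootCA/cacert.pem" -CAkey "$dir/rootCA/private/cakey.pem" \
        -CAcreateserial -extfile "$dir/server/ext.cnf" \
        -out "$dir/server/server-cert.pem" 2>/dev/null
}

# Finite-field DH parameters for the DHE suites (tls_dh_params). 2048 bits can
# take minutes to generate; ECDHE via tls_ec_curve needs no such file.
make_dh_params() {
    openssl dhparam -out "$1/dhparams.pem" "${2:-2048}" 2>/dev/null
}

# Checks to run before pointing OpenSIPS at the files: the server cert chains
# to the CA, and the private key really belongs to that certificate.
verify_chain() {
    openssl verify -CAfile "$1/rootCA/cacert.pem" "$1/server/server-cert.pem" >/dev/null 2>&1
}
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1/server/server-cert.pem" | openssl sha256)
    k=$(openssl pkey -pubout -in "$1/server/server-privkey.pem" | openssl sha256)
    [ "$c" = "$k" ]
}

# opensips.cfg fragment with the parameter names from the thread. Everything
# except the paths (verify flags, curve, cipher string) is this example's choice.
write_cfg_fragment() {
    dir="$1"
    cat > "$dir/opensips-tls.cfg" <<EOF
disable_tls = no
tls_verify_client = 1
tls_require_client_certificate = 0
tls_certificate = "$dir/server/server-cert.pem"
tls_private_key = "$dir/server/server-privkey.pem"
tls_ca_list = "$dir/rootCA/cacert.pem"
tls_dh_params = "$dir/dhparams.pem"
tls_ec_curve = "prime256v1"
tls_ciphers_list = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
EOF
}

# Usage: sh make-opensips-tls.sh OUTDIR sip.example.com [DH_BITS]
main() {
    dir="$1"; fqdn="$2"; bits="${3:-2048}"
    make_ca "$dir"
    make_server_cert "$dir" "$fqdn"
    make_dh_params "$dir" "$bits"
    verify_chain "$dir"
    key_matches_cert "$dir"
    write_cfg_fragment "$dir"
    echo "OK: copy the lines in $dir/opensips-tls.cfg into opensips.cfg"
}

[ $# -eq 0 ] || main "$@"
```

Run it as `sh make-opensips-tls.sh /usr/local/etc/opensips/tls sip.example.com`. Only the server key and certificate and the CA certificate need to be on the SIP host; move rootCA/private off it once the server certificate is issued. The DHE suites in the cipher string need the dhparams file, the ECDHE suites need only tls_ec_curve, and either gives forward secrecy.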