Generating SSL/TLS certificates for SIP agents and proxies

Prerequisites

OpenSSL 0.9.6 or later must be installed; the scripts below call the openssl command-line tool to create the keys and certificates.

To generate the random seed file (used to seed the PRNG; the scripts below read it through their -rand option)

$ tport_rand tls_seed.dat

To generate the root authority certificate

$ make_root_cert.pl \
     -cn <root common name> \
     -dns <comma separated list of root dns names> \
    [-prefix <prefix for the generated files> (default root)] \
    [-rand <random seed file> (default tls_seed.dat)]
This command will generate files <prefix>key.pem (root private key), <prefix>cert.pem (root certificate) and <prefix>.pem (the key and the certificate concatenated). The latter file is the one passed to make_node_cert.pl to sign node certificates, since signing needs the root private key as well as the root certificate.

To generate a certificate for a single node (user agent or proxy)

$ make_node_cert.pl \
     -cn <node common name> \
     -dns <comma separated list of node dns names> \
    [-ca <cafile> (default root.pem)] \
    [-prefix <prefix for the generated files> (default agent)] \
    [-rand <random seed file> (default tls_seed.dat)]
This command will generate files <prefix>key.pem (node private key), <prefix>cert.pem (node certificate) and <prefix>.pem (the key and the certificate concatenated). The node certificate is signed with the CA key and certificate contained in <cafile>.

Installing the certificates to the nodes

  1. Copy the root certificate file (rootcert.pem by default - not root.pem or rootkey.pem, which contain the root private key!), the combined node certificate+key file (agent.pem) and tls_seed.dat to the TLS configuration directory (default $HOME/.sip/auth)
  2. Rename rootcert.pem as cafile.pem

Note that agent.pem contains the node's private key and tls_seed.dat the PRNG seed: both must be kept secret (readable only by the user running the SIP agent or proxy) to keep the connections secure. The root private key in rootkey.pem and root.pem is only needed to sign node certificates; it should never be copied to a node.
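The following is an added example, not the Sofia-SIP scripts themselves: it performs the three steps above (root certificate, node certificate signed by it, installation on a node) with plain openssl(1) and then checks the installed files the way a practitioner would before trusting them. File names follow the scripts' defaults (rootkey.pem, rootcert.pem, root.pem, agentkey.pem, agentcert.pem, agent.pem, cafile.pem). Assumptions not stated on the page: the -dns list becomes a subjectAltName DNS list, keys are 2048-bit RSA, certificates are valid for one year, and "openssl rand" stands in for tport_rand when writing tls_seed.dat.

```shell
#!/bin/sh
# Added example (not the Sofia-SIP scripts): the same three steps as
# make_root_cert.pl / make_node_cert.pl / the install section, done with
# openssl(1) so each file can be inspected. Assumptions: -dns names go into
# subjectAltName, 2048-bit RSA, 1-year validity, "openssl rand" replaces
# tport_rand for tls_seed.dat.
set -e

# san_list "a,b" -> "DNS:a,DNS:b"
san_list() { printf 'DNS:%s' "$1" | sed 's/,/,DNS:/g'; }

# gen_root_cert DIR CN DNS_LIST -> DIR/rootkey.pem, rootcert.pem, root.pem
gen_root_cert() {
    dir=$1; cn=$2; san=$(san_list "$3")
    cat > "$dir/root.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $cn
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
subjectAltName = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -config "$dir/root.cnf" \
        -keyout "$dir/rootkey.pem" -out "$dir/rootcert.pem" 2>/dev/null
    # root.pem = key + certificate; this is the file used to sign node certs
    cat "$dir/rootkey.pem" "$dir/rootcert.pem" > "$dir/root.pem"
    chmod 600 "$dir/rootkey.pem" "$dir/root.pem"
}

# gen_node_cert DIR CN DNS_LIST [CAFILE] [PREFIX] -> DIR/<prefix>key.pem,
# <prefix>cert.pem, <prefix>.pem (defaults mirror the scripts: root.pem, agent)
gen_node_cert() {
    dir=$1; cn=$2; san=$(san_list "$3"); ca=${4:-$dir/root.pem}; p=${5:-agent}
    cat > "$dir/$p.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[v3_node]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$p.cnf" \
        -keyout "$dir/${p}key.pem" -out "$dir/$p.csr" 2>/dev/null
    # The combined CA file carries both key and certificate, so the one file
    # serves as -CA and -CAkey (openssl skips PEM blocks of the wrong type).
    openssl x509 -req -days 365 -sha256 -in "$dir/$p.csr" \
        -CA "$ca" -CAkey "$ca" -CAcreateserial \
        -extfile "$dir/$p.cnf" -extensions v3_node \
        -out "$dir/${p}cert.pem" 2>/dev/null
    cat "$dir/${p}key.pem" "$dir/${p}cert.pem" > "$dir/$p.pem"
    chmod 600 "$dir/${p}key.pem" "$dir/$p.pem"
}

# install_node SRC DEST: copy only what a node needs; the root key stays behind
install_node() {
    src=$1; dest=$2
    mkdir -p "$dest"; chmod 700 "$dest"
    cp "$src/rootcert.pem" "$dest/cafile.pem"    # step 2: rootcert.pem -> cafile.pem
    cp "$src/agent.pem" "$dest/agent.pem"
    openssl rand -out "$dest/tls_seed.dat" 1024    # stand-in for tport_rand
    chmod 600 "$dest/agent.pem" "$dest/tls_seed.dat"
}

# check_install DEST: 0 if agent.pem chains to cafile.pem, cafile.pem holds
# no private key (the classic root.pem-instead-of-rootcert.pem mistake), and
# the key and certificate inside agent.pem belong to each other
check_install() {
    dest=$1
    openssl verify -CAfile "$dest/cafile.pem" "$dest/agent.pem" >/dev/null 2>&1 || return 1
    if grep -q 'PRIVATE KEY' "$dest/cafile.pem"; then return 1; fi
    certmod=$(openssl x509 -noout -modulus -in "$dest/agent.pem")
    keymod=$(openssl rsa -noout -modulus -in "$dest/agent.pem" 2>/dev/null)
    [ "$certmod" = "$keymod" ]
}
```

Typical use on the machine holding the root key: gen_root_cert ./pki "Example SIP Root CA" ca.example.com, then gen_node_cert ./pki proxy.example.com proxy.example.com,sip.example.com, then install_node ./pki $HOME/.sip/auth on the node followed by check_install $HOME/.sip/auth. The check deliberately refuses an installation whose cafile.pem contains a private key, since copying root.pem instead of rootcert.pem both leaks the root key to every node and is the most common way the install step goes wrong.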