Asterisk with TLS and SRTP


I’m trying to enable TLS using below guide, I’m little confused about the client certificate part

For client certificate “” resolves to IP from which agent will login? If yes do I have to create separate domains for every agent as due to Covid19 agents are at home and every agent have different IP, not to mention they don’t have static IP’s

Client certificate does not have to resolve to the IP address. Only the server certificate has to contain the hostname that is used.

Best practice is to use a VPN, in which case you can ignore the addresses and domains in the underlying network.

Ideally each phone would have a unique client certificate, but the normal practice is rely on user and password, sent over the encrypted connection, to authenticate the phone, so the phone only needs a certificate used to sign the server certificate, which, in some cases, can be the server certificate itself, although better practice is for it to be a corporate CA certificate.

Okay, what actually “” refers to here?

./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C -O “My Super Company” -d /etc/asterisk/keys -o malcolm

I first tried with openvpn but faced issues like distortion and oneway voice specially in conference calls.

It’s describing a two way authenticated TLS configuration. Most people using TLS, on the web, with only the server proving its identity, but TLS allows both sides to prove their identity. (Non encrypted SIP tends to use the opposite authentication arrangement, where the clients trust the PXBes and the clients prove their identity with a password, but if you want reliable encryption, that is not enough, as it allows a man in the middle attack The lazy approach is to authenticate the PBX using TLS, but continue to authenticate the phone the old way, but over a connection that is now known to be to the PBX and to be encrypted.)

Thank you for explaining, what actually I wanted to ask is “” resolves to asterisk server. what does “” resolves to? Agent / client IP?

I did generated the keys but with both (for server and client certificate) domains resolving to server (which I guess is not correct) and therefore extension is not registering.

It doesn’t need to resolve to anything, it just needs to have a specific name for the client. This is because the server does not connect back to the client, and merely needs to verify (if configured to do so) that the certificate was issued from its certificate authority.

I have asterisk 11.17.1 on centos 7.8

Have generated the certificates as mentioned in Also configured sip.conf accordingly, added the ca.crt and malcolm.pem in softphone but it is not registering. I guess its not authenticating.

Not sure if I’m missing something.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.