For the client certificate, does “phone1.mycompany.com” resolve to the IP from which the agent will log in? If yes, do I have to create separate domains for every agent? Due to Covid19 the agents are at home and every agent has a different IP, not to mention they don’t have static IPs.
Best practice is to use a VPN, in which case you can ignore the addresses and domains in the underlying network.
Ideally each phone would have a unique client certificate, but the normal practice is to rely on a user and password, sent over the encrypted connection, to authenticate the phone, so the phone only needs the certificate used to sign the server certificate, which, in some cases, can be the server certificate itself, although better practice is for it to be a corporate CA certificate.
It’s describing a two-way authenticated TLS configuration. Most people use TLS, on the web, with only the server proving its identity, but TLS allows both sides to prove their identity. (Non-encrypted SIP tends to use the opposite authentication arrangement, where the clients trust the PBXes and the clients prove their identity with a password, but if you want reliable encryption, that is not enough, as it allows a man-in-the-middle attack. The lazy approach is to authenticate the PBX using TLS, but continue to authenticate the phone the old way, but over a connection that is now known to be to the PBX and to be encrypted.)
Thank you for explaining. What I actually wanted to ask is: “pbx.mycompany.com” resolves to the Asterisk server, but what does “phone1.mycompany.com” resolve to? The agent / client IP?
I did generate the keys, but with both domains (for the server and client certificates) resolving to the server (which I guess is not correct), and therefore the extension is not registering.
It doesn’t need to resolve to anything, it just needs to have a specific name for the client. This is because the server does not connect back to the client, and merely needs to verify (if configured to do so) that the certificate was issued from its certificate authority.
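The point in the reply above can be checked directly: the hostname in a client certificate is never looked up, only the CA signature is. The following is an added example (not from this thread or from Asterisk’s own cert script) that builds a private CA with the openssl CLI, issues a client certificate for “phone1.mycompany.com”, and verifies it without any DNS involved; a second, constructed “rogue” CA issuing the same name fails verification.

```shell
#!/bin/sh
# Added example: chain verification of a SIP client certificate depends only on
# the issuing CA, not on whether the CN resolves. Assumes the openssl CLI.
set -e

WORK=$(mktemp -d)
mkdir -p "$WORK/corp" "$WORK/rogue"

# make_ca <dir>: self-signed CA key and certificate (ca.key / ca.crt)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_client <dir> <cn>: client key + CSR, signed by that directory's CA
issue_client() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/client.key" \
        -out "$1/client.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/client.crt" >/dev/null 2>&1
}

# verify_client <ca.crt> <client.crt>: prints "ok" if the chain validates
verify_client() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca "$WORK/corp" "mycompany corporate CA"       # the PBX trusts this one
make_ca "$WORK/rogue" "constructed rogue CA"        # constructed for contrast
issue_client "$WORK/corp" phone1.mycompany.com      # name resolves to nothing
issue_client "$WORK/rogue" phone1.mycompany.com     # same name, wrong issuer

# Only the signature chain is checked; the CN is never resolved.
verify_client "$WORK/corp/ca.crt" "$WORK/corp/client.crt"    # ok
verify_client "$WORK/corp/ca.crt" "$WORK/rogue/client.crt"   # fail
```

Pointing the PBX at the corporate CA file is what makes the first case accepted and the second rejected; the name in the certificate only needs to be unique per phone.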