Does asterisk accept 2 CAs?

I tried to combine 2 CAs into one CA and added this new CA to:
“ca_list_file” in pjsip.conf, which should accept both certificates, since its description says “File containing a list of certificates to read (TLS ONLY, not WSS)”.
But apparently Asterisk only accepts the 1st certificate in the file and just ignores the rest of the file.
Any explanation of this weird behavior?

Are they 2 top-level CA certificates or a chain of certificates?
If you reverse the order in the file, is it still the first one that’s accepted?

Also, can you use that file with openssl s_server and openssl s_client?


Root CA certificates, so top level.
When I reversed the order, it worked for the 1st one.

When I tried with openssl s_server and openssl s_client I got the same result as the one I got in Asterisk: only the 1st certificate in the combined file works.

Yeah, that makes sense, as Asterisk and pjproject both use OpenSSL underneath to read the files.

Assuming you’re using the current version of Asterisk with the bundled pjproject, and are setting up a pjsip transport, try this…

  • Create a directory that asterisk will have access to, maybe /etc/asterisk/cacerts or /var/lib/asterisk/keys/cacerts.
  • Place your CA certificates in that directory in separate files. It’s important that there be only one cert per file.
  • In that directory, run openssl rehash.
  • In your transport configuration, set ca_list_path = <whatever directory you created>

See if that works.

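As an added example (not posted in the thread), a POSIX shell script for the second and third steps above: it splits a combined CA bundle into one certificate per file under the chosen directory and then runs openssl rehash there so the directory works as a ca_list_path. The helper names, the target directory and the placeholder sample bundle are assumptions; the hash-link step needs a real openssl binary and real certificates.

```shell
#!/bin/sh
# Added example, not from the thread: turn a combined CA bundle into the
# one-cert-per-file directory that pjsip's ca_list_path expects and build
# the hash links OpenSSL's directory lookup needs. All names are constructed.

# split_bundle BUNDLE OUTDIR: writes ca-1.pem, ca-2.pem, ... (exactly one
# certificate each) into OUTDIR and prints how many it wrote. Text between
# certificates (comments, "subject=" lines) is dropped rather than copied.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/ca-%d.pem", dir, n); inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# rehash_dir OUTDIR: creates the <subject-hash>.N symlinks OpenSSL uses to
# find a CA by subject in a CApath directory (what "openssl rehash" does;
# older OpenSSL releases ship c_rehash instead). Fails if neither exists.
rehash_dir() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl rehash "$1" >/dev/null 2>&1 || c_rehash "$1" >/dev/null 2>&1
}

# make_sample_bundle FILE: constructed two-certificate bundle with
# placeholder bodies, enough to exercise split_bundle offline.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CA-1
-----END CERTIFICATE-----
subject=text between blocks, such as this line, is not copied
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CA-2
-----END CERTIFICATE-----
EOF
}
# Usage: sh split-cas.sh combined-ca.pem /etc/asterisk/cacerts
# then set ca_list_path = /etc/asterisk/cacerts on the TLS transport.
if [ $# -eq 2 ]; then
    n=$(split_bundle "$1" "$2")
    echo "wrote $n certificate file(s) to $2"
    rehash_dir "$2" || echo "openssl rehash unavailable; run it in $2 yourself" >&2
fi
```

Afterwards, `openssl verify -CApath /etc/asterisk/cacerts some-peer-cert.pem` is a quick way to confirm that each root in the directory is found before pointing the transport at it.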

Thank you, it worked.

@gjoseph
I'm trying to understand if ca_list_file and ca_list_path are mutually exclusive. I tried to use both at the same time and it was working fine, but I'm afraid at some level it might just crash or something.
From the OpenSSL POV it says they are mutually exclusive, and so said some other people, but I'm still not so sure.

They are NOT mutually exclusive. The OpenSSL documentation explains how they’re used and in what order…
