How to renew TLS certificates (self signed)

I’ve created a lot of certificates to use SIP with TLS in my Asterisk 13.10 (chan_sip) based on https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial and they work fine. But the certificates expire, and I want to know if it is possible to renew them so I don’t need to re-import all the certificates in each softphone again.

The article describes using a corporate certification authority, not self signed certificates. Root certifying certificates are always self signed. All the commercial certificate suppliers have a self-signed certificate at the top of their chain.

In any case it is fundamental to the reasons for time limiting certificates that they must be replaced to continue to work.

For your next round, you should make a risk assessment on the chances of undetected compromises of secret keys and technological advances eroding the security of particular encryption technologies, to a point where it would be worth an attacker’s while to attack yours, and set the longest expiry compatible with that assessment.

Thank you for your reply @david551 . About the article, I still think it is about self signed, since in the description of some steps they say that, and the certificate is not recognized in all softphones as a “public/valid” certificate:

About the time of expiration, you’re right. I’m just looking for a means to renew my expired certificate, because SIP TLS does not work anymore after the expiry date came.

It would be better if they had said a root, rather than self-signed, as the slightly dodgy thing to do is to use a self-signed certificate directly as client certificate.

If the phone is objecting to the certificate not being recognized, that probably means they are using the system list of signing authorities, rather than a local set. The example tends to assume the use of Linux or at least openssl, where it is common to have private lists of root certificates. For Windows it may be more common to have the root certificate in the main certificate store. Just double clicking on a .crt file should start the installation process.

As for changing your expired certificates, this is really a case of a lesson for the next time. You need to plan to update certificates well before they expire. Quite a few prominent web sites seem to have been caught out by failing to plan for this.
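As an added example, not code from this thread or from the Asterisk wiki: a POSIX shell script that checks how long the server certificate has left and, when needed, reissues only that certificate under the local CA the softphones already trust, so the CA does not have to be re-imported on every phone. It assumes the file layout the tutorial's ast_tls_cert script produces (ca.crt, ca.key, asterisk.key, asterisk.pem in one directory); the CN pbx.example.test and the demo CA are constructed for illustration.

```shell
#!/bin/sh
# Assumes the tutorial's ast_tls_cert layout: ca.crt/ca.key (the CA installed on
# each softphone) and asterisk.key (server key) in one directory. Only the server
# certificate is reissued; ca.crt is never touched, so the phones keep trusting it.
set -eu

# Exit 0 if the certificate stays valid for at least $2 more days, else 1.
# openssl -checkend takes seconds, so convert days. A missing file also yields 1.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Reissue the server certificate from the EXISTING server key, signed by the
# EXISTING CA. ast_tls_cert's extension config file is not reproduced here.
renew_server_cert() {
    dir=$1 cn=$2 days=$3
    openssl req -new -key "$dir/asterisk.key" -subj "/CN=$cn" -out "$dir/asterisk.csr"
    openssl x509 -req -in "$dir/asterisk.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -out "$dir/asterisk.crt" 2>/dev/null
    # chan_sip's tlscertfile expects certificate and private key in one PEM file.
    cat "$dir/asterisk.crt" "$dir/asterisk.key" > "$dir/asterisk.pem"
    rm -f "$dir/asterisk.csr"
}

# Confirm the new certificate chains to the CA the phones hold before deploying it.
verify_against_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/asterisk.crt" >/dev/null 2>&1
}

# Cron-style entry point: renew for one year when fewer than 30 days remain.
renew_if_needed() {
    if valid_for_days "$1/asterisk.crt" 30; then return 0; fi
    renew_server_cert "$1" "$2" 365
    verify_against_ca "$1"
}

# Throwaway CA and server key for trying this out (constructed for the demo).
# On a real PBX these already exist from ast_tls_cert; do NOT regenerate the CA,
# or every phone would need the new ca.crt imported again.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Demo Asterisk CA" -days 3650 >/dev/null 2>&1
    openssl genrsa -out "$dir/asterisk.key" 2048 2>/dev/null
}
```

After a renewal, reload chan_sip (`sip reload` at the Asterisk CLI) so the new asterisk.pem is picked up; the CA's validity period itself sets the outer limit, since once ca.crt expires the phones do have to receive a new one.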
