Howto Create a Certificate for SIP TLS asterisk.pem

I installed Asterisk 1.6-rc6 and I am running SIP over TCP. Now I want to run SIP over TLS, but I get “ssl cert error <asterisk.pem>”.

How do I generate a certificate and how do I install it in Asterisk? I am using Ubuntu 8.04.


Same problem here, but on CentOS. I tried different openssl certificate making methods. Always the same error.

And I put the IP of my Asterisk computer in the “commonName”.

Where is the problem, or does somebody have the right procedure for making a .pem certificate and how to make it work with Asterisk?!?

I had the same problem, found only some questions but no answers and so decided to find out where the problem is.

After some (well, many) hours of investigation, browsing materials, source code etc. I managed to run Asterisk with CERTIFICATE OK. I have not tested it properly yet, but it seems to be working (accepted certificate, listening on port 5061) so here is what I have done:

1/ I generated a certificate using this how-to in the /home/kelanth/nssl directory. I used the internal IP address of my Asterisk server ( ) as a common name in the certificate
2/ I made a new file containing both key.pem and certificate.pem

cat key.pem > asterisk.pem
cat certificate.pem >> asterisk.pem

I think that this was my problem… Asterisk expects the file containing both the key and the signed certificate and originally I gave it only the certificate.pem, which did not work.
3/ I set the proper information in sip.conf

tlsenable=yes
tlsbindaddr=
tlscertfile=/home/kelanth/nssl/asterisk.pem
tlscafile=/home/kelanth/nssl/asterisk.pem

And voila, Asterisk started ok.
Well, in fact I also added a hash of asterisk.pem into /home/kelanth/nssl/ so I can use the tlscadir, but I suppose it had no influence on this problem.

I hope this will save someone the hours I spent looking for a solution;].

John aka Kelanth
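
The combined-file procedure from the post above, as an added example that is not part of the thread: it creates a self-signed test certificate, concatenates key and certificate into asterisk.pem with owner-only permissions, and checks that a file holds a private key matching its certificate. The function names, the CN value and the 365-day validity are assumptions; the file names follow the post.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl command-line tool.

# make_bundle DIR CN
# Creates DIR/key.pem, a self-signed DIR/certificate.pem and DIR/asterisk.pem.
make_bundle() {
    dir=$1; cn=$2
    (
        # asterisk.pem contains the private key, so create every file
        # readable by its owner only.
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$cn" \
            -keyout "$dir/key.pem" -out "$dir/certificate.pem" 2>/dev/null &&
        # Same result as the two cat commands in the post: key first, then cert.
        cat "$dir/key.pem" "$dir/certificate.pem" > "$dir/asterisk.pem"
    )
}

# check_bundle FILE
# Succeeds only if FILE holds a private key and a certificate that belong together.
check_bundle() {
    f=$1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" ||
        { echo "$f: no private key"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "$f: no certificate"; return 1; }
    # Compare the public key inside the certificate with the one derived
    # from the private key; they are identical when the pair matches.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$f: key does not match certificate"; return 1
    fi
    echo "$f: OK"
}
```

Running `check_bundle` on certificate.pem alone reports "no private key", which is the situation described in step 2/ of the post.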

@kelanth: You the man. It works !!!

One question, I need a CA, is the request.pem the CA certificate? If not, how do I get it?

[quote=“ales187”]@kelanth: You the man. It works !!!

One question, I need a CA, is the request.pem the CA certificate? If not, how do I get it?[/quote]
The request.pem is a certificate request prepared to be signed by CA. Since I am using this merely for private testing, I am signing it myself but if you want your certificate signed by a CA then you have to send the request.pem to this CA and get it signed by them.

Thanks for the info, but has anybody successfully made a call via TLS? I get this error:

[Dec 4 10:15:50] ERROR[3457]: chan_sip.c:4003 create_addr_from_peer: ‘UDP’ is not a valid transport for ‘100’. we only use ‘TLS’! ending call.
[Dec 4 10:15:50] WARNING[3457]: app_dial.c:1502 dial_exec_full: Unable to create channel of type ‘SIP’ (cause 20 - Unknown)

Is there any special configuration in extensions.conf?

Maybe a stupid question, but are you using a device that supports TLS? It looks like the device that tries to make the call does not have TLS supported… but it is only a guess.

I made successful test using Sipp call generator, explored the packets with wireshark and everything was ok (both sipp and asterisk communicated using TLS and the communication was encrypted).

I also tested it with the minisip softphone, but it is rather unstable on my machine (dunno why yet). One call went properly and then minisip began to work badly.

And as for the additional changes to extensions.conf, I have made none and it works on the original configuration I had before using TLS.

Ok, I’ve just got it. There are two phones with TLS support, calls between them work perfectly, but as soon as I make a call via outside line (SIP trunk), I get this error.

The change needed:


Works like a charm!

Hello. I’m Fabio, a student at the University of Salerno (Italy).
Look, I would ask you a favor.
I have the same problem with the certificates and TLS under Asterisk.
I need information about the configuration of sip.conf and extensions.conf.
Also, could you tell me how to create the certificates properly?
I installed Asterisk. Please give me some help. since ci sei tu reuse.
I also use the dui Minisip 0.87.
Clients have to upload the same certificate? If what Common Name?

My Asterisk server has IP
Clients 192 … 168.1.40 and 43.

Hello again and sorry for my English