Multiple CA certificates in Asterisk?

Hi,

I have a direct link between two Asterisk servers. This allows me to place direct and encrypted calls. I created my own certificates for this purpose and it works great! This is what the configuration looks like:

[general]
tlsenable=yes
tlsbindaddr=::
tlscertfile=/etc/asterisk/keys/asterisk.mycert.pem
tlscafile=/etc/asterisk/keys/mycacert.pem
tlscapath=/etc/asterisk/keys
tlscipher=TLSv1
tlsclientmethod=tlsv1

[otherside]
type=peer
host=asterisk.otherside.com
defaultuser=auser
secret=SuperSecret
context=incoming
transport=tls

As I said, this works perfectly. No errors whatsoever. Now I want to add another Asterisk server. But that server uses a certificate that was not signed by my own CA certificate. And it is also a certificate that those guys created with their own CA file. It was not handed out by an official CA authority. Just like my own. And as soon as I add their server, I get this error:

tcptls.c:621 handle_tcptls_connection: Certificate did not verify: self signed certificate in certificate chain

I tried importing their CA certificate into /usr/local/share/ca-certificates/ and ran update-ca-certificates. And sure enough, 1 new certificate was added. But I still get that error in Asterisk. Even after restarting Asterisk entirely.

I tried commenting out tlscafile=/etc/asterisk/keys/mycacert.pem, while leaving tlscapath=/etc/asterisk/keys active, (hopefully) forcing Asterisk to use all keys in /etc/asterisk/keys/. That seemed to work, because my own certificate didn’t give any errors. But I still get errors on the other certificate.

How can I tell Asterisk it can trust that certificate?

Ok, I’ve been doing some more Googling on the subject and came across this site. It says the following, regarding the option tlscapath= in sip.conf.

But I’m not sure what that means… :blush:

Could someone explain that to me?

Ok, I figured it out. For anyone running into the same problem, here’s how I fixed it.

1. First, you’ll need to get the hash value of the CA cert file.
2. Then you need to rename the CA cert file to the given hash value, followed by a .0
3. And place that file in /etc/asterisk/keys/

openssl x509 -in cacert.pem -noout -hash    # prints the subject hash, let's say it's 5060a30f
mv cacert.pem 5060a30f.0
mv 5060a30f.0 /etc/asterisk/keys/
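The hash-and-rename recipe above, written out as a reusable script; this is an added example, not the poster's commands or Asterisk's own code. It assumes the openssl CLI is installed and generalises the recipe to a whole directory of CA files, using the .1, .2 suffixes when two different CAs share a subject hash (so an existing trusted CA is never overwritten) and checking the result with openssl verify.

```shell
#!/bin/sh
# Added example (not from the original post): populate an OpenSSL-style
# CApath directory, which is the layout Asterisk's tlscapath= points at.
# Each CA certificate is stored as <subject-hash>.<N>, where N starts at 0
# and counts up when two different CAs share a subject hash, so a new CA
# never overwrites one that is already trusted. Assumes the openssl CLI.

# build_capath SRC_DIR DEST_DIR
# Copies every *.pem CA in SRC_DIR into DEST_DIR under its hash name.
# Returns 0 if every file was placed, 1 if any file was not a certificate.
build_capath() {
    src=$1
    dest=$2
    rc=0
    mkdir -p "$dest"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        # -hash (alias -subject_hash) is the name OpenSSL looks up in a CApath
        if ! subj_hash=$(openssl x509 -in "$pem" -noout -hash 2>/dev/null); then
            echo "skipping $pem: not an X.509 certificate" >&2
            rc=1
            continue
        fi
        n=0
        while [ -e "$dest/$subj_hash.$n" ]; do
            # Identical file already present: keep it, do not add a duplicate
            cmp -s "$pem" "$dest/$subj_hash.$n" && break
            n=$((n + 1))
        done
        [ -e "$dest/$subj_hash.$n" ] || cp "$pem" "$dest/$subj_hash.$n"
        echo "$pem -> $dest/$subj_hash.$n"
    done
    return "$rc"
}

# check_capath DEST_DIR CERT_PEM
# Returns 0 when CERT_PEM chains to a CA in DEST_DIR; a non-zero result is
# the CLI equivalent of Asterisk's "Certificate did not verify".
check_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Running `check_capath /etc/asterisk/keys their-server-cert.pem` before restarting Asterisk shows whether the CA directory now covers the remote side's certificate.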