would it work if i created TLS certificates for one time using the ast_tls_cert script in order to use in 2 servers? i know that there is the “C” parameter which is related to the ip of the server! so i would just skip it. so i would be creating the CA certificate without attaching it to a specific ip.
That script doesn’t attach the CA certificate to an IP address, by default, and that wouldn’t normally be a sensible thing to do. The default CN for a a CA is “Asterisk Private CA”.
If you are talking about a server certificate, if you miss the C option, the certificate CN will default to the fully qualified domain name of the machine on which you are running the script. Both of these facts can be easily determined by examining the source code of the script.
The script already violates best security practice for the public key infrastructure. Could I suggest that if you do not fully understand how it works, you should only use it in the way it is designed to be used. We don’t know the detailed threat assessment for you system to be able to evaluate the impact of compromising security for convenience; it might be that you are better off using SIP, rather than SIPS, as there will be no false sense of security.
Using server and client in the sense used by that script, whether or not a certificate that does not match the machine using it will work will depend on how thoroughly the client authenticates the server, which is outside the control of Asterisk.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.