PJSIP trunk with TLS registration

I am trying to create a trunk of type registration between 2 Asterisk servers using TLS.

asterisk1 192.168.133.90
asterisk2 192.168.133.100

At asterisk 1: pjsip.conf

```
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt
method=tlsv1_2
require_client_cert=yes
verify_client=yes
verify_server=yes

[1234]
type=registration
; the transport section is selected by the transport option;
; the URI parameter only names the SIP transport type (tls)
transport=transport-tls
outbound_auth=1234
server_uri=sip:192.168.133.100\;transport=tls
client_uri=sip:1234@192.168.133.100\;transport=tls
retry_interval=60

[1234]
type=auth
auth_type=userpass
password=1234
username=1234

[1234]
type=aor
max_contacts=1
contact=sip:1234@192.168.133.100:5061\;transport=tls
remove_existing=no

[1234]
type=endpoint
context=phones
disallow=all
allow=gsm,ulaw,alaw
outbound_auth=1234
aors=1234

[1234]
type=identify
endpoint=1234
match=192.168.133.100
```

At asterisk 2:

I created a user with username=1234, password=1234 and transport tls, then I generated the certificates.

But I still could not figure out where I should put this certificate (at asterisk 1), and how I should pass these certificates for the user in the asterisk 1 pjsip.conf!!

any help would be appreciated

I don’t know what you mean by a user; it isn’t a term used for PJSIP configuration, except for the user fields in URIs.

The CACert should be the same on both machines. The certificate and private keys should be signed by the CACert, but should be different.


This is what I’ve done in the asterisk 2 pjsip.conf:

```
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt
method=tlsv1_2
require_client_cert=yes
verify_client=yes
verify_server=yes

[endpoint-basic](!)
type=endpoint
context=phones
disallow=all
allow=ulaw,alaw

[auth-userpass](!)
type=auth
auth_type=userpass

[aor-single-reg](!)
type=aor
max_contacts=1

;===============EXTENSION 1234
[1234](endpoint-basic)
transport=transport-tls
media_encryption=sdes
auth=auth1234
aors=1234

[auth1234](auth-userpass)
password=1234
username=1234

[1234](aor-single-reg)
```

The question is: I have the client certificate at asterisk 2, which I should pass to the trunk at asterisk 1, right?

Where should I put these certificates, and how could I pass the path of the certificates in the asterisk 1 pjsip.conf for the trunk that I defined?

A trunk will act as both client and server. Each end should have its own certificate, which should match the private key at that end. Ideally, the certificates should have a subject name that correctly identifies it, but Asterisk doesn’t check those, and it is not clear to me what subject name you would use for a SIP user agent.

Then I should generate a certificate at both ends?

So you are telling me that if I only generated the user certificates at both servers, then this trunk would be authenticated by these certs? But where should I define the path of it?

If you are talking about ast_tls_cert, the only difference between server and client is in the default common names. For a server, the -C option defaults to its address, and for a client it defaults to asterisk. I don’t believe that Asterisk checks this at run time, so for a trunk it really doesn’t matter.

The actual cert_file and priv_key_file names don’t matter. All that matters is that they contain the user agent certificate and user agent key for that machine.

The important thing is that you only specify -c and -k, to ast_tls_cert, the first time you run it, and you copy the same CA cert file to both machines.


No. You should nominate one end (or ideally a completely different machine that is kept, as far as possible, offline) as your single CA and generate the CA certificate and both user agent certificates on that machine. In the sense used by ast_tls_cert, they are both server certificates, but as you should use explicit -C options, that makes no real difference.

You should destroy the private keys on all but the machine to which they apply. (ast_tls_cert takes some liberties with security, partly because phones don’t play by the TLS key management rules properly. With the official certificate generation method, the private key would be generated on the machine to which it applied and should never leave it.)


Yes, but if I nominated one of the two servers to act as the CA, then at this server I generated the certificates.

Now I need to copy this certificate and put it at the other server.

The question is: when I need to copy the files to an IP phone, I put these certificate files at a location and then I can tell the IP phone where these TLS certificates are, because there is a parameter that asks for the certificates!
But now, in my example, I put these certificates at the other server, but then how could I inform the trunk at that server about the location of the certificate? What are the options in pjsip.conf which allow me to do that?

The options used are the same on both machines, just that different user agent certificates and keys are used:

ca_list_file or ca_list_path for the CA certificate file. cert_file for the specific machine’s user agent certificate, and priv_key_file for the specific machine’s private key file.

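The procedure the replies describe (one CA, a separate certificate per host, each private key generated on the host it belongs to, the same CA certificate copied to both machines, and the same three transport options on both ends), as an added shell example that is not part of the thread and does not use Asterisk's ast_tls_cert script. The IPs are the thread's; the working directory, the file names asterisk1.* / asterisk2.* and the CN values are assumptions. In real use steps 2 and 4 run on each Asterisk host and only the CSR and the signed certificate travel between host and CA; here everything runs in one temporary directory so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example: CA on one machine, one signed user agent certificate per host.
# Assumed: $WORK is a scratch directory standing in for both hosts and the CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 (CA machine): CA key and self-signed CA certificate. ca.crt is the
# file that becomes ca_list_file on BOTH Asterisk hosts; ca.key stays here.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 365 -sha256 \
    -subj "/CN=asterisk-lab-ca" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2 (each Asterisk host): the private key is generated locally and never
# leaves the host; only the CSR goes to the CA.  $1 = host label, $2 = CN.
make_csr() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" \
    -out "$WORK/$1.csr" 2>/dev/null
}

# Step 3 (CA machine): sign the CSR; the resulting $1.crt is that host's cert_file.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# Step 4a (each host): the certificate must chain to the shared CA certificate,
# otherwise the peer's verify_server/verify_client will reject the handshake.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Step 4b (each host): cert_file and priv_key_file must belong together.
# Compare the public key embedded in the cert with the one derived from the key.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Step 5: the transport section is identical on both hosts apart from which
# certificate and key it points at. $1 = host label (paths assumed).
transport_section() {
  cat <<EOF
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/$1.crt
priv_key_file=/etc/asterisk/keys/$1.key
ca_list_file=/etc/asterisk/keys/ca.crt
method=tlsv1_2
verify_server=yes
verify_client=yes
require_client_cert=yes
EOF
}

# Run the whole flow for the two hosts from the thread; returns non-zero if
# either host's files would not pass the step 4 checks.
demo() {
  make_ca
  make_csr asterisk1 192.168.133.90
  make_csr asterisk2 192.168.133.100
  sign_csr asterisk1
  sign_csr asterisk2
  chains_to_ca "$WORK/asterisk1.crt" && chains_to_ca "$WORK/asterisk2.crt" &&
    cert_matches_key "$WORK/asterisk1.crt" "$WORK/asterisk1.key" &&
    cert_matches_key "$WORK/asterisk2.crt" "$WORK/asterisk2.key"
}
```

After `demo`, each host's `$1.crt`, `$1.key` and the shared `ca.crt` are copied into /etc/asterisk/keys on that host only, and `transport_section asterisk1` / `transport_section asterisk2` print the matching transport block; the two step 4 checks are what to run first when a TLS registration fails with a certificate error, since a certificate that does not chain to the peer's ca_list_file, or a cert_file paired with the wrong priv_key_file, are the two most common causes.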