A trunk will act as both client and server. Each end should have its own certificate, which should match the private key at that end. Ideally, the certificates should have a subject name that correctly identifies it, but Asterisk doesn’t check those, and it is not clear to me what subject name you would use for a SIP user agent.
If you are talking about ast_tls_cert, the only difference between server and client is in the default common names. For a server, the -C option defaults to its address, and for a client it defaults to asterisk. I don’t believe that Asterisk checks this at run time, so for a trunk it really doesn’t matter.
The actual cert_file and priv_key_file names don’t matter. All that matters is that they contain the user agent certificate and user agent key for that machine.
The important thing is that you only specify -c and -k to ast_tls_cert the first time you run it, and you copy the same CA cert file to both machines.
No. You should nominate one end (or, ideally, a completely different machine that is kept as far as possible offline) as your single CA and generate the CA certificate and both user agent certificates on that machine. In the sense used by ast_tls_cert, they are both server certificates, but as you should use explicit -C options, that makes no real difference.
You should destroy the private keys on all but the machine to which they apply. (ast_tls_cert takes some liberties with security, partly because phones don’t play by the TLS key management rules properly. With the official certificate generation method, the private key would be generated on the machine to which it applied and should never leave it.)
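The single-CA procedure described in this reply, as an added example that is not from the thread or from Asterisk's ast_tls_cert: plain openssl generates the CA and both user agent certificates on the CA machine, and the helpers check each end's certificate against the CA and its key before that key is shipped to its end and removed from the CA directory. The names trunk-ca, pbx-a and pbx-b are assumptions.

```shell
#!/bin/sh
# Added example (not ast_tls_cert or anything from the thread): the single-CA
# workflow described above done with plain openssl. Assumes openssl is on PATH
# and that the two ends are called pbx-a and pbx-b (hypothetical names).
set -e

# Create the CA and one signed user-agent certificate per trunk end in $1.
# Common names are set explicitly, as the thread recommends doing with -C.
make_trunk_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA key and self-signed CA cert; the CA key never leaves this machine.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=trunk-ca" 2>/dev/null
    for end in pbx-a pbx-b; do
        # User-agent key and CSR, then a certificate signed by the CA above.
        openssl req -newkey rsa:2048 -nodes -keyout "$dir/$end.key" \
            -out "$dir/$end.csr" -subj "/CN=$end" 2>/dev/null
        openssl x509 -req -in "$dir/$end.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 825 -out "$dir/$end.crt" 2>/dev/null
        rm -f "$dir/$end.csr"
    done
}

# Check one end's material: the cert chains to our CA and its public key
# matches the private key that will sit beside it (the thread's "should match").
check_ua_cert() {
    dir=$1; end=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$end.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/$end.crt")
    key_pub=$(openssl pkey -pubout -in "$dir/$end.key" 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Stage what one end needs (its cert, its key, the shared ca.crt) in $3 and
# delete that end's key from the CA directory so only one copy remains.
# (rm is not secure erasure; on real media use the platform's wipe tool.)
ship_to_end() {
    dir=$1; end=$2; dest=$3
    mkdir -p "$dest"
    cp "$dir/$end.crt" "$dir/$end.key" "$dir/ca.crt" "$dest/"
    rm -f "$dir/$end.key"
}
```

After ship_to_end, the staged directory holds exactly the three files that end's TLS transport needs: its own certificate, its own private key, and the CA certificate shared by both ends.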
Yes, but if I nominated one of the two servers to act as a CA, then at this server I generated the certificates.
Now I need to copy this certificate and put it at the other server.
The question is: when I need to copy the files to an IP phone, I put these certificate files at a location and then I can tell this IP phone where these TLS certificates are, because there is a parameter that asks for the certificates!
But now, in my example, I put these certificates at the other server; then how could I inform the trunk at that server about the location of the certificate? What are the options in pjsip.conf which allow me to do that?