Certification for SIP 5061

omarara · July 4, 2018, 8:39pm

Hello,
We have a VoipSwitch server and a SIP dialer and we want to use tls connection that requires a certificate , Service provider gave us tutorial for this which includes this command “makecert.exe -r -pe -n “CN=VPS” -sky exchange -ss my” apparently this is a self-signed certificate which is being refused from our dialer side because it is un-trusted
Now we need an approved CA certificate or any trusted one , i check and found almost all documentation is about web-site certificates using common http and https ports which we won’t use
can someone help us for this to have a certificate that matchs the one from the command up there ?

_az · July 4, 2018, 11:17pm

Let’s Encrypt certificates aren’t application-specific. (Technically they are limited by their key usage constraints, but any certificate suitable for HTTPS would also be suitable for VoipSwitch).

As long as the CN is a valid FQDN on the internet (CN=VPS is not …), then any WebPKI CA (including Let’s Encrypt) should be able to issue a certificate for you.

The tricky bit is usually solving the domain validation step. You need to prove you control the domain you want to appear on the certificate. You can do this either by the HTTP challenge (serving a challenge response over port 80), or via the DNS challenge (deploy a DNS record to your domain). And you need to automatically do this every 60-90 days.

So for example,

# Certbot can listen on port 80 and perform the HTTP validation
certbot certonly -d voip.example.org -a standalone

or

# You can manually (by-hand) perform the validation
certbot certonly -d voip.example.org -a manual --preferred-challenges dns

or

# acme.sh can automatically perform DNS validation using e.g. Route53
acme.sh --issue --dns dns_aws -d voip.example.org

There are a tonne of different combinations you can use, it depends what is suitable in your environment.

Another aspect is that Let’s Encrypt certificates only have a 90 day validity. If VoipSwitch does not have an easy way to gracefully reload the TLS listener’s certificate, then you may need to either suffer downtime when reloading the certificate, or perhaps you should go for a longer-duration (e.g. 3 year) commercial certificate.

jared.m · July 5, 2018, 12:14am

I believe the maximum duration for publicly-trusted certificates is now two years, per baseline requirements. Well, 825 days to be exact.

system · August 4, 2018, 12:14am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.