CAcert.org

Introduction

CAcert.org is a community driven Certificate Authority that issues certificates to the public at large for free. CAcert.org provides Certificate Authority services for server, client and code-signing certificates.

This page outlines the steps necessary to use a CAcert.org server certificate for use with sipX.

The two pages on CAcert.org describing the process of obtaining server certificates are:

Join CAcert.org

First, you will need an account with CAcert.org. Go here.

Add the desired domain name to your account

In order to be able to submit certificates for a specific domain name, you will need to link that domain name to your account. This process is simple and only involves a verification ("ping") email sent to your registered address, assuming, of course, that the domain name has not already been assigned to another CAcert.org account. To link a domain to your account, go here.

Collect CAcert.org WoT points (optional)

Optionally, you should collect at least 50 points in the CAcert.org Web of Trust (WoT) programme. This allows you to issue server certificates with a validity of 2 years. See under "Find an assurer" on the CAcert.org website if you do not know someone who can assure you. Local computer user groups are usually a good place to find CAcert.org assurers who can verify your identity and award you the necessary points. The maximum number of points an assurer can currently award is 35, so you need at least two assurers to reach 50 points. The CAcert.org Wiki has plenty of information about the WoT process.

Configure sipX with a certificate signed by CAcert.org

Fetch the CAcert.org root certificates

The CAcert.org root certificates are used to verify the sipX certificate we will create in the steps below. Root certificates are stored in /etc/sipxpbx/ssl/authorities. They are referred to by hashed file names so that OpenSSL can look them up quickly; the hash links for the root certificates are generated when you first start sipX.

cd /etc/sipxpbx/ssl/authorities
wget http://www.cacert.org/certs/root.crt -O cacert.org-root.crt
wget http://www.cacert.org/certs/class3.crt -O cacert.org-class3.crt

Create private key and certificate signing request (CSR)

Now we need a private key for sipX. We first create some random data for the key generation process.
Instead of /dev/urandom you can also use /dev/random. /dev/random is a lot slower, however, so it will take more time to gather the random data.

cd /etc/sipxpbx/ssl
dd if=/dev/urandom of=.rnd bs=1 count=1024

Create the private key. It is important not to specify -des3 on the following line: the private key will then not be encrypted with a passphrase, which allows sipX to start unattended.

openssl genrsa -rand .rnd -out ssl.key 1024

The next step creates the certificate signing request (CSR) that we will submit to CAcert.org. The CSR is tied to the newly created private key.

openssl req -new -key ssl.key -out ssl.csr

Note: make sure you enter the fully qualified host name (FQHN) of the sipX server at the following prompt:

Common Name (eg, YOUR name) []: sipx.yourdomain.tld

The generated CSR will now be in ssl.csr. Verify the contents of the CSR before submitting it.

openssl req -in ssl.csr -text

Submit CSR and install certificate

Copy all the text (including the tag lines -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----) from ssl.csr:

cat ssl.csr

Now go to Server Certificates - New, paste the text from ssl.csr into the input box and submit the form. The next page shows the signed certificate. Shortly after you submit the CSR you will also receive the certificate via email.

Copy and paste the text from the browser window (including the tag lines) into a new file /etc/sipxpbx/ssl/ssl.crt.

Set permissions

chmod 444 ssl.crt
chmod 400 ssl.key
chown sipx:sipx ssl.crt
chown sipx:root ssl.key

Start sipXpbx

The next time you start sipXpbx, a number of files are generated. Check for the following:

Files in /etc/sipxpbx/ssl

The .md5 checksum files as well as the Java keystore and .ssl.p12 are (re-)generated by the sipxconfig.sh start script.

-rw-r--r--   1 sipx sipx   33 Jul 30 19:10 .authorities-contents.md5
-rw-------   1 sipx sipx 4673 Jul 30 19:10 .authorities.jks
-rw-r--r--   1 root root    0 Jul 20 23:36 .keep
-rw-r--r--   1 root root 2048 Jul 30 16:45 .rnd
-rw-r--r--   1 sipx sipx 1707 Jul 30 19:10 .ssl.keystore
-rw-r--r--   1 sipx sipx   33 Jul 30 19:10 .ssl.keystore-contents.md5
-rw-r--r--   1 sipx sipx 2143 Jul 30 19:10 .ssl.p12
drwxr-xr-x   2 root sipx 1024 Jul 30 19:07 authorities
-r--r--r--   1 sipx sipx 3799 Jul 30 18:57 ssl.crt
-rw-r--r--   1 root root 1041 Jul 30 16:49 ssl.csr
-r--------   1 sipx root  891 Jul 30 18:57 ssl.key

Files in /etc/sipxpbx/ssl/authorities

The certificate filename hashes are generated by the /etc/init.d/sipxpbx initscript.

lrwxrwxrwx  1 root root   19 Jul 30 18:57 5ed36f99.0 -> cacert.org-root.crt
-rw-r--r--  1 root root 2151 Oct 14  2005 cacert.org-class3.crt
-rw-r--r--  1 root root 2569 Oct 11  2004 cacert.org-root.crt
lrwxrwxrwx  1 root root   21 Jul 30 18:57 e5662767.0 -> cacert.org-class3.crt
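The following script is an added example, not part of sipX or of the original page. It reproduces what the init script does for the authorities directory (the hash links shown in the listing above) and then checks the installed ssl.key, ssl.crt and root certificates against each other. The directory paths are parameters, so it can be run against /etc/sipxpbx/ssl or a copy of it; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not sipX project code): sanity checks for the sipX SSL
# directory layout described above. Paths are parameters rather than the
# fixed /etc/sipxpbx/ssl so the script can also be run against a copy.
#
# rehash_authorities DIR
#   Create the <subject-hash>.0 symlink for every *.crt in DIR, which is
#   what the init script does for /etc/sipxpbx/ssl/authorities.
#   (If two certificates share a subject hash, OpenSSL expects .1, .2, ...;
#   this simple version only handles the common .0 case.)
rehash_authorities() {
    cadir=$1
    for ca in "$cadir"/*.crt; do
        h=$(openssl x509 -in "$ca" -subject_hash -noout) || return 1
        # Relative link, as in the listing (5ed36f99.0 -> cacert.org-root.crt).
        ln -sf "$(basename "$ca")" "$cadir/$h.0"
    done
}

# check_sipx_ssl SSLDIR CADIR
#   1. ssl.key and ssl.crt carry the same public key;
#   2. every CA certificate in CADIR has its hash link, so -CApath lookups work;
#   3. ssl.crt chains to a CA certificate in CADIR.
#   Prints one line per check; returns non-zero at the first failure.
check_sipx_ssl() {
    ssldir=$1
    cadir=$2
    keypub=$(openssl rsa -in "$ssldir/ssl.key" -pubout 2>/dev/null) \
        || { echo "cannot read $ssldir/ssl.key"; return 1; }
    crtpub=$(openssl x509 -in "$ssldir/ssl.crt" -pubkey -noout 2>/dev/null) \
        || { echo "cannot read $ssldir/ssl.crt"; return 1; }
    [ "$keypub" = "$crtpub" ] || { echo "ssl.key does not match ssl.crt"; return 1; }
    echo "key/cert match: ok"
    for ca in "$cadir"/*.crt; do
        h=$(openssl x509 -in "$ca" -subject_hash -noout)
        [ -e "$cadir/$h.0" ] || { echo "missing hash link $h.0 -> $(basename "$ca")"; return 1; }
    done
    echo "hash links: ok"
    # Same lookup mechanism sipX's OpenSSL uses: directory of hash-named links.
    openssl verify -CApath "$cadir" "$ssldir/ssl.crt" >/dev/null 2>&1 \
        || { echo "ssl.crt does not verify against $cadir"; return 1; }
    echo "chain: ok"
}

# Usage on a sipX host (as root, after the steps above):
#   rehash_authorities /etc/sipxpbx/ssl/authorities
#   check_sipx_ssl /etc/sipxpbx/ssl /etc/sipxpbx/ssl/authorities
```

A failure in the first check usually means ssl.crt was pasted from a different CSR than the one generated from ssl.key; a failure in the third means the signing root is not in the authorities directory.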