Generating TLS certificates (win32)

From FreeSWITCH Wiki
Jump to: navigation, search

(This is a temporary solution for Windows users until an automatic script is available)

Creating new CA and certificate

  • OpenSSL is built with FreeSWITCH - no additional files needed for setup.
  • Create a CA directory under freeswitch/conf/ssl called CA:
mkdir “c:\program files\freeswitch\conf\ssl\CA”
  • Create two temporary files in this new directory:

c:\program files\freeswitch\conf\ssl\CA\tmpfile1.cfg

[ req ]
default_bits            = 1024
prompt                  = no
distinguished_name      = req_dn

[ req_dn ]
commonName              = FreesSWITCH CA
organizationName	= FreeSWITCH

[ ext ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

c:\program files\freeswitch\conf\ssl\CA\tmpfile2.cfg

[ req ]
default_bits            = 1024
prompt                  = no
distinguished_name      = req_dn

[ req_dn ]
commonName              = FreesSWITCH CA
organizationName	= FreeSWITCH

[ ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=DNS:test.freeswitch.org
  • To set up new CA certificate, run these commands under this new directory (chdir "c:\program files\freeswitch\conf\ssl\CA"):
..\..\..\openssl req -new -out "careq.pem" -newkey rsa:1024 -keyout "cakey.pem" -config "tmpfile1.cfg" -nodes -sha1
..\..\..\openssl x509 -req -signkey "cakey.pem" -in "careq.pem" -out "cacert.pem" -extfile "tmpfile1.cfg" -extensions ext -days 365 -sha1
  • To generate a certificate, run this under the same directory:
..\..\..\openssl req -new -out "tmpfile2.req" -newkey rsa:1024 -keyout "tmpfile3.key" -config "tmpfile2.cfg" -nodes -sha1
..\..\..\openssl x509 -req -CAkey "cakey.pem" -CA "cacert.pem" -CAcreateserial -in "tmpfile2.req" -out "tmpfile3.crt" -extfile "tmpfile2.cfg" -extensions ext -days 365 -sha1
  • Move the final certificates in their final position:
copy cacert.pem ..\cafile.pem
copy tmpfile3.* ..\agent.pem
  • Erase all the temporary files:
del tmpfile*.*

Removing the CA

To remove the CA, just delete the CA directory:

rmdir /s /q "c:\program files\freeswitch\conf\ssl\CA"

Customization

You might consider changing these according to your settings:

commonName		=FreesSWITCH CA	customize your own CA name
organizationName	=FreeSWITCH	Put your own organization name
subjectAltName		=DNS:test.freeswitch.org	Your own DNS
copy tmpfile3.* ..\agent.pem	depending on the certificate name you need