I am trying to deploy a setup where my extensions need to have a child TLS Certificate. If it does not have, it wont connect or can not do any call.
With Lets Encrypt, I didnt figure out how to generate child certificates. I have a wildcard valid, and I did import successfully to my freepbx. I am using it with WebRTC. Now, I dont know how to create, and how I can revoke these child certificates. Is it possible this cenario with Freepbx? Shell?
WebRTC was just a proof of concept that my TLS is working in my Freepbx. But, I need to use TLS x SIP (or PJSIP), and I want to allow sip connections only who has a valid tls connection (with the child certificate) and I want to have control of these certificates revoking the fired workers. Do you have some suggestion?
Issue and deploy a cert for sub.sub.your.domain.whatever , no ?
you can revoke and reissue up to 5 times a week with LE, the howto will be acme client dependent
You should check the server certâs validity, which is a good thing, you can also check the client has a valid cert installed but that is a PITA and needs a lot more âhands onâ
I would note that revoking is not the same as just deleting a cert, that will get you into a âtricky placeâ between your firees and your good-faith users
Perhaps client certificates would be a better choice here. There is no need to involve a commercial CA, you can revoke one by moving it out of the keys directory and later unrevoke it if needed, for example if a âstolenâ phone is later found.
Unrevoking is not a concept with certificates, if there is one bad egg, then everything smells and the ramifications of not revoking could be huge, remember the guy got fired, revoke, re-issue, and have the goodguys requalify. If you have to do that every two days it works but fire your HR department for being incompetent , otherwise an orderly 60 day regime is fine and to my knowledge nobody has bitched about that.
But yes, a good question, does the FPBX acme client provide for orderly revocation? It should.
You really shouldnât accept a mere passing grade âwork aroundâ here.
That should be fixed IMHO, even good old certbot can do that.
As you likely know , acme.sh doesnât need privilege elevation , has all the hooks you need, can revoke, do dns-01trivially for 90%+ of users here and you can run it as asterisk, it would be a nice fit and add function easily.
You are 100% correct, but there is always a trade-off between convenience and security. If someone reported their phone stolen but later found it in his bathroom, I would likely decide that it was extremely implausible that the thief broke into his house unnoticed and returned the phone. I would just re-enable the cert.
I wasnât aware that FreePBX could issue and distribute individual client certificates , if you wanted to do that then I suggest HAPROXY and one sub-domain per extension, it would get quite unwieldy though and reinstalling on every phone every 60 days no matter where and what they are an even more daunting taskâŚ