Certificates (TLS) and Child Certificates

Hi friends!

I am trying to deploy a setup where my extensions need to have a child TLS certificate. If an extension does not have one, it won't connect or cannot make any call.

With Let's Encrypt, I didn't figure out how to generate child certificates. I have a valid wildcard, and I imported it successfully into my FreePBX. I am using it with WebRTC. Now, I don't know how to create, or how I can revoke, these child certificates. Is this scenario possible with FreePBX? Shell?


I think you will find that SIP-TLS (WebRTC) won't honor a wildcard/SAN/Subject Alternative Name certificate.

WebRTC was just a proof of concept that my TLS is working in my FreePBX. But I need to use TLS with SIP (or PJSIP), and I want to allow SIP connections only from those who have a valid TLS connection (with the child certificate), and I want to have control of these certificates, revoking the fired workers'. Do you have any suggestion?

Issue and deploy a cert for sub.sub.your.domain.whatever, no?

You can revoke and reissue up to 5 times a week with LE; the how-to will be ACME-client dependent.

You should check the server cert's validity, which is a good thing; you can also check that the client has a valid cert installed, but that is a PITA and needs a lot more 'hands on'.

I would note that revoking is not the same as just deleting a cert; that will get you into a 'tricky place' between your firees and your good-faith users.

Perhaps client certificates would be a better choice here. There is no need to involve a commercial CA, you can revoke one by moving it out of the keys directory and later unrevoke it if needed, for example if a “stolen” phone is later found.

Unfortunately, I don’t know to what extent this is supported by FreePBX, and whether manual config file edits can deal with any shortfall.

Unrevoking is not a concept with certificates. If there is one bad egg, then everything smells, and the ramifications of not revoking could be huge. Remember the guy got fired: revoke, re-issue, and have the good guys requalify. If you have to do that every two days it works, but fire your HR department for being incompetent; otherwise an orderly 60 day regime is fine, and to my knowledge nobody has bitched about that.

But yes, a good question, does the FPBX acme client provide for orderly revocation? It should.

You really shouldn’t accept a mere passing grade ‘work around’ here.
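The two posts above argue for real revocation of per-user client certificates rather than just deleting files. As an added example (not FreePBX or Asterisk code, and not something the thread's participants posted), the script below shows what that looks like at the openssl level: a private CA for the PBX, one client certificate per extension, revocation recorded in a CRL, and a verification step that rejects the revoked certificate while leaving the other extensions untouched. The CA name, extension numbers (1001, 1002) and directory layout are all constructed for the example.

```shell
#!/bin/sh
# Added example (not FreePBX/Asterisk code): a tiny private CA that issues one
# client certificate per extension and revokes it through a CRL, using only
# the openssl CLI. CA name, extension numbers and paths are constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch directory; override with WORK=/path
CA_DIR="$WORK/ca"

# Publish a fresh CRL from the CA database (called after every revocation).
refresh_crl() {
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Create the CA: key, self-signed root, and the bookkeeping files openssl ca needs.
setup_ca() {
  mkdir -p "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"
  echo 1000 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = pbx_ca
[ pbx_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 60
default_crl_days = 7
policy           = policy_cn_only
x509_extensions  = client_ext
[ policy_cn_only ]
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example PBX Client CA" -config "$CA_DIR/openssl.cnf" \
    -extensions ca_ext -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
  refresh_crl
}

# Issue a client certificate for one extension (CN=ext-<number>), 60 days validity.
issue_client_cert() {
  ext=$1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ext-$ext" \
    -config "$CA_DIR/openssl.cnf" -keyout "$WORK/$ext.key" -out "$WORK/$ext.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
    -in "$WORK/$ext.csr" -out "$WORK/$ext.crt" 2>/dev/null
}

# Revoke one extension's certificate and publish a new CRL. The reason code
# defaults to affiliationChanged (the "fired worker" case from the thread).
revoke_client_cert() {
  openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$WORK/$1.crt" \
    -crl_reason "${2:-affiliationChanged}" 2>/dev/null
  refresh_crl
}

# What a CRL-aware verifier would conclude for an extension: "valid" or "rejected".
cert_status() {
  if openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/crl.pem" \
       "$WORK/$1.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

setup_ca
issue_client_cert 1001
issue_client_cert 1002
echo "ext 1001 before revocation: $(cert_status 1001)"
revoke_client_cert 1001
echo "ext 1001 after revocation:  $(cert_status 1001)"
echo "ext 1002 unaffected:        $(cert_status 1002)"
```

The point of the `cert_status` step is the one made above: revocation is a statement the CA publishes (the CRL), not the absence of a file, so a verifier that checks the CRL rejects 1001 the moment it is revoked while 1002 keeps working. Asterisk's PJSIP TLS transport has `ca_list_file`, `verify_client=yes` and `require_client_cert=yes` options for pointing it at a CA like this one and demanding a client certificate; whether a given Asterisk or FreePBX build also consults a CRL is not something this thread establishes, so that is the part to test before relying on it.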

No. Not even in the underlying lescript.php library in use.

That should be fixed IMHO, even good old certbot can do that.

As you likely know, acme.sh doesn't need privilege elevation, has all the hooks you need, can revoke, does dns-01 trivially for 90%+ of users here, and you can run it as asterisk; it would be a nice fit and add function easily.

You are 100% correct, but there is always a trade-off between convenience and security. If someone reported their phone stolen but later found it in his bathroom, I would likely decide that it was extremely implausible that the thief broke into his house unnoticed and returned the phone. I would just re-enable the cert.

That might make sense if you only had one phone/user, maybe your other users don’t want to wait until the missing phone is found though.

Someone might have an acme.sh backed certman module on their dev machine, but no point in a PR until extra functionality is cleaned up.


Huh? Isn't the whole idea of client certs that each user is issued his own and it can be disabled without affecting others?

(hehe, and certificate issuance is no longer firewall-port-flopping dependent :) )

I wasn't aware that FreePBX could issue and distribute individual client certificates. If you wanted to do that, then I suggest HAProxy and one sub-domain per extension; it would get quite unwieldy though, and reinstalling on every phone every 60 days, no matter where and what they are, is an even more daunting task…
