Certificates (TLS) and Child Certificates


#1

Hi friends!

I am trying to deploy a setup where my extensions need to have a child TLS certificate. If they do not have one, they won't connect or can't make any calls.

With Let's Encrypt, I didn't figure out how to generate child certificates. I have a valid wildcard, and I imported it successfully into my FreePBX. I am using it with WebRTC. Now, I don't know how to create these child certificates, nor how I can revoke them. Is this scenario possible with FreePBX? Shell?

Thanks,
Denilson


#2

I think you will find that SIP-TLS (WebRTC) won't honor a wildcard/SAN (Subject Alternative Name) certificate.


#3

WebRTC was just a proof of concept that my TLS is working in my FreePBX. But I need to use TLS with SIP (or PJSIP), and I want to allow SIP connections only from clients that have a valid TLS connection (with the child certificate), and I want to have control of these certificates, revoking those of fired workers. Do you have any suggestion?


#4

Issue and deploy a cert for sub.sub.your.domain.whatever, no?

You can revoke and reissue up to 5 times a week with LE; the how-to will be ACME-client dependent.

You should check the server cert's validity, which is a good thing. You can also check that the client has a valid cert installed, but that is a PITA and needs a lot more 'hands on'.

I would note that revoking is not the same as just deleting a cert; that will get you into a 'tricky place' between your firees and your good-faith users.


#5

Perhaps client certificates would be a better choice here. There is no need to involve a commercial CA, you can revoke one by moving it out of the keys directory and later unrevoke it if needed, for example if a “stolen” phone is later found.

Unfortunately, I don’t know to what extent this is supported by FreePBX, and whether manual config file edits can deal with any shortfall.
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial


#6

Unrevoking is not a concept with certificates. If there is one bad egg, then everything smells, and the ramifications of not revoking could be huge. Remember the guy got fired: revoke, re-issue, and have the good guys requalify. If you have to do that every two days it works, but fire your HR department for being incompetent; otherwise an orderly 60-day regime is fine, and to my knowledge nobody has bitched about that.

But yes, a good question, does the FPBX acme client provide for orderly revocation? It should.

You really shouldn’t accept a mere passing grade ‘work around’ here.
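As an added example (not code from this thread, FreePBX or Asterisk), the script below builds the private client CA that post #5 describes, issues one certificate per extension, and revokes through a CRL, which is the distinction posts #4 and #6 draw between revoking a cert and merely deleting it. Everything under `CA_DIR`, the CA name and the extension numbers 1001/1002 are constructed for the demo; the only assumption is that the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread, FreePBX or Asterisk): a private CA that
# issues one client certificate per extension and revokes through a CRL.
# CA_DIR contents, the CA name and extensions 1001/1002 are constructed values.
set -e

CA_DIR="${CA_DIR:-$(mktemp -d)}"
CNF="$CA_DIR/openssl.cnf"

# Minimal config for `openssl req`/`openssl ca`: 60-day client certs, weekly CRL
# (demo choices, not FreePBX defaults).
write_config() {
  mkdir -p "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  echo 01 > "$CA_DIR/crlnumber"
  cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir    = $CA_DIR/newcerts
database         = $CA_DIR/index.txt
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
certificate      = $CA_DIR/ca.crt
private_key      = $CA_DIR/ca.key
default_md       = sha256
default_days     = 60
default_crl_days = 7
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Publish the CRL and rebuild the trust bundle (CA cert + CRL) that verifiers load.
publish_crl() {
  openssl ca -config "$CNF" -gencrl -out "$CA_DIR/ca.crl" >/dev/null 2>&1
  cat "$CA_DIR/ca.crt" "$CA_DIR/ca.crl" > "$CA_DIR/trust.pem"
}

make_ca() {
  write_config
  openssl req -x509 -config "$CNF" -extensions ca_ext -days 365 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
    -subj "/CN=Demo PBX client CA" >/dev/null 2>&1
  publish_crl   # an (empty) CRL must exist before the first -crl_check
}

# Issue a client certificate whose CN is the extension number.
issue_cert() {
  openssl req -new -config "$CNF" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl ca -batch -notext -config "$CNF" \
    -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Real revocation: flag the serial in the CA database, then re-publish the CRL.
revoke_cert() {
  openssl ca -config "$CNF" -revoke "$1" >/dev/null 2>&1
  publish_crl
}

# What a relying party sees for a given cert file: valid, revoked or invalid.
cert_status() {
  out=$(openssl verify -crl_check -CAfile "$CA_DIR/trust.pem" "$1" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo invalid ;;
  esac
}

# Demo: extension 1002's cert is "deleted", but a copy survives on a lost phone.
make_ca
issue_cert 1001
issue_cert 1002
cp "$CA_DIR/1002.crt" "$CA_DIR/1002-on-lost-phone.crt"
rm "$CA_DIR/1002.crt" "$CA_DIR/1002.key"
echo "1001:                  $(cert_status "$CA_DIR/1001.crt")"                # valid
echo "1002 after deletion:   $(cert_status "$CA_DIR/1002-on-lost-phone.crt")"  # valid
revoke_cert "$CA_DIR/1002-on-lost-phone.crt"
echo "1002 after revocation: $(cert_status "$CA_DIR/1002-on-lost-phone.crt")"  # revoked
```

The point the demo makes is the one in posts #4 and #6: removing the file from the keys directory changes nothing for a copy that already sits on a lost or "fired" phone, whereas an entry on a published CRL makes every verifier refuse it. In practice `trust.pem` (CA cert plus current CRL) is what the TLS listener would be given as its CA bundle, and `publish_crl` has to run again after every revocation and before `default_crl_days` expires; whether the FreePBX TLS settings can be pointed at such a bundle is the open question the thread raises.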


#7

No. Not even in the underlying lescript.php library in use.


#8

That should be fixed IMHO, even good old certbot can do that.

As you likely know, acme.sh doesn't need privilege elevation, has all the hooks you need, can revoke, does dns-01 trivially for 90%+ of users here, and you can run it as asterisk; it would be a nice fit and add function easily.


#9

You are 100% correct, but there is always a trade-off between convenience and security. If someone reported their phone stolen but later found it in his bathroom, I would likely decide that it was extremely implausible that the thief broke into his house unnoticed and returned the phone. I would just re-enable the cert.


#10

That might make sense if you only had one phone/user, maybe your other users don’t want to wait until the missing phone is found though.


#11

Someone might have an acme.sh backed certman module on their dev machine, but no point in a PR until extra functionality is cleaned up.


#12

Huh? Isn't the whole idea of client certs that each user is issued his own and it can be disabled without affecting others?


#13

(hehe, and Certificate issuance no longer firewall port flopping dependent :slight_smile: )


#14

I wasn't aware that FreePBX could issue and distribute individual client certificates. If you wanted to do that, then I suggest HAProxy and one sub-domain per extension; it would get quite unwieldy though, and reinstalling on every phone every 60 days, no matter where and what they are, is an even more daunting task…