I’m trying to connect phones from the internet securely. I have Yealink phones and read the topic Yealink / FreePBX / SIP / TLS, where it was said that I also need a certificate for each phone.
At first I tried to use a self-signed certificate but without any success, and decided to use Let’s Encrypt.
But when I successfully went through the process I found several files in the /etc/asterisk/keys/ directory:

/etc/asterisk/keys/
-----------------------------
_account
api_oauth.key
api_oauth_public.key
integration
pbx.example.org
pbx.example.org-ca-bundle.crt
pbx.example.org.crt
pbx.example.org-fullchain.crt
pbx.example.org-fullchain.key
pbx.example.org-fullchain.pem
pbx.example.org.key
pbx.example.org.pem

It confused me a little bit.
As I understood from the Let’s Encrypt documentation, some files are used for certificate updating and some for the secure connection.
Can someone explain to me which files I should use to generate client keys?
I don’t think you mean client keys; basically you don’t need any files to create private and public keys; they are inputs to the LE process, not outputs.
To do this properly, FreePBX should take no part in either the key or certificate generation process for the phone.
The documentation seems to suggest that the phones come with keys and certificates, with Yealink being the signer for the certificate.
Note that the documentation uses client and server in the correct SIP and TLS senses, not in the way that client is often used to mean phone here. In the description of how device certificates are used, Asterisk is the client.
If using Let’s Encrypt, you should use none of them. You should use Let’s Encrypt’s CA for the Trusted certifier; you should either create the public and private keys from first principles, derive the .csr from those, and use it to get a certificate from Let’s Encrypt, or you should use the built-in Yealink ones and add Yealink’s CA certificate to Asterisk’s list of trusted certifiers.
There may be some details regarding having the full chain back to LE’s root CA.
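An added helper (not from this thread or from FreePBX) that does the checks the reply above describes: it tells which of the files in /etc/asterisk/keys/ hold keys, leaf certificates or chains, confirms a key belongs to a certificate, verifies a certificate against a CA bundle, and creates a fresh key plus CSR for a phone. It assumes the openssl CLI is installed; all paths and names are illustrative.

```shell
#!/bin/sh
# Added example, not the thread's or FreePBX's own code. Assumes the openssl
# CLI; file and host names are illustrative.

# Count certificate and private-key blocks in a PEM file, e.g. "certs=2 keys=0"
# for a fullchain file and "certs=0 keys=1" for a .key file.
pem_summary() {
  certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
  keys=$(grep -c -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" || true)
  echo "certs=$certs keys=$keys"
}

# Subject and issuer of the first certificate in a file: a leaf issued by
# Let's Encrypt names the Let's Encrypt intermediate as issuer, a CA
# certificate names itself.
cert_names() {
  openssl x509 -in "$1" -noout -subject -issuer
}

# True when the private key in $2 matches the certificate in $1 (compares the
# SHA-256 of the DER-encoded public keys).
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when certificate $1 chains to a CA in bundle $2, which is what Asterisk
# must be able to do for a phone certificate against its trusted certifiers.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Generate a new RSA key and CSR for a phone named $1 into directory $2; only
# the CSR goes to the CA for signing, the key stays with the phone.
make_phone_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.csr" >/dev/null 2>&1 \
    && openssl req -in "$2/$1.csr" -noout -verify >/dev/null 2>&1
}

# Usage: sh keys.sh /etc/asterisk/keys/pbx.example.org*
for f in "$@"; do
  printf '%s: %s\n' "$f" "$(pem_summary "$f")"
done
```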
Thank you for reply!
But I didn’t understand what exactly I have to do.
Where can I get a Yealink CA certificate? And how can I tell which phone is connected?
You’d have to ask Yealink. It might be that the only way is to extract it from the phone, or it might be that it is only a useful option for Yealink direct to Yealink sessions.
As a general point, you don’t seem to understand how Public Key Infrastructure works, and if you need security, that is dangerous. I’m not going to spend the time to try and come up with a definitive process, and you should not really trust security processes obtained from a forum, like this, in any case, but you probably need a consultant who does understand how PKI works.
If you want to use Let’s Encrypt, I suspect you may have to turn off authentication at the Asterisk side and install the Let’s Encrypt certificates on the phone, although they may already be there. You will need to configure the phone with the domain name used to obtain the Asterisk Let’s Encrypt certificates, not the corresponding IP address, for it to be able to authenticate Asterisk.
Using a corporate CA (which is what is really meant by self-signed in FreePBX; it is the certifier’s that is self-signed, not the one installed in the device) is probably the best option for highest security, although best practice would be to not generate the certificates on the FreePBX machine, but on a dedicated machine, with a security air gap. In particular, the private key for the certifier should never exist on any machine that is accessible remotely, at any time.