SIP Trunk with TLS

Hello, I’m trying to set up a TLS trunk to my FreePBX 13 from a new VoIP service provider.
I’m new to the TLS thing and wanted to see if someone can point me to the right path.
My FreePBX is behind our Fortigate and it is just pointing out to the service provider’s IP address.
I have read some information and it doesn’t seem clear to me.

My setup is basically all chan_sip on 5060 for my extensions, and we are going to connect to a VoIP SIP trunk provider over TLS on the default 5061.
I have seen some configurations in some threads in the Community but I’m lost.
The provider has already given me the SSL and root certificates from their side and I have already copied them to the /etc/sst/certificate/ folder.
Do I need to make a certificate on the PBX and send it to my new VoIP SIP trunk provider, or can I tell him that the authentication will be from me to them only, if it’s supported?
Where should I put the paths for the certificates (sip.conf, sip_custom.conf, sip_general.conf,…) and what is the correct file location? Every time I open one of those files it tells me not to modify them.
Where should I put the certificates’ path?
Cipher suites? How do I use and verify this?
I was looking to add on the sip_custom.conf:
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/sst/certificate/asterisk.pem
tlscafile=/etc/sst/certificate/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1

For the trunk
Outgoing
type=friend
qualify=yes
nat=never
context=from-trunk
insecure=invite
host=xxx.xxx.xxx.xxx
dtmfmode=rfc2833
canreinvite=no
disallow=all
allow=gsm&alaw
transport=tls
encryption=yes
Incoming
type=friend
qualify=yes
nat=never
insecure=very
context=from-trunk
host=xxx.xxx.xxx.xxx
dtmfmode=rfc2833
canreinvite=no
disallow=all
allow=gsm&alaw
transport=tls

Can someone check if I’m on the correct path?
Is there like an ultimate guide for this on the Community?
Thanks for all your help and for keeping up the support.
JC
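
For the "Cipher suites? How do I use and verify this?" question in the post above, an added example (not part of the original post, and not FreePBX or Asterisk code): it reads `tlscipher` and `tlsclientmethod` from the posted settings and expands the cipher string with the local OpenSSL, listing suites that are unauthenticated or below 128-bit strength. It assumes Python's `ssl` module links the same OpenSSL build as Asterisk; the function names and the `DEFAULT` fallback are choices made for this example.

```python
import ssl

# Constructed sample: the TLS-related lines from the post's sip_custom.conf.
SAMPLE_CONF = """\
tlscertfile=/etc/sst/certificate/asterisk.pem
tlscafile=/etc/sst/certificate/ca.crt
tlscipher=ALL          ; OpenSSL cipher string
tlsclientmethod=tlsv1
"""
LEGACY_METHODS = {"sslv2", "sslv3", "tlsv1"}  # protocol versions retired by current guidance

def parse_settings(text):
    """Return key -> value for 'key=value' lines, skipping ';' comments and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()

def weak_suites(cipher_string):
    """Names of suites that are unauthenticated (Au=None) or under 128-bit strength."""
    return sorted(c["name"] for c in expand(cipher_string)
                  if "Au=None" in c["description"] or c["strength_bits"] < 128)

def audit(text):
    # Assumption of this example: an unset tlscipher is approximated by "DEFAULT".
    s = parse_settings(text)
    cipher = s.get("tlscipher", "DEFAULT")
    return {
        "tlscipher": cipher,
        "suite_count": len(expand(cipher)),
        "weak_suites": weak_suites(cipher),
        "legacy_client_method": s.get("tlsclientmethod", "").lower() in LEGACY_METHODS,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Running `weak_suites()` on a narrower string such as `ECDHE+AESGCM` shows what the same check reports once the list is restricted; whichever string is chosen still has to include a suite the provider supports.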
