TLS Certificate

Is there a way to automatically create certificates when adding user/extensions? Trigger script?

./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C extension.domain.com -O "Company" -d /etc/asterisk/keys -o username

Is there a reason you want a separate certificate per user/extension?

Extra layer of security. Isn't there a way to lock extensions to a certificate? So the SIP client is required to have the right cert to work. Verifies client cert “issued to” against extension and domain. Maybe I am wrong, maybe it is not necessary. I will assume that the answer to my question is no. I will just create certs per ext with ast_tls_cert by hand for now and figure it out later. Thanks.

That is not how TLS works.

It isn’t that you’re wrong, but that’s not how the system works. The certs on the server provide all of the security you will need, especially if you instantiate a VPN between the phone and the server.
