TLS Config

I would like to configure my system for TLS. I have read the wiki for TLS configuration and I am wondering if I can use a self-signed certificate to test/configure the system with different brands of telephones and then get a commercial certificate if I am going to deploy this system?

Self-signed is fine if the remote device or service can import the cert, or if it has a setting to not verify the certificate.

If some of your devices or trunking providers can’t do either, you can run those unencrypted while testing TLS with the others.

When people say self-signed, do they really mean self-signed server certificates, or do they mean a corporate or departmental root CA? The scripts that come with Asterisk do the latter.

In many cases, if you have a security-aware IT department, a private CA could be a better solution than a commercial one. The advantage of a commercial one is that browsers and phones may come preconfigured to trust it. A possible disadvantage is some of the ones they trust might not be that trustworthy.
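The distinction the reply above draws (a private CA that issues server certificates versus a bare self-signed server certificate) is easy to see with openssl. The script below is an added example and is not Asterisk's own ast_tls_cert script: it builds a small private CA, issues a certificate for a PBX hostname from it, also makes a plain self-signed certificate for the same host, and then checks each one the way a phone that has imported the CA certificate would. It assumes openssl 1.1.1 or later is on PATH; the names lab-ca and pbx.lab.example are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Asterisk's ast_tls_cert): private CA vs. plain self-signed.
# Assumes openssl >= 1.1.1. All names below are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal request config: no interactive prompts, plus an extension section
# that marks the CA certificate as a CA allowed to sign other certificates.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Private (departmental) CA: a self-signed certificate whose key signs the
# server certificates. Phones import ca.crt once and then trust every
# certificate issued from it, instead of pinning each server cert by hand.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=lab-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Leaf certificate for one PBX hostname, signed by the CA. It is explicitly
# not a CA and carries the hostname in subjectAltName, which clients match.
issue_server_cert() {
    host="$1"
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/$host.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# A plain self-signed server certificate, no CA involved: a client can only
# accept it by importing this exact file or by disabling verification.
make_self_signed() {
    host="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/req.cnf" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$WORK/$host-selfsigned.key" -out "$WORK/$host-selfsigned.crt" 2>/dev/null
}

# Exit 0 when $WORK/<cert>.crt chains to ca.crt and matches <host>, which is
# the check a phone that imported the CA performs; non-zero otherwise.
verify_against_ca() {
    cert="$1"; host="$2"
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$host" \
        "$WORK/$cert.crt" >/dev/null 2>&1
}

# Demo run: CA-issued cert validates, plain self-signed cert does not.
make_ca
issue_server_cert pbx.lab.example
make_self_signed pbx.lab.example
if verify_against_ca pbx.lab.example pbx.lab.example; then
    echo "CA-issued certificate for pbx.lab.example: OK"
fi
if ! verify_against_ca pbx.lab.example-selfsigned pbx.lab.example; then
    echo "plain self-signed certificate: rejected (not issued by the CA)"
fi
echo "Install $WORK/ca.crt on the phones; use $WORK/pbx.lab.example.crt and .key on the PBX"
```

With the CA in place, adding a second PBX or a test box is one more issue_server_cert call and no change on the phones; with plain self-signed certificates every new server certificate has to be distributed and trusted individually, which is why the "don't verify" toggle gets reached for. Either way the CA key is the thing to protect, since anything signed with it is trusted by every device that imported ca.crt.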

