On Fri, 2008-08-01 at 14:47 -0600, Kyle Haefner wrote:
> Hello All,
> 
> I would like to install a new certificate that I have from ipsCA.
> 
> Once I have the crt, key and the .ca file from ipsCA in a directory will
> it be enough to just run install-cert.sh?

It depends on how the ipsCA certificate was constructed (I have not
examined one to see).

The current peer validation code requires that the certificate include
the fully qualified DNS name of the host in a DNS type subjectAltName
attribute.

If you run the following command (using your certificate for 'ssl.crt'):

        openssl x509 -in ssl.crt -text | grep --after 1 'X509v3 Subject Alternative Name:'

and you get:

   X509v3 Subject Alternative Name: 
      DNS:host.example.org

where 'host.example.org' is your fully qualified host name, then I
believe that it will work.  It is ok if there are other values on that
second line as well, as long as that one is there.  I realized while
writing this up that the current check-cert.sh script doesn't really
test this correctly, so do the above by hand (although the other tests
it does are also needed, so it too should pass).

> Do I have to do anything with the jetty XML files and the java keytool?

I believe that just installing the new certificate using the script will
cause the next startup of sipXconfig to do the required import steps
automatically.

-- 
Scott Lawrence  tel:+1.781.229.0533;ext=162 or sip:[EMAIL PROTECTED]
  sipXecs project coordinator - SIPfoundry http://www.sipfoundry.org/sipXecs
  CTO, Voice Solutions   - Bluesocket Inc. http://www.bluesocket.com/ 
                                           http://www.pingtel.com/
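
The by-hand check described in the message above, written as a small shell function. This is an added example, not part of the original message or of the sipXecs scripts; the function names `has_dns_san` and `sample_text` and the sample certificate text are constructed for illustration. It compares whole DNS entries, so a name that only appears inside another entry does not pass.

```shell
#!/bin/sh
# has_dns_san FQDN
# Reads `openssl x509 -noout -text` output on stdin and returns 0 only if the
# subjectAltName extension carries a DNS entry equal to FQDN (case-insensitive).
# Wildcard entries are not expanded: the message asks for the host's own name.
# Real use: openssl x509 -in ssl.crt -noout -text | has_dns_san host.example.org
has_dns_san() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
        found_hdr {
            # The line after the header holds the comma-separated entries.
            n = split($0, ent, ",")
            for (i = 1; i <= n; i++) {
                e = ent[i]
                gsub(/^[ \t]+|[ \t\r]+$/, "", e)   # trim surrounding blanks
                if (tolower(e) == "dns:" want) ok = 1
            }
            exit
        }
        /X509v3 Subject Alternative Name:/ { found_hdr = 1 }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed sample of the relevant part of `openssl x509 -noout -text` output.
sample_text() {
cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:host.example.org, DNS:sip.example.org, IP Address:192.0.2.10
EOF
}

# example.org is a substring of an entry but is not itself an entry.
for name in host.example.org example.org; do
    if sample_text | has_dns_san "$name"; then
        echo "$name: DNS subjectAltName present"
    else
        echo "$name: DNS subjectAltName MISSING"
    fi
done
```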
