Everything looks ok to me, I think. The only possibly odd thing I see is the 'trustedCertEntry' part in the keystore. I did a disaster recover test of this machine a few weeks ago and I looked at the machine I recovered it to then, and it has the full name of the root cert at the beginning of that line.
[r...@nshpbx1 ssl]# ll total 48 drwx------ 2 sipxchange root 4096 Jan 20 12:39 authorities -rw------- 1 sipxchange root 971 Jan 20 12:38 authorities.jks drwxr-xr-x 3 root root 4096 Jan 20 11:54 bad drwxr-xr-x 4 root root 4096 Jan 20 11:25 bad5 -rw------- 1 sipxchange root 2126 Jan 20 12:38 ssl.crt -rw------- 1 sipxchange root 887 Jan 20 12:38 ssl.key -rw------- 1 sipxchange root 1694 Jan 20 12:38 ssl.keystore -rw------- 1 sipxchange root 2126 Jan 20 12:38 ssl.p12 -rw------- 1 sipxchange root 2126 Jan 20 12:38 ssl-web.crt -rw------- 1 sipxchange root 887 Jan 20 12:38 ssl-web.key -rw------- 1 sipxchange root 1694 Jan 20 12:38 ssl-web.keystore -rw------- 1 sipxchange root 2126 Jan 20 12:38 ssl-web.p12 [r...@nshpbx1 authorities]# ll total 4 lrwxrwxrwx 1 root root 34 Jan 20 12:39 cbc21f34.0 -> DSI VoIP Certificate Authority.crt -rw-r--r-- 1 sipxchange root 2292 Jan 20 12:38 DSI VoIP Certificate Authority.crt [r...@nshpbx1 ssl]# keytool -list -keystore ssl.keystore -storepass changeit Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry nshpbx1.sipx.voip, Jan 20, 2010, PrivateKeyEntry, Certificate fingerprint (MD5): 1C:7A:98:F7:7E:8A:20:0E:48:EF:EB:13:76:99:7C:09 [r...@nshpbx1 ssl]# keytool -list -keystore authorities.jks -storepass changeit Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry , Jan 20, 2010, trustedCertEntry, Certificate fingerprint (MD5): 1C:7A:98:F7:7E:8A:20:0E:48:EF:EB:13:76:99:7C:09 On 1/20/2010 1:14 PM, Raymond Dans wrote: >> Subject: Re: [sipx-users] SSL Cert help >> >> On 1/20/2010 12:27 PM, Raymond Dans wrote: >> >>> Not sure if this will help but did you regenerate and >>> >> install the Java >> >>> Keystore/Truststore? If not you may want to try this first. >>> >> I'm not sure exactly how to do that, so I guess I hadn't. How >> should I do that? The ssl script seems to indicate it is doing >> that (see below). >> On a side note, I just tried completely rerunning the sipx >> setup wizard. >> That didn't help. Same result. >> I realize my timing here is awful. I am desperate. We have training for >> 2 hours this afternoon, so I can't rebuild the system from >> scratch right now. I really don't want to do that if I don't >> have to. We were going to spend this evening staging all the >> handsets, but I obviously can't do that if I'm going to have >> to rebuild the system. This is a nightmare. It is 100% my >> fault. I was trying to squeeze in one more thing before we >> went into production, and obviously that was a horrible idea. >> >> ______________________________________________________________________ >> >> Generating Java Key Store >> Enter input keystore passphrase: Enter output keystore >> passphrase: Alias >> 0: nshpbx1.sipx.voip >> Adding key for alias nshpbx1.sipx.voip >> ______________________________________________________________________ >> >> Generating Java Trust Store >> Certificate was added to keystore >> >> >> > Okay, that part looks okay. I guess the next thing is to ensure that > they were installed and have the correct permissions. > > SSL Certificates are installed under /etc/sipxpbx/ssl > > -Ensure that the keystore and jks files are up to date (i.e. the install > of them worked). > -Ensure that the keystore and jks files are owned by 'sipxchange' > -Verify that the keystore and jks are sane by using 'keytool' > >keytool -list -keystore ssl.keystore -storepass changeit > >keytool -list -keystore authorities.jks -storepass changeit > > I believe if they display correctly then they're sane. > _______________________________________________ sipx-users mailing list sipx-users@list.sipfoundry.org List Archive: http://list.sipfoundry.org/archive/sipx-users Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users sipXecs IP PBX -- http://www.sipfoundry.org/
