6.2. iPhone and SSL Certificates

The iPhone does not handle self-signed certificates very well.

If you want to secure your Asterisk server and still use AsteriskC2D then you have three choices.

  • Buy a real certificate from a recognised signing authority. They are not too expensive, around $60 for a year.

  • Configure the iPhone and your network for VPN connections. The iPhone supports Cisco IPSec and PPTP. The downside to this is that each time you want to place a call you’ll need to start up the VPN connection first. Not very seamless or efficient.

  • Create your own root certificate and then sign a cert for your Asterisk system. You can then install the root certificate on the iPhone or indeed anything else that needs to connect. It’s free, and if you are running servers people connect to then you really should be thinking about SSL.

6.2.1. Creating the Root Certificate

Just follow the simple steps on this web site: http://www.flatmtn.com/article/setting-openssl-create-certificates

Note

You really want your root certificate to last a good few years… mine lasts over 10 years. This way I don’t have to renew my root and all other certificates too often. As I’ve now given my root cert out to numerous devices it would be a big pain to have to give it out again too often.

Also remember to put the root certificate somewhere very very safe and make backups of it.

Once you’ve created this root certificate you can use it to sign any certificates you like. So there’s no reason why all your systems couldn’t have valid SSL certificates. You just need to make sure your clients have a copy of the root certificate installed.

6.2.2. Installing the Root Certificate on an iPhone

So you’ve created the root certificate; now you want to get it to all your iPhone users. Well, this part is really simple.

  • Copy and rename the certificate: cp myRootCert.pem myRootCert.cer

For the iPhone to accept the certificate, its file name needs to end in “.cer”. I suggest copying it rather than renaming it, as other things like to have the “.pem”, and in fact openssl when signing expects to see it as “.pem”.

  • Send an e-mail. Yes, it’s really that simple. Just attach the certificate to an e-mail and send it to all your users. You can also post it on the website as a link. When the user reads the e-mail on their iPhone they are presented with the option of accepting and installing the certificate.

6.2.3. Creating a certificate for Asterisk web server

Again just follow these simple instructions: http://www.flatmtn.com/article/setting-ssl-certificates-apache

Don’t forget to sign your new certificate with the root certificate.
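
The steps from 6.2.1 to 6.2.3 in one place, as an added shell example that is not from the original page or the linked articles: it creates a root certificate, signs a certificate for the Asterisk web server with it, makes the “.cer” copy for the iPhone and verifies the result. The host name pbx.example.com, the CA name and the asterisk.* file names are assumptions; only myRootCert.pem and myRootCert.cer come from the text above.

```shell
#!/bin/sh
# Added example: private root CA -> signed Asterisk web cert -> .cer for the iPhone.
# Host name, CA name and the asterisk.* file names are placeholders.
make_pki() (                       # subshell: cd/umask do not leak to the caller
    set -e
    dir=$1 host=$2
    umask 077                      # private keys readable by the owner only
    mkdir -p "$dir"; cd "$dir"
    # Own minimal config, so the result does not depend on the system openssl.cnf.
    cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Root certificate, about ten years. -nodes leaves the key unencrypted so the
    #    demo runs unattended; drop it for a real root so the key gets a passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config pki.cnf -extensions v3_ca -subj "/CN=Example Private Root CA" \
        -keyout myRootCert.key -out myRootCert.pem
    # 2. Key and signing request for the server; the key stays on the server.
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=$host" -keyout asterisk.key -out asterisk.csr
    # 3. Sign the request with the root. The host name goes in subjectAltName,
    #    which current TLS clients match against. 825 days is Apple's limit for
    #    TLS server certificates on iOS 13 and later; re-sign when it expires.
    openssl x509 -req -in asterisk.csr -sha256 -days 825 \
        -CA myRootCert.pem -CAkey myRootCert.key -CAcreateserial \
        -extfile pki.cnf -extensions v3_server -out asterisk.pem
    # 4. Copy for the iPhone: the certificate only, never the .key file.
    cp myRootCert.pem myRootCert.cer
    # 5. Confirm the server certificate chains to the root and matches the host.
    openssl verify -CAfile myRootCert.pem -purpose sslserver \
        -verify_hostname "$host" asterisk.pem >/dev/null
)
# Stand-alone use: sh make_pki.sh ./pki pbx.example.com
if [ "$#" -eq 2 ]; then make_pki "$1" "$2"; fi
```

Only myRootCert.cer is handed to users; myRootCert.key is the file to keep offline and backed up. On current iOS versions an installed root must also be switched on under Settings > General > About > Certificate Trust Settings before it is trusted for SSL.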