TLS Certificate Generation
Asterisk ships with ast_tls_cert, a shell script that creates a private Certificate Authority and signs server/client certificates for use with PJSIP TLS, WebRTC WSS, and the HTTP server.
Requirements
- `openssl` installed on the Asterisk server
- Write access to the certificate output directory (e.g., `/etc/asterisk/keys/`)
Create a CA and Server Certificate
```shell
# Generate CA + server cert in one step
./ast_tls_cert -C pbx.example.com -O "My Company" -d /etc/asterisk/keys
```
This produces:
| File | Purpose |
|---|---|
| `ca.crt` | CA certificate -- import into phones/browsers as a trusted CA |
| `ca.key` | CA private key -- keep this secure |
| `asterisk.crt` | Server certificate |
| `asterisk.key` | Server private key |
| `asterisk.pem` | Combined cert + key (used by `tlscertfile` in `http.conf`) |
Create a Client Certificate
```shell
# Sign a client cert using the existing CA
./ast_tls_cert -m client \
  -c /etc/asterisk/keys/ca.crt \
  -k /etc/asterisk/keys/ca.key \
  -C phone1.example.com \
  -O "My Company" \
  -d /etc/asterisk/keys \
  -o phone1
```
Using the Certificates
PJSIP TLS Transport (pjsip.conf)
```ini
[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
cert_file = /etc/asterisk/keys/asterisk.crt
priv_key_file = /etc/asterisk/keys/asterisk.key
method = tlsv1_2
```
HTTP/WebSocket TLS (http.conf)
```ini
[general]
tlsenable = yes
tlsbindaddr = 0.0.0.0:8089
tlscertfile = /etc/asterisk/keys/asterisk.pem
tlsprivatekey = /etc/asterisk/keys/asterisk.key
```
How it works
- Private CA: `ast_tls_cert` first creates a self-signed CA (`ca.crt`/`ca.key`) if one doesn't already exist. All subsequent certificates are signed by this CA, establishing a chain of trust.
- Server certificate: The `-C` flag sets the Common Name (CN), which should be the server's FQDN or IP address. SIP phones and WebRTC clients validate this against the hostname they connect to.
- Client certificate: The `-m client` flag creates a certificate for a SIP device. Some phones (Polycom, Yealink) support mutual TLS authentication using client certificates.
- PEM format: `asterisk.pem` concatenates the private key and certificate into a single file, which is what most Asterisk config directives (`tlscertfile`) expect.
- Permissions: The script sets `umask 177` so private key files are created with mode 600 (owner-readable only). Verify permissions: `ls -la /etc/asterisk/keys/*.key`.
Tips
- For production systems, use Let's Encrypt certificates instead of self-signed. Use `certbot` and point `cert_file` and `priv_key_file` to the Let's Encrypt paths.
- Self-signed certificates require importing `ca.crt` as a trusted root on every phone and browser. This is manageable for small deployments but doesn't scale.
- Certificates expire after 365 days. Set a calendar reminder to regenerate before expiry, or use a cert manager with auto-renewal.
- Restrict TLS to version 1.2+: `method = tlsv1_2` in the PJSIP transport. TLS 1.0 and 1.1 are deprecated.
- Verify your TLS setup: `openssl s_client -connect pbx.example.com:5061` will show the certificate chain and negotiated cipher.
- Keep `ca.key` offline or at least backed up securely: anyone with the CA key can sign certificates that your system trusts.
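The checks that "How it works" and "Tips" describe (the server certificate chains to the private CA, the key matches the certificate, the CN/SAN matches the host name, the certificate is not about to expire, private keys are mode 600, and `asterisk.pem` carries both key and certificate), as an added example that is not part of Asterisk or the `ast_tls_cert` script. So that it runs offline, it first rebuilds the same set of files with plain `openssl` in a scratch directory, mirroring the script's layout; the host name `pbx.example.com`, the organisation "My Company", the scratch directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of Asterisk or ast_tls_cert. make_keys reproduces the
# script's output (private CA -> CA-signed server cert -> asterisk.pem, private
# keys created under umask 177) in a directory of your choice; check_keys runs
# the checks an operator should run on /etc/asterisk/keys before enabling TLS.
# Host name, organisation and scratch directory are assumed sample values.
set -eu

# make_keys DIR CN ORG [DAYS]
# Produces ca.crt, ca.key, asterisk.crt, asterisk.key and asterisk.pem in DIR.
make_keys() {
  dir=$1; cn=$2; org=$3; days=${4:-365}
  mkdir -p "$dir"
  (
    umask 177                                   # private keys come out mode 600
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$cn" > "$dir/server.ext"
    # 1. private CA: key + CSR, self-signed with CA extensions
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=$org/CN=$org Private CA" \
      -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/ca.csr" -signkey "$dir/ca.key" \
      -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # 2. server key + CSR; the CN is the FQDN that clients validate against
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=$org/CN=$cn" \
      -keyout "$dir/asterisk.key" -out "$dir/asterisk.csr" 2>/dev/null
    # 3. sign it with the CA (the chain of trust) and add a SAN for the same host
    openssl x509 -req -days "$days" -in "$dir/asterisk.csr" -CA "$dir/ca.crt" \
      -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
      -out "$dir/asterisk.crt" 2>/dev/null
    # 4. key + cert in one PEM, the layout tlscertfile in http.conf expects
    cat "$dir/asterisk.key" "$dir/asterisk.crt" > "$dir/asterisk.pem"
  )
  chmod 644 "$dir"/*.crt                        # certificates are public
}

# Individual checks: each exits 0 on success and non-zero on failure.
chain_ok()     { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }                  # CRT CA
key_matches()  {                                                                      # CRT KEY
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}
host_ok()      { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '; }      # CRT HOST
not_expiring() { openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null; }  # CRT DAYS
mode_600()     { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }                  # FILE
pem_has_both() { grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"; }   # PEM

# check_keys DIR HOST: one line per check; returns non-zero if any check failed.
check_keys() {
  dir=$1; host=$2; fails=0
  run() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi; }
  run chain_ok     "$dir/asterisk.crt" "$dir/ca.crt"
  run key_matches  "$dir/asterisk.crt" "$dir/asterisk.key"
  run host_ok      "$dir/asterisk.crt" "$host"
  run not_expiring "$dir/asterisk.crt" 30
  run mode_600     "$dir/asterisk.key"
  run mode_600     "$dir/ca.key"
  run pem_has_both "$dir/asterisk.pem"
  [ "$fails" -eq 0 ]
}

# Stand-alone run: build the files in a scratch directory (a stand-in for
# /etc/asterisk/keys) and check them; set -e aborts the script on any failure.
KEYS=$(mktemp -d)
make_keys "$KEYS" pbx.example.com "My Company" 365
check_keys "$KEYS" pbx.example.com
echo "generated and verified in $KEYS"
```

After running `ast_tls_cert` on a real system, point the checker at the real directory (`check_keys /etc/asterisk/keys pbx.example.com`). The chain and host-name checks are the offline counterpart of the `openssl s_client` test above, and `not_expiring` is the check to run from cron ahead of the 365-day expiry.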