Pages: 1 2 3

Creating the RSA keys

We have seen how to use the keys, now let’s have a look on how to build these. The usual way of creating these for Asterisk is by the integrated astgenkey command. This one is included in the standard Asterisk package and very easy to use. Since RSA key is by default pass-phrase protected, the -n option of the astgenkey command allows to suppress it, this will allows asterisk to start without asking for this pass-phrase. Here below is the output of the execution, we have created a key for the Paris site and in the directory have now two keys, on public (.pub) and one private (.key).

# astgenkey -n

This script generates an RSA private and public key pair
in PEM format for use by Asterisk.  You will be asked to
enter a passcode for your key multiple times.  Please
enter the same code each time.  The resulting files will
need to be moved to /var/lib/asterisk/keys if you want
to use them, and any private keys (.key files) will
need to be initialized at runtime either by running
Asterisk with the '-i' option, or with the 'init keys'
command once Asterisk is running.

Press ENTER to continue or ^C to cancel.

Enter key name: Paris
Generating SSL key 'Paris':
Generating RSA private key, 1024 bit long modulus
.....++++++
.........................................................++++++
e is 65537 (0x10001)
writing RSA key
Key creation successful.
Public key:  Paris.pub
Private key: Paris.key

This solution is the simplest one, but requires a very good organisation with regards to keys and the file they are in. It is not impossible but when you have an issue it is difficult to know which key is hidden behind the file name.

X.509 certificate

The other way to manage these keys could be through X.509 certificates. These certificates are holding the key and some very useful information that could help finding the key or checking if this one is a valid one. This chapter shows how to create certificates in order to use RSA keys in the Asterisk context, we use here the openssl solution since it is present on the Asterisk compilation server at least.

A certificate is something that is issued by someone and needs to be validated through a signature process. A signing hierarchy could be established with the ability for anyone to check whether or not a certificate is valid by checking any signature and their respective certificate.

For example, we could imagine an organized Asterisk group of users which provide each user with a certificate signed. When two users want to exchange traffic, the exchange first their certificates and validate that they are correctly signed, so they can trust each other.

Root creation

We are going to create such group which is represented by a root certificate, we will call it Panoramisk (good idea, no?). Here is the process of this creation.

First we create the template file with all information regarding our root. The working directory can be anything, we will work in the “.” directory in order to ease understanding, in this one a certs directory is created to hold the files to be kept afterwards. The root’s certificate description is called ./certs/root.cnf and contains:

[ ca ]
default_ca      = CA_default

[ CA_default ]
prompt = no
dir             = .
certs           = $dir
crl_dir         = $dir
database        = $dir/index.txt
unique_subject  = no
new_certs_dir   = $dir/
serial          = $dir/serial
crl             = $dir/crl.pem

certificate     = ./certs/root.cert
private_key     = ./certs/rootenc.key

RANDFILE        = $dir/.rand
x509_extensions = usr_cert
name_opt        = ca_default
cert_opt        = ca_default
default_days    = 365
default_crl_days= 365
default_md  = md5
preserve    = no

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca
prompt = no

[ req_distinguished_name ]
C                      = FR
ST                     = Rhone-Alpes
L                      = Lyon
O                      = Panoramisk
OU                     = Main
CN                     = Root
emailAddress           = alex@panorammisk.com

[ req_attributes ]
challengePassword      = This is a really good challenge

[ usr_cert ]
nsComment              = "IAX2 Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

Once adapted to your case, we create the certificate:

openssl req -config ./certs/root.cnf -new -x509 
     -keyout ./certs/rootenc.key 
     -out ./certs/root.cert

During certificate creation a pass-phrase is asked for, don’t loose this one since it will be asked for any certificate signature afterwards.

Node creation

Now we have our root certificate (it is self signed, we could also make it signed by a public authority like Verisign for example), we can create one certificate per node or user. The process starts with the creation of the description file, here is a sample of the Paris one:

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca

prompt = no

[ req_distinguished_name ]
C                      = FR
ST                     = RA
L                      = Paris
O                      = Panormaisk
OU                     = Agency
CN                     = Paris Agency
emailAddress           = paris@panoramisk.com

[ req_attributes ]
challengePassword           = One new challenge is required...

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

With this file we can create the certificate and sign it, the commands to issue are looking like:

openssl req -config certs/Paris.cnf -new 
   -keyout certs/Paris_enc.key -out newreqParis.pem

Here a pass-phrase will be asked for Paris. The file generated are the private key, protected by a password and a request for certificate to be signed. Now we could sign it.

If it is the first certificate you are creating, we should instantiate a database:

echo "01" > serial
cp /dev/null index.txt

And now we can do the sign process, the pass-phrase asked for in this part is the one used when creating the root certificate, be careful.

openssl ca -batch -config certs/root.cnf 
   -policy policy_anything -out certs/Paris.cert 
   -infiles newreqParis.pem

The created certificate, for Paris, is now signed by our root one, we can see the certificate composition and verify it with the following commands:

openssl x509 -noout -nameopt multiline -issuer 
   -subject -dates -in certs/Paris.cert
issuer=
    countryName               = FR
    stateOrProvinceName       = Rhone-Alpes
    localityName              = Lyon
    organizationName          = Panoramisk
    organizationalUnitName    = Main
    commonName                = Root
    emailAddress              = alex@panorammisk.com
subject=
    countryName               = FR
    stateOrProvinceName       = RA
    localityName              = Paris
    organizationName          = Panormaisk
    organizationalUnitName    = Agency
    commonName                = Paris Agency
    emailAddress              = paris@panoramisk.com
notBefore=Aug 23 07:31:55 2007 GMT
notAfter=Aug 22 07:31:55 2008 GMT

openssl verify -verbose -CAfile certs/root.cert certs/Paris.cert
certs/Paris.cert: OK

RSA for IAX trunk

Ok, now we have anything in order to get certificates and signature, but how to get use these with our IAX trunk on Asterisk. The RSA private key has been created during the certificate creation, the file Paris.key is containing it but encrypted. It can be used like that in the Paris Asterisk configuration but each time Asterisk will start, the pass-phrase should be entered, which is not practical. We could suppress the pass-phrase from this key with the following, but be careful that nobody should get access to this file.

openssl rsa -in certs/Paris_enc.key -out certs/Paris.key
Enter pass phrase for certs/Paris_enc.key:
writing RSA key

The Paris.key can now be moved to the /var/lib/asterisk/keys/ directory to be used by Asterisk.

For the public key, to be used in London in our example, we will not provide this key directly but rather provide the Paris certificate which holds the key. Having this certificate in London allows to verify the validity date and could also allow a validation of the CRL (Certification Revocation List) presence¹. In order for London to extract the key from the certificate, one can use the following command:

openssl x509 -noout -pubkey -in certs/Paris.cer
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI0ZDGRmL/nZqtc7eoPKY9VYtW
9zJiUq2vwp/mKsxIJEmewDEqXYnKp/1eY5x03et+mfeDYtPa10NAFrR06RWMMR7U
pWynMoyuwsfWJmfmO/G5A9m5iGZOvrVyA15LWP/WV+sGhIQ+fPAVLCwB58PH6PyJ
aCZCUZfL57AyF2mLCwIDAQAB
-----END PUBLIC KEY-----

By redirecting the output of this command to the Paris.pub file, the London Asterisk server can now use it in order to authenticate calls from Paris.

Conclusion

RSA authentication is the good approach when using IAX to interconnect Asterisk PBXs. For a small amount of site and a closed user group with centralized maintenance, the easiest way is probably through the embedded astgenkey, but for a more public voice network, using X.509 certificates is probably the most opened solution, even if a bit more complex.

1. we will not see this in the present article [↩]

Pages: 1 2 3