FreeSwitch (CentOS 7.0) + WebRTC (web) + desk-phone calling, complete version with SSL registration certificates
Preface
Note: my company recently asked me to set up FreeSwitch with a web client that can call a desk phone. I found a lot of material online, most of it rather messy; after four days I finally had it working, and it passed SSL verification, called the desk phone and delivered audio.
I promise to spare fellow readers the detours and go straight to the practical steps. I have been doing ops for two years; anyone in the same line of work who has questions and wants to ask can add me on WeChat: Z958726169
1. Installing FreeSwitch. Installing with yum on CentOS 7 is slow by default; switching the yum mirror makes it much faster (mine was 3 hours faster). yum source (CentOS-Base.repo):
[base]
name=CentOS-$releasever - Base
baseurl=https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/os/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-7
#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/updates/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-7
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/extras/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-7
2. Install the dependencies first
yum install -y http://files.freeswitch.org/freeswitch-release-1-6.noarch.rpm epel-release
yum install -y git alsa-lib-devel autoconf automake bison broadvoice-devel bzip2 curl-devel libdb4-devel e2fsprogs-devel erlang flite-devel g722_1-devel gcc-c++ gdbm-devel gnutls-devel ilbc2-devel ldns-devel libcodec2-devel libcurl-devel libedit-devel libidn-devel libjpeg-devel libmemcached-devel libogg-devel libsilk-devel libsndfile-devel libtheora-devel libtiff-devel libtool libuuid-devel libvorbis-devel libxml2-devel lua-devel lzo-devel mongo-c-driver-devel ncurses-devel net-snmp-devel openssl-devel opus-devel pcre-devel perl perl-ExtUtils-Embed pkgconfig portaudio-devel postgresql-devel python-devel python-devel soundtouch-devel speex-devel sqlite-devel unbound-devel unixODBC-devel wget which yasm zlib-devel libshout-devel libmpg123-devel lame-devel
3. Download the source code
cd /usr/local/src
git clone -b v1.6 https://git.oschina.net/nwaycn/freeswitch.git freeswitch
4. Build and install
cd /usr/local/src/freeswitch
./bootstrap.sh -j
./configure
make
make -j install
make -j cd-sounds-install
make -j cd-moh-install
5. Result
Type freeswitch; if, after typing freeswitch, you see the following:
FreeSwitch has started successfully
6. Configure WebRTC: download the sipml5 package from the web
git clone https://github.com/DoubangoTelecom/sipml5
It needs to be deployed on the Linux server. We need to install Tomcat 7 and JDK 1.7 and configure the environment variables; I will not go into how to install and configure them here, as there are plenty of tutorials online.
Once the environment is ready, copy the entire directory into Tomcat's webapps directory.
Start FreeSwitch and Tomcat.
Open the page: http://<server IP>:8080/sipml5/expert.htm
My package name is sipml5-master
Both my browser and Tomcat have the SSL certificate installed, which is why I can call the desk phone directly; if you are on plain http, clicking Call does nothing.
Expert mode has to be configured first.
Once expert mode is configured you can connect and log in; after logging in you can place calls. If everything works, the status shows the call in progress; once the desk phone has registered as 1002, dial 1002 and you will hear audio.
The following sections cover registering, downloading, importing and configuring the three certificates.
FreeSwitch with a self-signed certificate: configuring WSS
1. Generate a self-signed certificate with SSL-TOOLS
2. Download ssl.ca-0.1.tar.gz
[root@localhost ~]# wget http://files.freeswitch.org/downloads/ssl.ca-0.1.tar.gz
3. Extract ssl.ca-0.1.tar.gz
tar zxfv ssl.ca-0.1.tar.gz
4. Run the following commands (note that the third substitution replaces 2048 with 2048, so it changes nothing; the scripts still generate 1024-bit keys, as the output in step 5 shows)
[root@localhost software]# cd ssl.ca-0.1/
[root@localhost ssl.ca-0.1]# perl -i -pe 's/md5/sha1/g' *.sh
[root@localhost ssl.ca-0.1]# perl -i -pe 's/2048/2048/g' *.sh
5. Generate the root certificate
[root@localhost ssl.ca-0.1]# ./new-root-ca.sh
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
.....................++++++
...............................................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: <root CA passphrase>
Verifying - Enter pass phrase for ca.key:
Self-sign the root CA...
Enter pass phrase for ca.key: <root CA passphrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:CN   (country)
State or Province Name (full name) [Perak]:JIANGSU   (province)
Locality Name (eg, city) [Sitiawan]:NANJING   (city)
Organization Name (eg, company) [My Directory Sdn Bhd]:HY   (company name)
Organizational Unit Name (eg, section) [Certification Services Division]:HY   (organisational unit)
Common Name (eg, MD Root CA) []:HY   (common name)
Email Address []:HY@163.com   (e-mail address)
[root@localhost ssl.ca-0.1]#
When this finishes, two files, ca.key and ca.crt, have been generated in the current directory.
6. Generate a certificate for our server
[root@localhost ssl.ca-0.1]# ./new-server-cert.sh server
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:JIANGSU
Locality Name (eg, city) [Sitiawan]:NANJING
Organization Name (eg, company) [My Directory Sdn Bhd]:HY
Organizational Unit Name (eg, section) [Secure Web Server]:HY
Common Name (eg, www.domain.com) []:localhost   (can be replaced with your domain name)
Email Address []:HY@163.com
You may now run ./sign-server-cert.sh to get it signed
When this finishes, server.csr and server.key have been generated.
7. Sign the certificate so that it takes effect
[root@localhost ssl.ca-0.1]# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JIANGSU'
localityName :PRINTABLE:'NANJING'
organizationName :PRINTABLE:'HY'
organizationalUnitName:PRINTABLE:'HY'
commonName :PRINTABLE:'localhost'
emailAddress :IA5STRING:'HY@163.com'
Certificate is to be certified until Nov 9 06:26:54 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
When this finishes, server.crt has been generated.
After the steps above you will see the following three files in the current directory:
[root@254 ssl.ca-0.1]# ll
总用量 96
-rw-r--r-- 1 root root 932 6月 25 09:44 ca.crt
drwxr-xr-x 2 root root 20 6月 25 09:45 ca.db.certs
-rw-r--r-- 1 root root 97 6月 25 09:45 ca.db.index
-rw-r--r-- 1 root root 21 6月 25 09:45 ca.db.index.attr
-rw-r--r-- 1 root root 3 6月 25 09:45 ca.db.serial
-rw-r--r-- 1 root root 963 6月 25 09:43 ca.key
-rw-r--r-- 1 500 500 17992 4月 24 2000 COPYING
-rwxr-xr-x 1 500 500 1460 6月 25 09:43 new-root-ca.sh
-rwxr-xr-x 1 500 500 1539 6月 25 09:43 new-server-cert.sh
-rwxr-xr-x 1 500 500 1049 6月 25 09:43 new-user-cert.sh
-rwxr-xr-x 1 500 500 984 6月 25 09:43 p12.sh
-rw-r--r-- 1 500 500 1024 4月 23 2000 random-bits
-rw-r--r-- 1 500 500 11503 4月 24 2000 README
-rw-r--r-- 1 root root 3092 6月 25 09:45 server.crt ---------->
-rw-r--r-- 1 root root 737 6月 25 09:45 server.csr ----------> these three files are the ones used in the following steps
-rw-r--r-- 1 root root 891 6月 25 09:44 server.key ---------->
-rwxr-xr-x 1 500 500 2080 6月 25 09:43 sign-server-cert.sh
-rwxr-xr-x 1 500 500 1916 6月 25 09:43 sign-user-cert.sh
-rw-r--r-- 1 500 500 50 4月 24 2000 VERSION
8. Replace FreeSwitch's certificate (wss.pem)
Now replace the certificate [back up FreeSwitch's existing certificate first]. Below is the directory where my wss.pem lives; work out the certificate location from where your FreeSwitch is installed, or locate it with find. Since wss.pem will hold the private key as well as the certificate, keep its file permissions restricted to the user FreeSwitch runs as.
[root@izwz9ixh3287isfn0r8cm6z ~]# find / -name wss.pem
/usr/local/freeswitch/certs/wss.pem -----> location of wss.pem
[root@localhost ssl.ca-0.1]# cd /usr/local/server/software/ssl.ca-0.1
[root@localhost ssl.ca-0.1]# cat server.crt server.key > /usr/local/freeswitch/certs/wss.pem
[root@localhost ssl.ca-0.1]# cat /usr/local/freeswitch/certs/wss.pem
(output: the decoded server certificate, followed by the PEM CERTIFICATE block and the RSA PRIVATE KEY block)
9. Modify the relevant FreeSwitch configuration
Edit internal.xml
[root@254 ssl.ca-0.1]# vim /usr/local/freeswitch/conf/sip_profiles/internal.xml
Set wss-binding; the default is 7443 and can be changed:
<param name="wss-binding" value=":7443"/>
Run this command to see the port WSS is bound to:
[root@254 ssl.ca-0.1]# fs_cli -x 'sofia status profile internal' | grep WSS-BIND-URL
WSS-BIND-URL sips:mod_sofia@192.168.0.254:7443;transport=wss
Edit vars.xml
[root@254 ssl.ca-0.1]# vim /usr/local/freeswitch/conf/vars.xml
Set the following parameters:
<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>
<X-PRE-PROCESS cmd="set" data="external_ssl_enable=true"/>
After making the changes, restart FreeSwitch and then run the following:
[root@localhost ssl.ca-0.1]# fs_cli
... ...
+OK log level [7]
freeswitch@localhost.localdomain> reloadxml
10. Using the self-signed certificate in the web project
[root@localhost ssl.ca-0.1]# openssl pkcs12 -export -in /usr/local/server/software/ssl.ca-0.1/server.crt -inkey /usr/local/server/software/ssl.ca-0.1/server.key -out /usr/local/server/software/ssl.ca-0.1/tomcat.p12
11. The definitive method: generate a certificate with OpenSSL and have Chrome recognise it as secure
Download OpenSSL for Windows
Download address: http://slproweb.com/products/Win32OpenSSL.html
Since my computer is 64-bit, I chose OpenSSL 1.0.2t Light (64-bit)
Install to the default location; no further settings are needed
12. Generate the certificate
Run cmd as administrator and generate the certificate
My computer has only one drive, so I first cd'd to C: and then ran the commands; in other words, wherever you run the commands is where the output goes
The complete process is shown in the figure below
Below is the complete code block. The cert_extensions step is the part that matters for Chrome: it ignores the Common Name and only trusts an address listed in subjectAltName.
c:\>openssl genrsa -out 136zhengshu.key 2048
Generating RSA private key, 2048 bit long modulus
................................................+++++
.....+++++
e is 65537 (0x10001)
c:\>openssl req -new -key 136zhengshu.key -out 136zhengshu.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EsriChina
Organizational Unit Name (eg, section) []:Esrichina
Common Name (e.g. server FQDN or YOUR name) []:192.168.100.136
Email Address []:aoj@esrichina.com.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:esrichina
c:\>echo subjectAltName=IP:192.168.100.136,DNS:win136.esrichina.com >cert_extensions
c:\>openssl x509 -req -sha256 -in 136zhengshu.csr -signkey 136zhengshu.key -extfile cert_extensions -out 136zhengshu.crt -days 3650
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=EsriChina/OU=Esrichina/CN=192.168.100.136/emailAddress=aoj@esrichina.com.cn
Getting Private key
c:\>openssl pkcs12 -inkey 136zhengshu.key -in 136zhengshu.crt -export -out 136zhengshu.pfx
Enter Export Password:
Verifying - Enter Export Password:
The generated files are as follows:
13. Import the certificate (cer format) into the client browser (required)
14. Import the certificate into Tomcat and configure it
Download the Tomcat version of the certificate from the certificate issuer; it is usually a zip archive that extracts to two files (the certificate ending in *.pfx and the certificate password in *password.txt)
Upload the pfx file to the Linux server
Switch to the root user and store the certificate file in a fixed location; I keep it under usr/local/tomcat/conf
Edit the configuration file server.xml
After sslProtocol="TLS" add keystoreFile="/usr/local/tomcat/tomcat7/conf/136zhengshu.pfx" keystorePass="1234"
Restart Tomcat and open https://192.168.0.161:8443/sipml5-master/call.htm# in the browser; calls now work normally
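The Connector those two attributes belong to, given here as an added example rather than the post's own server.xml; the path and password are the ones from step 14, and keystoreType="PKCS12" is added because Tomcat 7 assumes a JKS keystore by default and will not open a .pfx file without it.

```xml
<!-- HTTPS connector for Tomcat 7 (conf/server.xml). The .pfx from step 14 is a
     PKCS#12 keystore, so keystoreType must be set or Tomcat reads it as JKS. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/usr/local/tomcat/tomcat7/conf/136zhengshu.pfx"
           keystoreType="PKCS12" keystorePass="1234" />
```

The keystore password sits in server.xml in clear text, so keep that file readable only by the user Tomcat runs as.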