*** Setup SSL support for Media_Mgr *** * All commands are run from kazoo_apps/apps/media_mgr/priv/ssl/ * Create the root key (skip if you have a root key already that you want to use): $ openssl genrsa -out 2600hzCA.key 2048 Generating RSA private key, 2048 bit long modulus .............+++ ......................................................+++ e is 65537 (0x10001) Sign the root key (fill out a questionnaire): $ openssl req -x509 -new -nodes -key 2600hzCA.key -days 1024 -out 2600hzCA.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California Locality Name (eg, city) []:San Francisco Organization Name (eg, company) [Internet Widgits Pty Ltd]:2600Hz Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:api.2600hz.com Email Address []: Create a certificate (cert): $ openssl genrsa -out media_mgr.key 2048 Generating RSA private key, 2048 bit long modulus .......+++ ......+++ e is 65537 (0x10001) Remove the need for a passphrase: $ openssl rsa -in media_mgr.key -out media_mgr.pem writing RSA key Now generate the certificate signing request (CSR): $ openssl req -new -key media_mgr.key -out media_mgr.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California Locality Name (eg, city) []:San Francisco Organization Name (eg, company) [Internet Widgits Pty Ltd]:2600Hz Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:api.2600hz.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Be sure, when answering the "Common Name" question to put either your FQDN or IP address that will show in the browser. Now let's sign the CSR: $ openssl x509 -req -in media_mgr.csr -CA 2600hzCA.pem -CAkey 2600hzCA.key -CAcreateserial -out media_mgr.crt -days 500 Signature ok subject=/C=US/ST=California/L=San Francisco/O=2600Hz/CN=thinky64.2600hz.com Getting CA Private Key And finally, generate the self-signed certificate: $ openssl x509 -req -days 60 -in media_mgr.csr -signkey media_mgr.key -out media_mgr.crt Signature ok subject=/C=US/ST=California/L=San Francisco/O=2600Hz/CN=thinky64.2600hz.com Getting Private key Now modify the "media_mgr" doc in the "system_config" database with the following values: "default":{ "ssl_port":"24518" ,"ssl_cert":"priv/ssl/media_mgr.crt" ,"ssl_key":"priv/ssl/media_mgr.key" } Start media_mgr. You can now test your new SSL-enabled APIs via: $ curl -v --cacert media_mgr.crt https://api.2600hz.com:8443/v1/accounts * About to connect() to api.2600hz.com port 8443 (#0) * Trying 127.0.0.1... connected * successfully set certificate verify locations: * CAfile: media_mgr.crt CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server key exchange (12): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using DHE-RSA-AES256-SHA * Server certificate: * subject: C=US; ST=California; L=San Francisco; O=2600Hz; CN=api.2600hz.com * start date: 2012-06-01 21:59:03 GMT * expire date: 2012-07-31 21:59:03 GMT * common name: api.2600hz.com (matched) * issuer: C=US; ST=California; L=San Francisco; O=2600Hz; CN=api.2600hz.com * SSL certificate verify ok. > GET /v1/accounts HTTP/1.1 > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 > Host: api.2600hz.com:8443 > Accept: */* > < HTTP/1.1 401 Unauthorized < Www-Authenticate: < Access-Control-Max-Age: 86400 < Access-Control-Expose-Headers: Content-Type, X-Auth-Token, X-Request-ID, Location, Etag, ETag < Access-Control-Allow-Headers: Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, X-Auth-Token, If-Match < Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD < Access-Control-Allow-Origin: * < X-Request-ID: 5ad53536debfff23f55641caecb3849d < Content-Length: 0 < Date: Fri, 01 Jun 2012 22:19:11 GMT < Server: Cowboy < Connection: keep-alive < * Connection #0 to host api.2600hz.com left intact * Closing connection #0 * SSLv3, TLS alert, Client hello (1):