Important Note About Certificate Usage:

For SIP Phones:

  • Self-signed certificates can be used if:
    • Server certificate validation is disabled in the telephone configuration, OR
    • The PBX’s CA (Certificate Authority) certificate is installed in the IP phone configuration

For PBX-to-PBX Trunks:

  • Self-signed certificates can be used by copying the CA certificate to the remote PBX

For Commercial SIP Provider Trunks:

  • Self-signed certificates will NOT work
  • You must use certificates from a trusted Certificate Authority
  • The provider will reject self-signed certificates
  • The tlscafile configuration shown here points to your own CA and cannot verify the provider’s certificate

Option A: Using Self-Signed Certificates (For SIP Phones and PBX-to-PBX Trunks)

      • Download the certificate generation script
        wget http://repo1.xorcom.com/~centos/ast_tls_cert -O /tmp/ast_tls_cert
        chmod +x /tmp/ast_tls_cert

      • Create keys/certificates folder
        mkdir /etc/asterisk/keys
      • Generate a self-signed CA certificate and the PBX server certificate
        /tmp/ast_tls_cert -C pbx.mycompany.com -O "myorganization" -d /etc/asterisk/keys
        Where:
        pbx.mycompany.com — is the Common Name (CN) used in the PBX server certificate.
        myorganization — the organization name written in the PBX certificate.

        Files generated in /etc/asterisk/keys:

        ca.key — Certificate Authority private key
        ca.crt — Certificate Authority certificate
        asterisk.key — private key for PBX/SIP phones TLS negotiation
        asterisk.crt — PBX server certificate
        asterisk.pem — PBX and CA certificate chain

      • Generate a client certificate
        /tmp/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -O "myorganization" -d /etc/asterisk/keys -o username
        Where:
        myorganization — organization name in the client certificate.
        username — user name to be written in the client certificate.
        The client + CA bundle will be generated as: username.pem.

      • Change file ownership
        chown asterisk:asterisk /etc/asterisk/keys/*

      • Enable TLS in the PBX configuration
        Go to: SETTINGS → Technology Settings → SIP Settings. Then click the CUSTOM tab.
        Define the following parameters there:

        tlsbindaddr=0.0.0.0:5061
        tlscertfile=/etc/asterisk/keys/asterisk.pem
        tlscafile=/etc/asterisk/keys/ca.crt
        tlscipher=ALL
        tlsclientmethod=tlsv1

      • Create a new SIP configuration profile for TLS
        Go to SETTINGS → Technology Settings → Profiles and define a new SIP profile.

        Pay attention to:
        • Transport → set to TLS.
        • RTP Encryption → set to Yes if sRTP is required.

      • Configure the PBX trunk for TLS
        Example: For your Trunk, select the SIP-TLS profile.
      • Apply the configuration changes
        That’s all! If you have any issues, change the Profile in your SIP trunk configuration, and please contact Xorcom Support.
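The following script is an added example; it is not part of this page and not the ast_tls_cert script. It rebuilds the same kind of material as Option A (a private CA, the PBX server certificate and its bundle, and a per-phone client certificate) with plain openssl in a scratch directory, and then runs the checks worth doing on /etc/asterisk/keys after the real script has been used: the server certificate chains to ca.crt, the CN is the name phones and trunks will connect to, the private key matches the certificate, the bundle holds what tlscertfile needs, and the key files are not readable by other users. The chains_to_ca helper is also the check from the "Important Note" at the top of the page: a phone with the CA installed, or a remote PBX with the CA copied over, validates against that CA, while anything verified against a different CA fails. It assumes the openssl command-line tool is installed; the function names and the values pbx.example.test, exampleorg and user1001 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Xorcom page or the ast_tls_cert script.
# Rebuilds CA + server + client material with plain openssl in a scratch
# directory and checks it the way you would check /etc/asterisk/keys.
# Assumed: the openssl CLI is installed. Function names and the values
# pbx.example.test / exampleorg / user1001 are constructed for the demo.
set -u

# gen_pbx_certs DIR CN ORG: private CA + PBX server certificate + chain bundle
gen_pbx_certs() {
  dir=$1; cn=$2; org=$3
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
    -subj "/CN=Asterisk Private CA/O=$org" 2>/dev/null
  openssl genrsa -out "$dir/asterisk.key" 2048 2>/dev/null
  openssl req -new -key "$dir/asterisk.key" -out "$dir/asterisk.csr" \
    -subj "/CN=$cn/O=$org" 2>/dev/null
  openssl x509 -req -in "$dir/asterisk.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/asterisk.crt" -days 365 2>/dev/null
  # asterisk.pem = server key + server cert + CA cert: the bundle tlscertfile points at
  cat "$dir/asterisk.key" "$dir/asterisk.crt" "$dir/ca.crt" > "$dir/asterisk.pem"
  chmod 600 "$dir/ca.key" "$dir/asterisk.key" "$dir/asterisk.pem"
}

# gen_client_cert DIR USER ORG: per-phone certificate signed by the same CA -> USER.pem
gen_client_cert() {
  dir=$1; user=$2; org=$3
  openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" \
    -subj "/CN=$user/O=$org" 2>/dev/null
  openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/$user.crt" -days 365 2>/dev/null
  cat "$dir/$user.key" "$dir/$user.crt" "$dir/ca.crt" > "$dir/$user.pem"
  chmod 600 "$dir/$user.key" "$dir/$user.pem"
}

# chains_to_ca CAFILE CERT: 0 when CERT validates against CAFILE, else 1.
# This is the check a phone with the CA installed, or a remote PBX with the
# CA copied over, performs; a certificate issued by a different CA fails it.
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_pbx_certs DIR CN: 0 when the generated server material is consistent
verify_pbx_certs() {
  dir=$1; cn=$2
  chains_to_ca "$dir/ca.crt" "$dir/asterisk.crt" || return 1
  # CN must be the name phones and trunks are configured to connect to
  openssl x509 -in "$dir/asterisk.crt" -noout -subject | grep -q "CN *= *$cn" || return 1
  # private key must belong to the certificate (compare the public keys)
  k=$(openssl pkey -in "$dir/asterisk.key" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$dir/asterisk.crt" -noout -pubkey) || return 1
  [ "$k" = "$c" ] || return 1
  # bundle must carry the key and both certificates
  grep -q 'PRIVATE KEY' "$dir/asterisk.pem" || return 1
  [ "$(grep -c 'BEGIN CERTIFICATE' "$dir/asterisk.pem")" -eq 2 ] || return 1
  # key files must not be group- or world-readable
  for f in ca.key asterisk.key asterisk.pem; do
    [ "$(ls -l "$dir/$f" | cut -c1-10)" = "-rw-------" ] || return 1
  done
  return 0
}

# Stand-alone demo in a scratch directory (constructed values)
demo_dir=$(mktemp -d)
gen_pbx_certs "$demo_dir" pbx.example.test exampleorg
gen_client_cert "$demo_dir" user1001 exampleorg
if verify_pbx_certs "$demo_dir" pbx.example.test && chains_to_ca "$demo_dir/ca.crt" "$demo_dir/user1001.crt"; then
  echo "server and client certificates chain to $demo_dir/ca.crt"
fi
rm -rf "$demo_dir"
```

To check a real installation, point verify_pbx_certs at /etc/asterisk/keys with the CN you passed to ast_tls_cert; the permission check expects the keys to be readable only by their owner, which is the asterisk user after the chown step above.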