Chapter 9. TLS certificate creation

Table of Contents

Certificate Common Name
Install the OpenSSL utility
Install the Let's Encrypt certbot utility
Install a TLS certificate using Let's Encrypt (certbot)
Install a TLS certificate manually

Certificates are an essential security mechanism for most federated and distributed technologies on the Internet.

Certificates may be referred to as X.509 certificates, SSL certificates or TLS certificates. For most purposes, these terms all refer to the same thing and the term TLS certificate is used throughout this documentation.

The prices of TLS certificates vary significantly. It is not necessarily useful to purchase the most expensive one.

The free TLS certificates from the Let's Encrypt Project, which is supported by the EFF and Linux Foundation, are a good choice for the vast majority of RTC projects, including WebRTC. Let's Encrypt is not just a new Certificate Authority, they also promote the use of an automated tool for the acquisition and renewal of certificates. This dramatically reduces the amount of manual effort involved in using certificates, especially for people who host multiple sites and domains. That said, the initial version of the Let's Encrypt tool has been designed for use with web servers and some manual tweaking is required to use it with SIP, XMPP, WebSocket and TURN servers. Early versions of the tool also failed to operate correctly on some servers with IPv6 addresses and some Apache configurations, although most of these issues were resolved by mid-2016.

You do need to make sure that the certificate issued by the Certificate Authority (CA) includes both the TLS client and TLS server Extended Key Usage (EKU) extensions, some only include the latter. The free certificates from StartSSL/StartCom do not have the TLS client extension and can't be used. The SSL Standard certificate which costs about $16 (free with a domain registration or transfer) is known to be suitable.

If you are using some older IP desk phones, the phones may not have support for the Let's Encrypt root certificate in their firmware. If this is the case, you may need to update the firmware, obtain a newer model phone or use certificates from a more established Certificate Authority. For example, some older Polycom phones do not work with Let's Encrypt but they work fine with the low cost certificates.