Security Guide

SIP TLS Certificate Setup

8 min read  ·  Updated April 2026

TLS for SIP requires a properly configured certificate on your SBC or PBX. Certificate errors are one of the most common reasons TLS-encrypted SIP fails silently. Here's how to set it up correctly and fix the most common certificate problems.


1. Certificate requirements for SIP TLS

SIP TLS uses standard X.509 certificates — the same format as HTTPS. Requirements vary by use case:

2. Using Let's Encrypt for SIP TLS

Let's Encrypt provides free, publicly trusted certificates — ideal for SIP TLS. The certificate is valid for 90 days and must be renewed automatically.

# Install certbot
apt-get install certbot

# Get certificate (standalone mode: certbot temporarily listens on port 80)
certbot certonly --standalone -d sip.example.com

# Certificates are saved to:
#   /etc/letsencrypt/live/sip.example.com/fullchain.pem  (cert + chain)
#   /etc/letsencrypt/live/sip.example.com/privkey.pem    (private key)
#   /etc/letsencrypt/live/sip.example.com/cert.pem       (cert only)
#   /etc/letsencrypt/live/sip.example.com/chain.pem      (chain only)

# Auto-renewal (test first)
certbot renew --dry-run

# Add to crontab for auto-renewal (daily at 03:00, reload Asterisk afterwards)
0 3 * * * certbot renew --quiet --post-hook "systemctl reload asterisk"

Important: Use fullchain.pem (not cert.pem) as your certificate file. fullchain.pem includes the intermediate certificates that clients need to validate the chain.
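A `--post-hook` runs after every `certbot renew` attempt, even when nothing was renewed. certbot also offers `--deploy-hook`, which runs only after a certificate was actually renewed and exports `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory). The script below is an added example of such a hook; it is not from this guide, certbot or Asterisk. It assumes the PBX reads its certificates from `/etc/asterisk/keys`, runs as the `asterisk` user and is reloaded with `systemctl reload asterisk` (all three are adjustable assumptions). It exists because Let's Encrypt keeps `privkey.pem` readable by root only, so a PBX running unprivileged cannot read it in place, and because a key that does not match the certificate produces exactly the kind of silent handshake failure the guide warns about.

```shell
#!/bin/sh
# Added example: a certbot --deploy-hook for a PBX, not code from this guide,
# certbot or Asterisk. certbot runs a deploy hook only after a certificate was
# actually renewed and exports RENEWED_LINEAGE. The hook copies the renewed pair
# into a PBX-owned directory, checks that the key matches the certificate, and
# only then reloads the PBX.
set -e

# Assumptions for this example (adjust for your install): where the PBX reads its
# certificates, the user it runs as, and how it is reloaded.
KEY_DIR="${KEY_DIR:-/etc/asterisk/keys}"
PBX_USER="${PBX_USER:-asterisk}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload asterisk}"

# cert_matches_key CERT KEY: compare the public key inside the first certificate
# of CERT with the public half of KEY (both printed as PEM SubjectPublicKeyInfo,
# so they are byte-identical for a matching pair). A mismatch guarantees that
# every TLS handshake fails.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# install_sip_cert LINEAGE_DIR: copy fullchain.pem + privkey.pem into KEY_DIR
# with group-readable permissions so the PBX user can open them.
install_sip_cert() {
    lineage="$1"
    if ! cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
        echo "privkey.pem does not match fullchain.pem, not installing" >&2
        return 1
    fi
    install -d -m 0750 "$KEY_DIR"
    # fullchain.pem (cert + intermediates), never cert.pem, is what the transport serves.
    install -m 0640 "$lineage/fullchain.pem" "$KEY_DIR/fullchain.pem"
    install -m 0640 "$lineage/privkey.pem"   "$KEY_DIR/privkey.pem"
    # Hand the directory to the PBX user when that account exists on this host.
    if id "$PBX_USER" >/dev/null 2>&1; then
        chown -R "$PBX_USER" "$KEY_DIR"
    fi
}

# Entry point when certbot invokes the hook; nothing runs while RENEWED_LINEAGE is unset.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_sip_cert "$RENEWED_LINEAGE"
    $RELOAD_CMD
fi
```

Save it, for example, as `/usr/local/sbin/sip-cert-deploy.sh` (a hypothetical path), make it executable, and replace the crontab's `--post-hook "systemctl reload asterisk"` with `--deploy-hook /usr/local/sbin/sip-cert-deploy.sh`; point `tlscertfile`/`cert_file` and `tlsprivatekey`/`priv_key_file` at the copies in `KEY_DIR`.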

3. Asterisk TLS configuration

; In sip.conf (chan_sip)
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/letsencrypt/live/sip.example.com/fullchain.pem
tlsprivatekey=/etc/letsencrypt/live/sip.example.com/privkey.pem
tlscafile=/etc/ssl/certs/ca-certificates.crt
tlsclientmethod=tlsv1_2

; For a TLS peer
[mytrunk]
type=peer
host=sip.provider.com
transport=tls
tlspeer=sip.provider.com

; In pjsip.conf (PJSIP)
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/letsencrypt/live/sip.example.com/fullchain.pem
priv_key_file=/etc/letsencrypt/live/sip.example.com/privkey.pem
ca_list_file=/etc/ssl/certs/ca-certificates.crt
method=tlsv1_2
verify_server=yes
verify_client=no

4. SBC TLS configuration

Most SBC platforms (AudioCodes, Ribbon, Oracle, Cisco) have a certificate management section in the web UI. General steps:

  1. Generate a CSR on the SBC with the correct FQDN as the Common Name
  2. Submit the CSR to your CA (or use the PKCS#12 import if using Let's Encrypt)
  3. Import the signed certificate and full chain
  4. Import the CA root certificate to the SBC's trusted CA store
  5. Assign the certificate to the TLS context used by your SIP interfaces
  6. Set TLS version to 1.2 minimum in the TLS context settings

For Let's Encrypt on SBCs that require PKCS#12:

# Convert Let's Encrypt PEM to PKCS#12 (fullchain.pem so the intermediates travel with the cert)
openssl pkcs12 -export \
  -in /etc/letsencrypt/live/sip.example.com/fullchain.pem \
  -inkey /etc/letsencrypt/live/sip.example.com/privkey.pem \
  -out sip-cert.p12 -passout pass:yourpassword

5. Common certificate errors

Error 01
SSL_ERROR_RX_RECORD_TOO_LONG / TLS handshake failure
The remote peer is sending plain SIP (UDP/TCP) to your TLS port, or vice versa. Check that both sides have TLS configured and are using port 5061 (not 5060). Also check for firewalls that strip TLS and pass plaintext.
Error 02
Certificate verify failed — unable to get local issuer
Missing intermediate certificate. The server presented only the end-entity certificate without the intermediate chain. Use fullchain.pem instead of cert.pem. For SBCs, ensure intermediate certificates are included in the certificate bundle you import.
Error 03
Certificate hostname mismatch
The CN/SAN in the certificate does not match the hostname the client is connecting to. Check that the certificate Subject Alternative Name includes exactly the FQDN your SIP clients use. Wildcard certificates (*.example.com) work for subdomains but not the root domain.
Error 04
Certificate expired
Let's Encrypt certificates expire after 90 days. Check expiry with: openssl x509 -enddate -noout -in cert.pem. Set up automatic renewal with certbot renew in cron and reload Asterisk/SBC after renewal.

6. Testing TLS configuration

# Test TLS connection to your SIP server (</dev/null closes the session instead of waiting for input)
openssl s_client -connect sip.example.com:5061 -tls1_2 </dev/null

# Check certificate details
openssl s_client -connect sip.example.com:5061 </dev/null 2>/dev/null | openssl x509 -noout -text

# Verify certificate chain
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt sip.example.com.crt

# Check expiry
openssl x509 -enddate -noout -in /etc/letsencrypt/live/sip.example.com/cert.pem

# Test with SIP OPTIONS via TLS
sipsak -T -s sips:sip.example.com
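The commands above need a live server. The script below is an added example (not from this guide, Asterisk, or any SBC vendor) that runs the same three checks from section 5, chain, hostname and expiry, against a certificate bundle on disk before it is deployed, and builds a constructed root, intermediate and end-entity chain so that errors 02, 03 and 04 can be reproduced offline. It assumes only `openssl` (1.1.1 or later) and the `fullchain.pem` layout of end-entity certificate first, intermediates after; `sip.example.com`, `pbx.example.com` and the certificate names are constructed. One caveat it encodes: `openssl x509 -checkhost` only prints its verdict and exits 0 either way, so the verdict has to be read from the output, whereas `-checkend` does set the exit status.

```shell
#!/bin/sh
# Added example (not from this guide, Asterisk, or any SBC vendor): an offline
# pre-flight check for a SIP TLS certificate bundle, plus a constructed two-tier
# test PKI that reproduces errors 02, 03 and 04 without touching a live server.
set -e

# check_sip_cert BUNDLE CA_FILE FQDN [MIN_DAYS]
# BUNDLE is a fullchain.pem-style file (end-entity cert first, intermediates after).
# Prints one line per check; the return value is the number of failed checks,
# so 0 means the bundle is ready to be served on port 5061.
check_sip_cert() {
    bundle="$1"; ca="$2"; fqdn="$3"; min_days="${4:-30}"
    failed=0
    # `openssl x509` reads only the first PEM block, i.e. the end-entity cert.
    leaf=$(mktemp)
    openssl x509 -in "$bundle" -out "$leaf"

    # Error 02: the chain must build from the leaf, through the intermediates
    # carried in the bundle, up to a root the peer trusts (CA_FILE).
    if openssl verify -CAfile "$ca" -untrusted "$bundle" "$leaf" >/dev/null 2>&1; then
        echo "chain:    OK"
    else
        echo "chain:    FAIL (missing intermediate or untrusted root)"; failed=$((failed + 1))
    fi

    # Error 03: the FQDN the clients dial must appear in the CN/SAN.
    # -checkhost only prints its verdict (exit status is 0 either way), so grep it.
    if openssl x509 -in "$leaf" -noout -checkhost "$fqdn" | grep -q "does match"; then
        echo "hostname: OK ($fqdn)"
    else
        echo "hostname: FAIL (no CN/SAN for $fqdn)"; failed=$((failed + 1))
    fi

    # Error 04: -checkend exits non-zero if the cert expires within N seconds,
    # which is what renewal monitoring should alarm on, well before the expiry itself.
    if openssl x509 -in "$leaf" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "expiry:   OK (more than $min_days days left)"
    else
        echo "expiry:   FAIL (expires within $min_days days)"; failed=$((failed + 1))
    fi
    rm -f "$leaf"
    return "$failed"
}

# make_test_pki DIR FQDN: constructed root -> intermediate -> end-entity chain,
# laid out like a Let's Encrypt lineage (cert.pem, privkey.pem, fullchain.pem)
# plus root.pem standing in for the system CA bundle.
make_test_pki() {
    d="$1"; fqdn="$2"
    # Minimal req config so the result does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:true\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$d/req.cnf"
    printf 'basicConstraints = critical,CA:true\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/int.ext"
    printf 'basicConstraints = CA:false\nsubjectAltName = DNS:%s\n' "$fqdn" > "$d/leaf.ext"
    # Root CA (self-signed), valid 2 days.
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Test Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Test Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/int.ext" -out "$d/int.pem" 2>/dev/null
    # End-entity cert for the SIP FQDN, signed by the intermediate.
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null
    # fullchain.pem = end-entity cert followed by the intermediate: the file to serve.
    cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Demo on the constructed PKI (the trap removes it when the script exits).
PKI=$(mktemp -d); trap 'rm -rf "$PKI"' EXIT
make_test_pki "$PKI" sip.example.com

echo "== fullchain.pem, correct FQDN, 1-day window: expect all OK"
check_sip_cert "$PKI/fullchain.pem" "$PKI/root.pem" sip.example.com 1 || true
echo "== cert.pem alone, wrong FQDN, 30-day window: expect 3 failures"
check_sip_cert "$PKI/cert.pem" "$PKI/root.pem" pbx.example.com 30 || echo "failed checks: $?"
```

Against a real lineage, call `check_sip_cert /etc/letsencrypt/live/sip.example.com/fullchain.pem /etc/ssl/certs/ca-certificates.crt sip.example.com 30` from the deploy hook or a monitoring job; a non-zero return is the signal to stop before the PBX or SBC is reloaded with a bundle that peers will reject.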

Frequently asked questions

What certificate do I need for SIP TLS?

For SIP TLS you need an X.509 certificate where the CN or Subject Alternative Name matches the FQDN your SIP clients connect to. For connections to carriers or Microsoft Teams, the certificate must be from a publicly trusted CA. You must present the full certificate chain including intermediates. TLS 1.2 minimum is required.

Can I use Let's Encrypt for SIP TLS?

Yes — Let's Encrypt certificates work for SIP TLS. Use certbot to obtain a certificate for your SIP server FQDN. Use fullchain.pem (not cert.pem) to include the intermediate chain. Set up automatic renewal since Let's Encrypt certificates expire after 90 days. Add a post-hook to reload Asterisk or your SBC after renewal.

How do I fix SIP TLS certificate errors?

Common fixes: use fullchain.pem instead of cert.pem to include intermediate certificates, verify the certificate CN/SAN matches the FQDN exactly, ensure both sides are using port 5061 with TLS (not port 5060), check certificate expiry with openssl x509 -enddate, and confirm TLS 1.0/1.1 are disabled if your peer requires TLS 1.2+.

Having SIP TLS certificate issues?

Paste your SIP trace into SIPSymposium. The analyzer detects TLS handshake failures, identifies certificate chain issues, and checks for hostname mismatches in SIP TLS connections.
