TLS certificates and their management are something we take for granted every day when we visit a website. Sit down and try to explain to someone how it all fits together, however, and it is easy to overwhelm them: the machinery is complicated, but it is the foundation of many things. This applies to WebRTC as well as to websites, since TLS certificates are used there too, in several different capacities, and WebRTC developers and users have had to learn about them as a result.
Signaling has been left undefined by the WebRTC standards. What is very common across implementations, though, is the use of WebSockets for talking to the server in a bidirectional fashion. As WebSockets run over HTTPS, they too require a TLS certificate to be in place.
DTLS is used by WebRTC to secure the media that flows between peers. Certificates are required on both sides, and the result of the DTLS negotiation is used to key the RTP media. Browsers create ephemeral certificates for this in the background themselves. Up until now Asterisk has not done this; it has required TLS certificates to be explicitly configured.
While we do not yet have Let’s Encrypt support within Asterisk, we now have ephemeral DTLS certificate creation of our own. As of Asterisk 15 there is a new PJSIP option, “dtls_auto_generate_cert”, which turns on ephemeral DTLS certificate support. This was contributed by community member Sean Bright and is a welcome addition for many. If it is enabled you no longer need to provide a certificate in the DTLS options; one will be created in the background and used.
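As an added example (not from the original post or the Asterisk project), here is a hypothetical pjsip.conf WebRTC endpoint written both ways: with an explicitly configured certificate, and with the new dtls_auto_generate_cert option. Endpoint names, codecs and file paths are placeholders.

```ini
; pjsip.conf (added example, not from the original post). Endpoint names
; and file paths are placeholders.

; BEFORE: a certificate and key must be supplied explicitly, so their
; expiry, renewal and file permissions are yours to track.
[webrtc-explicit]
type=endpoint
context=default
disallow=all
allow=opus,ulaw
use_avpf=yes
ice_support=yes
media_encryption=dtls
dtls_cert_file=/etc/asterisk/keys/asterisk.pem   ; placeholder path
dtls_private_key=/etc/asterisk/keys/asterisk.key ; placeholder path
; Browsers present self-signed ephemeral certificates, so the peer is
; verified against the a=fingerprint in the SDP, not against a CA.
dtls_verify=fingerprint
dtls_setup=actpass

; AFTER (Asterisk 15+): Asterisk creates an ephemeral certificate itself,
; as browsers already do. No cert/key file options are needed.
[webrtc-ephemeral]
type=endpoint
context=default
disallow=all
allow=opus,ulaw
use_avpf=yes
ice_support=yes
media_encryption=dtls
dtls_auto_generate_cert=yes
dtls_verify=fingerprint
dtls_setup=actpass
```

Keep dtls_verify=fingerprint in both cases: with ephemeral self-signed certificates on both sides, fingerprint verification against the signaled SDP is what binds the DTLS handshake to the session.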