The Woes of TLS Certificates and WebRTC

By Joshua C. Colp

TLS certificates and their management are something we take for granted every day when we visit a website. If you sit down and try to explain to someone how it all fits together, however, it is quite easy to overwhelm them. It is complicated to understand, but it’s the foundation of many things. This applies to WebRTC as well as websites: TLS certificates are used there in several different capacities, which has required WebRTC developers and users to learn about them too.



In order to use WebRTC you have to serve a web page with JavaScript code that uses the WebRTC APIs the browser makes available. For some time now browsers have required that these pages be delivered over an HTTPS connection, which requires a TLS certificate. With the creation of Let’s Encrypt this has become easier to manage and deploy. Instead of having to go to a certificate authority directly and pay, you can get a certificate issued automatically for free.


Signaling has been left undefined by the WebRTC standards. Very common in practice, though, is the use of websockets to talk to the server in a bidirectional fashion. As websockets run over HTTPS, they too require a TLS certificate to be in place.


DTLS is used by WebRTC to secure the underlying media flow. TLS certificates are required on both sides, and the result of the DTLS negotiation is used to key the RTP media. Browsers create ephemeral certificates for this themselves in the background. Up until now Asterisk has not done this; it has required explicit configuration of TLS certificates.

Asterisk 15

While we do not have Let’s Encrypt support within Asterisk, we now have ephemeral DTLS certificate creation of our own. As of Asterisk 15 there is a new option, “dtls_auto_generate_cert”, in PJSIP which turns on ephemeral DTLS certificate support. This was contributed by community member Sean Bright and is a welcome addition for many. If it is enabled you no longer need to provide a certificate in the DTLS options; one will be created in the background and used.
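As an added illustration (not taken from the original post or the Asterisk sample configuration), here are two pjsip.conf endpoints side by side: one with an explicitly configured DTLS certificate and one that uses the new option. The endpoint names and file paths are placeholders, and only the media-related options are shown.

```ini
; pjsip.conf (constructed example; names and paths are placeholders)

; Before Asterisk 15: the DTLS certificate and key must exist on disk
; and be referenced explicitly.
[webrtc-client-explicit]
type=endpoint
context=default
disallow=all
allow=opus,ulaw
use_avpf=yes
ice_support=yes
media_encryption=dtls          ; key the RTP media from the DTLS handshake
dtls_setup=actpass
dtls_verify=fingerprint        ; check the peer certificate against the
                               ; fingerprint carried in its SDP
dtls_cert_file=/path/to/asterisk.crt     ; placeholder path
dtls_private_key=/path/to/asterisk.key   ; placeholder path

; Asterisk 15 and later: no certificate files for DTLS. Asterisk creates
; an ephemeral certificate in the background, as browsers do.
[webrtc-client-ephemeral]
type=endpoint
context=default
disallow=all
allow=opus,ulaw
use_avpf=yes
ice_support=yes
media_encryption=dtls
dtls_setup=actpass
dtls_verify=fingerprint
dtls_auto_generate_cert=yes

; This covers the DTLS media certificate only. The HTTPS page and the
; secure websocket used for signaling still need their own TLS certificate.
```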

About the Author

Joshua C. Colp

Joshua Colp is a Senior Software Developer at Digium and a long time Asterisk developer. He originally started in the community submitting simple patches and grew into improving and creating new core components of Asterisk itself. He is a self-taught programmer who believes in finding the balance between doing things the way they should be done and doing what is right for the people using the software. In his spare time he enjoys smashing fax machines.
