Submitted by tensai on
TLS for SIP and RTP has long been on my hit list. I've been traveling a lot more for work recently, so secure mobile VoIP has gone up in priority.
Step 1, create a private key and a certificate signing request for your SSL certificate.
openssl req -out certreq.pem -new -nodes -keyout key.pem
(Optional) Step 1a, sign the SSL cert with your own CA. Otherwise, get it signed by a trusted CA.
openssl ca -in certreq.pem -out cert.pem
Step 2, set up Asterisk. Add this to sip.conf:
tlsenable=yes
tlscertfile=/path/to/your/cert.pem
tlsprivatekey=/path/to/your/key.pem
tlscafile=/path/to/your/ca.pem
Step 2a, enable encryption for each peer:
[mysecurefriend]
encryption=yes
Step 3a, set up Kamailio. Add this to kamailio.cfg:
enable_tls=yes
loadmodule "tls.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")
Step 3b, create a tls.cfg:
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/cert.pem
ca_list = /etc/kamailio/ca.pem
[client:default]
verify_certificate = yes
require_certificate = yes
Step 4, ensure that port 5061 is open in your firewall.
Step 5, enable TLS in your client. This part is left as an exercise to the reader.
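Before restarting Asterisk and Kamailio, it is worth confirming that cert.pem, key.pem and ca.pem from steps 1 and 1a actually fit together. The script below is an added example, not part of the original post; the function names, the 30-day expiry threshold and the throwaway test CA (signed with "openssl x509 -req" instead of "openssl ca") are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity-check cert.pem, key.pem and ca.pem before sip.conf and
# tls.cfg are pointed at them. The return code says which check failed.
check_tls_files() {
    cert=$1; key=$2; ca=$3

    # 1. The certificate must chain to the CA file that peers will trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca"; return 1; }

    # 2. The private key must belong to the certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert"; return 2; }

    # 3. The certificate must stay valid for at least 30 more days (assumed threshold).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: $cert expires within 30 days"; return 3; }

    # 4. -nodes leaves key.pem unencrypted, so only its owner should read it.
    case "$(ls -lL "$key")" in
        -???------*) ;;
        *) echo "FAIL: $key is readable by group or others"; return 4 ;;
    esac
    echo "OK: $cert, $key and $ca are consistent"
}

# Constructed test material: a throwaway CA and server certificate in DIR.
# Assumption: signs with "openssl x509 -req" rather than "openssl ca", so no
# CA directory setup is needed. Subject names are placeholders.
make_demo_pki() {
    d=$1
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=Example Test CA" \
          -keyout "$d/cakey.pem" -out "$d/ca.pem" 2>/dev/null &&
      openssl req -new -newkey rsa:2048 -nodes \
          -subj "/CN=sip.example.test" \
          -keyout "$d/key.pem" -out "$d/certreq.pem" 2>/dev/null &&
      openssl x509 -req -in "$d/certreq.pem" -days 365 \
          -CA "$d/ca.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
          -out "$d/cert.pem" 2>/dev/null )
}

# Usage: sh check_tls.sh cert.pem key.pem ca.pem
if [ "$#" -eq 3 ]; then check_tls_files "$1" "$2" "$3"; fi
```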