Encrypting SIP with TLS (SIPS)

TLS, like SSL before it, depends on certificates issued by a Certification Authority (CA) that vouches for the identity of the certificate holder. You can buy a TLS certificate from the same CAs that sell HTTPS certificates for the Web, and you can then use that same certificate for WebSockets, WebRTC and mod_verto too (and for the HTTPS website with the same name as your SIP registrar, for example https://pbx.freeswitch.org).

Also, you can use free and valid certificates from https://letsencrypt.org/ (see the automatic script on the FreeSWITCH Confluence page about the verto_communicator demo installation on Debian 8).

The tool you use to generate the various certificates involved is the (aptly named) gentls_cert:

/usr/local/freeswitch/bin/gentls_cert command -cn pbx.freeswitch.org -alt DNS:pbx.freeswitch.org -org freeswitch.org

(Instead of pbx.freeswitch.org and freeswitch.org, use the FQDN your clients will use as SIP registrar and the SIP domain.) You will run the same utility with the same arguments but a different command each time: first, setup creates your CA; then create_server generates FreeSWITCH's agent (server) certificate, and create_client generates the optional client certificate. You will find them all in /usr/local/freeswitch/conf/ssl/ (you may also need to copy cafile.pem to the clients, so that they have the entire chain up to the CA).

Then, edit /usr/local/freeswitch/conf/vars.xml and modify the following line so that it reads true:

  <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=true"/>

Restart FreeSWITCH and the setting takes effect. Then configure the clients to use TLS and to connect to FreeSWITCH's port 5061. That's it: your signaling is encrypted. (Beware: clients behind NATs or firewalls can have problems receiving incoming calls; in that case, use VPNs instead of TLS.)
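The steps above, gathered into one shell helper as an added example (this is not the book's or the FreeSWITCH project's own script): it runs the three gentls_cert commands with identical arguments, flips internal_ssl_enable in vars.xml, and, after the restart, checks that port 5061 presents a certificate that validates against the cafile.pem the clients receive. The FS_PREFIX, SIP_FQDN and SIP_ORG variables and the pbx.example.com / example.com names are placeholders of this example; gentls_cert and openssl are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the book: apply and check the SIP-over-TLS setup.
# Assumptions (placeholders): FreeSWITCH under $FS_PREFIX, the registrar
# FQDN in $SIP_FQDN, the SIP domain in $SIP_ORG, gentls_cert/openssl on PATH.
FS_PREFIX="${FS_PREFIX:-/usr/local/freeswitch}"
SIP_FQDN="${SIP_FQDN:-pbx.example.com}"   # placeholder registrar FQDN
SIP_ORG="${SIP_ORG:-example.com}"         # placeholder SIP domain

# Steps 1-3: CA, server (agent) certificate and optional client certificate.
# Same arguments every time, only the command changes.
gen_certs() {
    for cmd in setup create_server create_client; do
        "$FS_PREFIX/bin/gentls_cert" "$cmd" -cn "$SIP_FQDN" \
            -alt "DNS:$SIP_FQDN" -org "$SIP_ORG" || return 1
    done
}

# Step 4: set internal_ssl_enable=true in the given vars.xml.
# Returns non-zero (and leaves the file alone) if the line is not present,
# so a typo in the path does not silently produce an unencrypted profile.
enable_internal_ssl() {
    file="$1"
    grep -q 'data="internal_ssl_enable=' "$file" || return 1
    sed 's/data="internal_ssl_enable=[a-z]*"/data="internal_ssl_enable=true"/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the current value of internal_ssl_enable from a vars.xml.
internal_ssl_value() {
    sed -n 's/.*data="internal_ssl_enable=\([a-z]*\)".*/\1/p' "$1"
}

# Step 5 (after the restart): confirm the TLS listener on 5061 presents a
# certificate that chains to cafile.pem and whose CN is the registrar FQDN.
# -verify_return_error makes s_client fail instead of merely warning.
check_tls_listener() {
    host="$1"; cafile="$2"
    out=$(openssl s_client -connect "$host:5061" -servername "$host" \
              -CAfile "$cafile" -verify_return_error </dev/null 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || return 1
    printf '%s\n' "$out" | openssl x509 -noout -subject | grep -q "CN *= *$host"
}

# Usage: sh this_script.sh apply   (then restart FreeSWITCH)
#        sh this_script.sh check   (verify the listener from a client host)
case "${1:-}" in
    apply)
        gen_certs && enable_internal_ssl "$FS_PREFIX/conf/vars.xml" \
            && echo "certificates generated, TLS enabled; restart FreeSWITCH" ;;
    check)
        check_tls_listener "$SIP_FQDN" "$FS_PREFIX/conf/ssl/cafile.pem" \
            && echo "5061 OK: chain valid, CN matches $SIP_FQDN" ;;
esac
```

The listener check is the one clients implicitly perform: if it fails against cafile.pem, a softphone that was handed the same file will refuse to register, so run it before rolling the configuration out to users.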
