Polycom 1725-31424-001 manual Deployment Guide Polycom CX700


Making the Root CA Certificate Available to a Polycom CX700 Phone

Communication between the Polycom CX700 phone and Microsoft Office Communications Server 2007 R2 is by default encrypted using TLS and SRTP. Therefore, the device needs to trust certificates presented by Microsoft Office Communications Server 2007 R2 servers. If the servers use public certificates, they will most likely be automatically trusted by the phone, since it contains the same list of trusted certificate authorities (CAs) as Windows CE. However, since most Microsoft Office Communications Server 2007 R2 deployments use internal certificates for the internal Microsoft Office Communications Server 2007 R2 server roles, the Root CA certificate from the internal CA must be installed on the phone. It is not possible to manually install the Root CA certificate on the phone, so it needs to come via the network.

The Polycom CX700 phone is able to download the certificate using two methods:

The device will search for AD objects of category certificationAuthority. If the search returns any objects, it will use the attribute caCertificate. That attribute is assumed to hold the certificate and the device will install the certificate. To get the Root CA certificate placed in the caCertificate attribute, use the command certutil -f -dspublish <Root CA certificate in .cer file> RootCA. This command will publish the certificate as required by the Polycom CX700 phone.

If the search for AD objects of category certificationAuthority does not return any or if the objects have empty caCertificate attributes, the phone will search for AD objects of category pKIEnrollmentService in the configuration naming context. Such objects exist if Certificate AutoEnrollment has been enabled in Active Directory. If the search returns any objects, it will use the dNSHostName attribute returned to reference the CA and it will then use the Web interface of the Microsoft Certificates Service to retrieve the Root CA certificate using the HTTP GET command http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64.

If neither of these methods succeeds, the error message “Cannot validate server certificate” appears on the screen and the user will not be able to use the phone.
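The two lookups and the failure case described above can be checked before phones are deployed by running the same decision over an LDIF export of the directory. The following is an added example, not code from the Polycom guide. Assumptions: the export lists objectClass values (used here as a stand-in for the phone's category search), and the DNs, host name and base64 value in the sample are constructed placeholders.

```python
import base64

# Constructed LDIF excerpt (not real directory data): a CA object whose
# cACertificate attribute is empty, plus one enrollment service object.
SAMPLE_LDIF = """\
dn: CN=ExampleRootCA,CN=Certification Authorities,DC=example,DC=test
objectClass: certificationAuthority
cACertificate::

dn: CN=ExampleRootCA,CN=Enrollment Services,DC=example,DC=test
objectClass: pKIEnrollmentService
dNSHostName: ca01.example.test
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attr_lowercase: [bytes, ...]} entries."""
    lines, entries, current = [], [], {}
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:
        if line.startswith("#"):            # LDIF comment
            continue
        if not line.strip():                # blank line closes the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" carries binary data
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode()
        current.setdefault(name.lower(), []).append(data)
    return entries

def has_class(entry, cls):
    return cls.lower().encode() in [v.lower() for v in entry.get("objectclass", [])]

def predict_cx700(entries):
    """Return (method, detail) for the lookup order the guide describes."""
    cas = [e for e in entries if has_class(e, "certificationAuthority")]
    if any(cert for e in cas for cert in e.get("cacertificate", [])):
        return ("caCertificate", None)      # method 1: certificate read from AD
    for e in entries:
        if has_class(e, "pKIEnrollmentService") and e.get("dnshostname"):
            host = e["dnshostname"][0].decode()
            return ("certsrv", f"http://{host}/certsrv/certnew.p7b"
                               "?ReqID=CACert&Renewal=-1&Enc=b64")
    return ("fail", "Cannot validate server certificate")
```

A result of "certsrv" means the phones depend on plain-HTTP access to the CA's Web interface, so publishing the Root CA certificate with certutil removes that dependency.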
