How install custom device certificate with config files using 4.01B?

Dan1234 · ‎03-31-2012

I've been able to manually install a device certificate through the
Advanced->TLS menu area and specifying the URL of the device
certificate, but that's cumbersome for a large amount of phones.

In the example site.cfg file, I see the device.sec.TLS.customDeviceCert1.set
value to set a custom device cert, but when I manually add
device.sec.TLS.customDeviceCert1 and store the PEM encoded
certificate, the app.log file shows an error that
device.sec.TLS.customDeviceCert1 is an unknown parameter.

I've even tried storing the device certificate public key here:
sec.TLS.customDeviceCert.1 and the private key here:
sec.TLS.customDeviceKey.1 The parameters are accepted, but the
certificate still doesn't show up in Advanced->TLS->Custom device.
I've even turned on "Debug" level logging for TLS and Configuration,
and it shows no errors.

I've been able to store my custom CA certificate with no problem here:
device.sec.TLS.customCaCert1
and here:
sec.TLS.customCaCert.1

Does Polycom even support loading a device cert with config files?

Joao_Oliveira · ‎04-02-2012

I confess that I have already had the same question, but unfortunatly left unaswered by the Polycom reseller.

I would be very interested in this response.

Joao

SteffenBaierUK · ‎04-02-2012

Hello all,

I actually load for example a LYNC Certificate like this (shortened):

<LYNCCert>
<corprootca sec.TLS.profileSelection.SIP="ApplicationProfile1" sec.TLS.customCaCert.1="-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gJL3W9Ng9w5w9yDrpHtwfufG6UevQDcZj2NywtJ1OEu9MSos4dNyypDnI=
-----END CERTIFICATE-----" />
</LYNCCert>

Another Option in UCS 4.x.x is to actually load a certificate via the Web Interface onto the Phone, Browse to Settings => Network => TLS:

Above shows my Phone that has already imported a Certificate. You can see in Platform CA 2 that I just specify a HTTP Hyperlink. This was used to enable SRTP for an Asterisk Server.

The Phone will then download the Certificate if Install is pressed.

Ticking the Box next to an installed Certificate will offer you the functionality to delete the existing certificate.

Once this is installed you can check the correct parameters when exporting the Phones configuration.

Any issues that a reseller cannot resolve should be logged by the reseller with Polycom Support.

Best Regards

Steffen Baier

Polycom Global Services

Please be aware:

The purpose of these forums is to allow community members collaborate and help each other.
Questions posted here do not follow Polycom’s SLA guidelines.
If you require assistance from Polycom technical support, please open a web service request or call us .

Above is necessary in order to track issue internally within Polycom.

Please ensure to always check the VoIP FAQ , PSTN FAQ or RPM FAQ

If you find my post helpful, and it answers your question, please mark it as an "Accepted Solution" and feel free to give me Kudos.

Dan1234 · ‎04-16-2012

Steffen, we all know how to add CA certs to the phones with config files, and I've been able to manually add device certificates through the phone and the phone's website, but this doesn't work for large numbers of phones. It has to be done with config files.

After 20+ hours of work, and figuring out UNDOCUMENTED settings that are NOWHERE to be found in the manual, here's my definitive guide to certificates on polycom phones with 4.x software. I leave it up to the reader to decide which code snippets to use in their own config files, as it's highly site-dependent on how you want to implement encryption.

CA certificate for Platform CA1:

    <device.sec.TLS 
        device.sec.TLS.customCaCert1="-----BEGIN CERTIFICATE----- 
blah blah blah
-----END CERTIFICATE-----"> 
      <device.sec.TLS.customCaCert1
           device.sec.TLS.customCaCert1.set="1"> 
      </device.sec.TLS.customCaCert1>

CA certificate for Application CA1:

      <sec.TLS.customCaCert sec.TLS.customCaCert.1="-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----">

Device certificate loaded as Platform1:

      <device.sec.TLS.customDeviceCert1 
          device.sec.TLS.customDeviceCert1.publicCert="-----BEGIN CERTIFICATE----- 
blah blah blah
-----END CERTIFICATE-----" 
          device.sec.TLS.customDeviceCert1.privateKey="-----BEGIN RSA PRIVATE KEY----- 
blah blah blah
-----END RSA PRIVATE KEY-----" 
          device.sec.TLS.customDeviceCert1.set="1"> 
      </device.sec.TLS.customDeviceCert1>

Device certificate loaded as Application1:

    <sec.TLS.customDeviceCert 
        sec.TLS.customDeviceCert.1="-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----">
    </sec.TLS.customDeviceCert> 
    <sec.TLS.customDeviceKey 
        sec.TLS.customDeviceKey.1="-----BEGIN RSA PRIVATE KEY-----
blah blah blah
-----END RSA PRIVATE KEY-----">
    </sec.TLS.customDeviceKey>

TonyJ · ‎06-25-2012

Hello Everyone,

I am new here. I tried Dan1234's suggestion on how to install customdevice certificate using config files and somehow I could not get mine to install on a VVX500. I put it both as custom device credentials platform1 and application1 on the site.cfg of mt tftp config folder.

Any inputs/suggestion is appreciated.

Thanks.

TonyJ

How install custom device certificate with config files using 4.01B?

Re: How install custom device certificate with config files using 4.01B?

Re: How install custom device certificate with config files using 4.01B?

Re: How install custom device certificate with config files using 4.01B?

Re: How install custom device certificate with config files using 4.01B?