I've been able to manually install a device certificate through the
Advanced->TLS menu area and specifying the URL of the device
certificate, but that's cumbersome for a large amount of phones.
In the example site.cfg file, I see the device.sec.TLS.customDeviceCert1.set
value to set a custom device cert, but when I manually add
device.sec.TLS.customDeviceCert1 and store the PEM encoded
certificate, the app.log file shows an error that
device.sec.TLS.customDeviceCert1 is an unknown parameter.
I've even tried storing the device certificate public key here:
sec.TLS.customDeviceCert.1 and the private key here:
sec.TLS.customDeviceKey.1 The parameters are accepted, but the
certificate still doesn't show up in Advanced->TLS->Custom device.
I've even turned on "Debug" level logging for TLS and Configuration,
and it shows no errors.
I've been able to store my custom CA certificate with no problem here:
Does Polycom even support loading a device cert with config files?
Solved! Go to Solution.
I confess that I have already had the same question, but unfortunatly left unaswered by the Polycom reseller.
I would be very interested in this response.
I actually load for example a LYNC Certificate like this (shortened):
<LYNCCert> <corprootca sec.TLS.profileSelection.SIP="ApplicationProfile1" sec.TLS.customCaCert.1="-----BEGIN CERTIFICATE----- MIIDtTCCAp2gJL3W9Ng9w5w9yDrpHtwfufG6UevQDcZj2NywtJ1OEu9MSos4dNyypDnI= -----END CERTIFICATE-----" /> </LYNCCert>
Another Option in UCS 4.x.x is to actually load a certificate via the Web Interface onto the Phone, Browse to Settings => Network => TLS:
Above shows my Phone that has already imported a Certificate. You can see in Platform CA 2 that I just specify a HTTP Hyperlink. This was used to enable SRTP for an Asterisk Server.
The Phone will then download the Certificate if Install is pressed.
Ticking the Box next to an installed Certificate will offer you the functionality to delete the existing certificate.
Once this is installed you can check the correct parameters when exporting the Phones configuration.
Any issues that a reseller cannot resolve should be logged by the reseller with Polycom Support.
Polycom Global Services
Steffen, we all know how to add CA certs to the phones with config files, and I've been able to manually add device certificates through the phone and the phone's website, but this doesn't work for large numbers of phones. It has to be done with config files.
After 20+ hours of work, and figuring out UNDOCUMENTED settings that are NOWHERE to be found in the manual, here's my definitive guide to certificates on polycom phones with 4.x software. I leave it up to the reader to decide which code snippets to use in their own config files, as it's highly site-dependent on how you want to implement encryption.
CA certificate for Platform CA1:
<device.sec.TLS device.set="1" device.sec.TLS.customCaCert1="-----BEGIN CERTIFICATE----- blah blah blah -----END CERTIFICATE-----"> <device.sec.TLS.customCaCert1 device.sec.TLS.customCaCert1.set="1"> </device.sec.TLS.customCaCert1>
CA certificate for Application CA1:
<sec.TLS.customCaCert sec.TLS.customCaCert.1="-----BEGIN CERTIFICATE----- blah blah blah -----END CERTIFICATE-----">
Device certificate loaded as Platform1:
<device.sec.TLS.customDeviceCert1 device.set="1" device.sec.TLS.customDeviceCert1.publicCert="-----BEGIN CERTIFICATE----- blah blah blah -----END CERTIFICATE-----" device.sec.TLS.customDeviceCert1.privateKey="-----BEGIN RSA PRIVATE KEY----- blah blah blah -----END RSA PRIVATE KEY-----" device.sec.TLS.customDeviceCert1.set="1"> </device.sec.TLS.customDeviceCert1>
Device certificate loaded as Application1:
<sec.TLS.customDeviceCert sec.TLS.customDeviceCert.1="-----BEGIN CERTIFICATE----- blah blah blah -----END CERTIFICATE-----"> </sec.TLS.customDeviceCert> <sec.TLS.customDeviceKey sec.TLS.customDeviceKey.1="-----BEGIN RSA PRIVATE KEY----- blah blah blah -----END RSA PRIVATE KEY-----"> </sec.TLS.customDeviceKey>
I am new here. I tried Dan1234's suggestion on how to install customdevice certificate using config files and somehow I could not get mine to install on a VVX500. I put it both as custom device credentials platform1 and application1 on the site.cfg of mt tftp config folder.
Any inputs/suggestion is appreciated.
This problem stumped me for a while too. I'm running 5.7, and I needed to set the global ".set" parameter which is needed for updating any <device/> entry.
<device device.set="1"> <device.sec.... etc... /> </device>
This is also documented => here <= and I updated the above post adding the detail.
Polycom Global Services
I finally succeeded to add manually customer certificate onto the Platform CA through the configuration file.
The most important thing, you will need to activate the device.set="1"
The structure should be like that :
<?xml version="1.0" standalone="yes"?> <change device.set="1" device.sec.TLS.customCaCert1.set="1" device.sec.TLS.customCaCert1="-----BEGIN CERTIFICATE----- blabla-root CA -----END CERTIFICATE-----" device.sec.TLS.customCaCert2.set="1" device.sec.TLS.customCaCert2="-----BEGIN CERTIFICATE----- blabla-intermediate CA -----END CERTIFICATE-----"