Plantronics + Polycom. Now together as Poly Logo

How install custom device certificate with config files using 4.01B?

SOLVED
Occasional Contributor

How install custom device certificate with config files using 4.01B?

I've been able to manually install a device certificate through the
Advanced->TLS menu area and specifying the URL of the device
certificate, but that's cumbersome for a large amount of phones.
 
In the example site.cfg file, I see the device.sec.TLS.customDeviceCert1.set
value to set a custom device cert, but when I manually add
device.sec.TLS.customDeviceCert1 and store the PEM encoded
certificate, the app.log file shows an error that
device.sec.TLS.customDeviceCert1 is an unknown parameter.
 
I've even tried storing the device certificate public key here:
sec.TLS.customDeviceCert.1 and the private key here:
sec.TLS.customDeviceKey.1  The parameters are accepted, but the
certificate still doesn't show up in Advanced->TLS->Custom device.
I've even turned on "Debug" level logging for TLS and Configuration,
and it shows no errors.
 
I've been able to store my custom CA certificate with no problem here:
device.sec.TLS.customCaCert1
and here:
sec.TLS.customCaCert.1

 

Does Polycom even support loading a device cert with config files?

 

Message 1 of 8
7 REPLIES 7
Highlighted
Occasional Contributor

Re: How install custom device certificate with config files using 4.01B?

I confess that I have already had the same question, but unfortunatly left unaswered by the Polycom reseller.

I would be very interested in this response.

Joao

Message 2 of 8
Polycom Employee & Community Manager

Re: How install custom device certificate with config files using 4.01B?

Hello all,

 

I actually load for example a LYNC Certificate like this (shortened):

 

<LYNCCert>
<corprootca sec.TLS.profileSelection.SIP="ApplicationProfile1" sec.TLS.customCaCert.1="-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gJL3W9Ng9w5w9yDrpHtwfufG6UevQDcZj2NywtJ1OEu9MSos4dNyypDnI=
-----END CERTIFICATE-----" />
</LYNCCert>

 

Another Option in UCS 4.x.x is to actually load a certificate via the Web Interface onto the Phone,  Browse to Settings => Network => TLS:

 

certificate.png

 

Above shows my Phone that has already imported a Certificate. You can see in Platform CA 2 that I just specify a HTTP Hyperlink. This was used to enable SRTP for an Asterisk Server.

The Phone will then download the Certificate if Install is pressed.

Ticking the Box next to an installed Certificate will offer you the functionality to delete the existing certificate.

 

Once this is installed you can check the correct parameters when exporting the Phones configuration.

 

Any issues that a reseller cannot resolve should be logged by the reseller with Polycom Support.

 

Best Regards

 

Steffen Baier

 

Polycom Global Services




<======== Signature / Disclaimer ========>
Please be aware:For questions about the type of support to expect please check here

Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's

Please remember, if you see a post that helped you , and it answers your question, please mark it as an "Accept as Solution".

The title Polycom Employee & Community Manager is an automatic setting within the community and any forum reply or post is based upon my personal experience and does not reflect the opinion or view of my employer.
Poly employee participation within this community is not mandatory and any post or FAQ article provided by myself is done either during my working hours or outside working hours, in my private time, and maybe answered on weekends, bank holidays or personal holidays.
Message 3 of 8
Occasional Contributor

Re: How install custom device certificate with config files using 4.01B?

Steffen, we all know how to add CA certs to the phones with config files, and I've been able to manually add device certificates through the phone and the phone's website, but this doesn't work for large numbers of phones.  It has to be done with config files.

 

After 20+ hours of work, and figuring out UNDOCUMENTED settings that are NOWHERE to be found in the manual, here's my definitive guide to certificates on polycom phones with 4.x software.  I leave it up to the reader to decide which code snippets to use in their own config files, as it's highly site-dependent on how you want to implement encryption.

 

 

CA certificate for Platform CA1:

    <device.sec.TLS device.set="1"
        device.sec.TLS.customCaCert1="-----BEGIN CERTIFICATE----- 
blah blah blah
-----END CERTIFICATE-----"> 
      <device.sec.TLS.customCaCert1
           device.sec.TLS.customCaCert1.set="1"> 
      </device.sec.TLS.customCaCert1> 

 

 

CA certificate for Application CA1:

      <sec.TLS.customCaCert sec.TLS.customCaCert.1="-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----"> 

 

 

Device certificate loaded as Platform1:

      <device.sec.TLS.customDeviceCert1 device.set="1" 
          device.sec.TLS.customDeviceCert1.publicCert="-----BEGIN CERTIFICATE----- 
blah blah blah
-----END CERTIFICATE-----" 
          device.sec.TLS.customDeviceCert1.privateKey="-----BEGIN RSA PRIVATE KEY----- 
blah blah blah
-----END RSA PRIVATE KEY-----" 
          device.sec.TLS.customDeviceCert1.set="1"> 
      </device.sec.TLS.customDeviceCert1> 

 

 

Device certificate loaded as Application1:

    <sec.TLS.customDeviceCert 
        sec.TLS.customDeviceCert.1="-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----">
    </sec.TLS.customDeviceCert> 
    <sec.TLS.customDeviceKey 
        sec.TLS.customDeviceKey.1="-----BEGIN RSA PRIVATE KEY-----
blah blah blah
-----END RSA PRIVATE KEY-----">
    </sec.TLS.customDeviceKey> 

 

Message 4 of 8
Occasional Advisor

Re: How install custom device certificate with config files using 4.01B?

Hello Everyone,

 

I am new here. I tried Dan1234's suggestion on how to install customdevice certificate using config files and somehow I could not get mine to install on a VVX500. I put it both as custom device credentials platform1 and application1 on the site.cfg of mt tftp config folder.

 

Any inputs/suggestion is appreciated.

 

Thanks.

TonyJ

Message 5 of 8
Occasional Visitor

Re: How install custom device certificate with config files using 4.01B?

This problem stumped me for a while too.  I'm running 5.7, and I needed to set the global ".set" parameter which is needed for updating any <device/> entry.

 

<device device.set="1">
   <device.sec.... etc... />
</device>

 

Message 6 of 8
Polycom Employee & Community Manager

Re: How install custom device certificate with config files using 4.01B?

Hello all,

 

This is also documented => here <= and I updated the above post adding the detail.

Best Regards

Steffen Baier

Polycom Global Services




<======== Signature / Disclaimer ========>
Please be aware:For questions about the type of support to expect please check here

Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's

Please remember, if you see a post that helped you , and it answers your question, please mark it as an "Accept as Solution".

The title Polycom Employee & Community Manager is an automatic setting within the community and any forum reply or post is based upon my personal experience and does not reflect the opinion or view of my employer.
Poly employee participation within this community is not mandatory and any post or FAQ article provided by myself is done either during my working hours or outside working hours, in my private time, and maybe answered on weekends, bank holidays or personal holidays.
Message 7 of 8
Occasional Visitor

Re: How install custom device certificate with config files using 4.01B?

Hello everybody,

 

I finally succeeded to add manually customer certificate onto the Platform CA through the configuration file.

 

The most important thing, you will need to activate the device.set="1"

 

The structure should be like that :

 

 

<?xml version="1.0" standalone="yes"?>

<change device.set="1"

		device.sec.TLS.customCaCert1.set="1"
		device.sec.TLS.customCaCert1="-----BEGIN CERTIFICATE-----
blabla-root CA
-----END CERTIFICATE-----"

device.sec.TLS.customCaCert2.set="1"
device.sec.TLS.customCaCert2="-----BEGIN CERTIFICATE-----
blabla-intermediate CA
-----END CERTIFICATE-----"

 

Message 8 of 8