Plantronics + Polycom. Now together as Poly Logo

Phone certificates

SOLVED
Highlighted
Valued Contributor

Phone certificates

Hi

 

Is there a way to check or extract a phones root certificate at all?  We are getting a large number of phones that are failing SSL/TLS handshakes with the provisioning server and wanted to check if there is any way to validate the certificates on the phone?

 

Is the phones certificate the same as when you log into the web browser or does it use more than one certificate?

 

Any help with this would be really appreciated.  Phones are multiple models of VVX's UC Software Version 4.1.5.3284 BootROM Software Version 5.1.5.3810

 

Sample log:

 

143: 2014-01-31 14:28:53:  
|4|00|SSL_connect error Peer certificate cannot be authenticated with known CA certificates.SSL certificate problem, verify that the CA cert is OK. Details:#012error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
144: 2014-01-31 14:28:53:   
|*|00|Prov|Starting to update 4.1.5.sip.ld
145: 2014-01-31 14:28:54:  
|4|00|SSL_connect error Peer certificate cannot be authenticated with known CA certificates.SSL certificate problem, verify that the CA cert is OK. Details:#012error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
146: 2014-01-31 14:28:55:   
|4|00|Prov|Some configuration files could not be obtained, reverting to previous config
149: 2014-01-31 14:28:57:  
|4|00|SSL_connect error Peer certificate cannot be authenticated with known CA certificates.SSL certificate problem, verify that the CA cert is OK. Details:#012error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
150: 2014-01-31 14:28:57:  
|4|00|SSL_connect error Peer certificate cannot be authenticated with known CA certificates.SSL certificate problem, verify that the CA cert is OK. Details:#012error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
151: 2014-01-31 14:28:57:   
|4|00|Prov|Not setting device parameters since configuration was not updated.

 

Cheers

 

Dave

Message 1 of 6
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Polycom Employee & Community Manager

Re: Phone certificates

Hello Dave,

The phone trusts a whole lot of certificate authorities by default. These are detailed in the Trusted Certificate Authority List within the matching Admin Guide.

 

In addition Polycom provides a Certificate that can be placed on a server.

 

This X.509 digital certificate is signed by the Polycom Root CA and may be used by a server to authenticate the phone when initiating Transport Layer Security (TLS) communications such as those used for HTTPS provisioning and TLS SIP signaling encryption.

 

The Polycom Root CA can be downloaded from http://pki.polycom.com/pki. The X.509 digital certificates are set to expire on March 9, 2044.

 

You can also import a certificate into the phone. For more details please check the Technical Bulletin 52609 which can be found in the Feature Descriptions & Technical Notifications Section on the Polycom Web Site.

 

Once a certificate has been imported you can export the configuration to check this. There is no way to export any other built in certificates.

 

For more details please work with your Polycom sales engineer.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's

View solution in original post

Message 2 of 6
5 REPLIES 5
Highlighted
Polycom Employee & Community Manager

Re: Phone certificates

Hello Dave,

The phone trusts a whole lot of certificate authorities by default. These are detailed in the Trusted Certificate Authority List within the matching Admin Guide.

 

In addition Polycom provides a Certificate that can be placed on a server.

 

This X.509 digital certificate is signed by the Polycom Root CA and may be used by a server to authenticate the phone when initiating Transport Layer Security (TLS) communications such as those used for HTTPS provisioning and TLS SIP signaling encryption.

 

The Polycom Root CA can be downloaded from http://pki.polycom.com/pki. The X.509 digital certificates are set to expire on March 9, 2044.

 

You can also import a certificate into the phone. For more details please check the Technical Bulletin 52609 which can be found in the Feature Descriptions & Technical Notifications Section on the Polycom Web Site.

 

Once a certificate has been imported you can export the configuration to check this. There is no way to export any other built in certificates.

 

For more details please work with your Polycom sales engineer.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's

View solution in original post

Message 2 of 6
Highlighted
Valued Contributor

Re: Phone certificates

Thanks for all the help Steffen

Message 3 of 6
Highlighted
Occasional Visitor

Re: Phone certificates

The link to your certificates is broken.  Can you provide the new location?

Message 4 of 6
Highlighted
Polycom Employee & Community Manager

Re: Phone certificates

Hello @rnaimon ,

 

welcome to the Poly Community.

 

The link without the "." at the end should work

 

http://pki.polycom.com/pki

 

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 5 of 6
Highlighted
Occasional Visitor

Re: Phone certificates

It is still giving me a 404 error.
Message 6 of 6