
Hi Support,

 

I'd be grateful if someone could help me to answer the SSL root CA questions below. I know there are multiple SSL cert posts and I tried to read them all, but I didn't find an answer to these questions.

We are using the latest version of Polycom UCS firmware, 5.4.1, on Polycom VVX201 and VVX300. We're trying to provision them using HTTPS with Starfield Tech Root CA G2 on the provisioning server. But we're having issues with the phone not connecting to the provisioning server (checking the server log).

 

When I check the phone log I get the usual SSL errors:

SSL_connect error Peer certificate cannot be authenticated with known CA certificates. SSL certificate problem, verify that the CA cert is OK. Details:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

I checked the Polycom Trusted Certificate Authority List to make sure that our CA Starfield Tech root CA G2 is on the list and I can see it was added last year to firmware version 5.3.0. So in theory this should work just fine.

http://supportdocs.polycom.com/PolycomService/support/global/documents/support/technical/products/vo...

 

We didn't want to start uploading our own custom Root CA certificates onto the phone as we need to deploy 200+ phones and this is not feasible.

 

My questions are: will the Polycom phone on firmware version 5.4.1 trust/support:
1. Multiple wildcards in the CN, e.g. *.*.domain.com
2. Wildcards not in the first fragment in the CN, e.g. subdomain.*.domain.com
3. The same questions 1 & 2 for the SANs (Subject Alternative Names)
4. Can you confirm the thumbprint of the Starfield root CA that's installed by Polycom out of the box?

The one we can see on Starfield root CA is Fingerprint=2C:E1:CB:0B:F9:D2:F9:E1:02:99:3F:BE:21:51:52:C3:B2:DD:0C:AB:DE:1C:68:E5:31:9B:83:91:54:DB:B7:F5

I wonder if that matches what Polycom added as well.

 

Thanks,

 

Patrik
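
Added example, not part of the original post and not Polycom firmware code: how a strict matcher following RFC 6125 section 6.4.3 treats the name patterns from questions 1 to 3. The function names and the host `phones.prov.domain.com` are assumptions made for illustration; what UCS 5.4.1 itself accepts is not established by this sketch.

```python
# Added example: strict wildcard hostname matching in the style of
# RFC 6125 section 6.4.3. Illustrative only; this is not Polycom UCS code
# and the firmware's actual behaviour may differ.

def _valid_pattern(labels):
    """A wildcard is accepted only as the entire left-most label."""
    if any("*" in label for label in labels[1:]):
        return False  # e.g. subdomain.*.domain.com or *.*.domain.com
    first = labels[0]
    if "*" in first and first != "*":
        return False  # partial wildcards (f*o) rejected; stricter than the RFC requires
    # Conservative extra check (not from RFC 6125): refuse names like *.com
    if first == "*" and len(labels) < 3:
        return False
    return True


def hostname_matches(pattern, hostname):
    """Compare one presented name (CN or SAN dNSName) with the host we dialled."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if not all(p) or not all(h) or not _valid_pattern(p):
        return False
    if len(p) != len(h):
        return False  # "*" stands for exactly one label
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def check_names(names, hostname):
    """Return {presented name: matched?} for a certificate's name list."""
    return {name: hostname_matches(name, hostname) for name in names}


# Constructed sample names, modelled on the patterns in the question.
SAMPLE_NAMES = ["*.*.domain.com", "subdomain.*.domain.com",
                "*.domain.com", "*.prov.domain.com"]

if __name__ == "__main__":
    results = check_names(SAMPLE_NAMES, "phones.prov.domain.com")
    for name, ok in results.items():
        print(f"{name:26} {'match' if ok else 'no match'}")
```

Under these rules only `*.prov.domain.com` matches the sample host; a single `*` never spans two labels, so `*.domain.com` does not cover it either.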

1 ACCEPTED SOLUTION


Hello Patrik,

welcome to the Polycom Community.

Have a look at this new VoIP FAQ post here:

Mar 04, 2016 Question: Do Polycom phones support wildcard certificates?

Resolution: Please check this post => here <=

 

Once you have verified that you allow wildcard certificates for provisioning, please lower the CURL logging level so you can see the issue.

Please also ensure the phone has the correct time and date via NTP.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN


2 REPLIES 2

Hi,

 

Thank you for your post about the Wildcard certificates.

 

We found the issue to be with our Starfield root CA not putting us on G2 but on G1. Only G2 is accepted by Polycom; once changed, it all worked a treat.

 

Thanks again,

 

Patrik
