• ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
The HP Community is where owners of HP products, like you, volunteer to help each other find solutions.
HP Recommended

Hello,

I am trying to change from FTP Provisioning to FTPS provisioning. Goal is to implement a secure provisioning environment without any manuel configuration on the Soundpoint.

When using own certificates, then I did not find an automatic way of downloading the root ca to this phone. There are ways to do that for the Lync phones using option 43, but I did not find anything for the Soundpoint 331.

As a test, I wanted to use a certificate that has been issued by one of the CAs that are stored in the phone per factory default. However I learned that it is not possible to get a certificate from one of those, that is issued for an internal fqdn (like server01.domain.local), nor a certificate for a private IP (at least symantec states that).

My questions are:
Is there any way to upload automatically a root ca to the phone using DHCP Options, like for LYNC Phones ?
Does anyone know a way to get my (my customers goal) accomplished ?

 

Thanks in advance

1 REPLY 1
HP Recommended

 

Hi Daniel,

 

If you get a certificate issued by an authority that already has the root CA/chain in the phone, then you won't need to load a root CA. eg our provisioning server's certificate is issued by Entrust, and no manual intervention is required, we are able to use option 66 in DHCP to point the phones at our HTTPS provisioning server.

 

Alternatively you can "preprovision" the phones over FTP/HTTP, with a config file that disables certificate validation, before switching them to HTTPS/FTPS. It's not as secure, since someone could muck with DNS and redirect your phones to a fake server with a fake cert, however the connection with your valid server will still be encrypted.

† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.