I am trying to change from FTP provisioning to FTPS provisioning. The goal is to implement a secure provisioning environment without any manual configuration on the SoundPoint.
When using my own certificates, I did not find an automatic way of downloading the root CA to this phone. There are ways to do that for the Lync phones using option 43, but I did not find anything for the SoundPoint 331.
As a test, I wanted to use a certificate issued by one of the CAs that are stored in the phone by factory default. However, I learned that it is not possible to get a certificate from one of those that is issued for an internal FQDN (like server01.domain.local), nor a certificate for a private IP (at least Symantec states that).
My questions are: Is there any way to automatically upload a root CA to the phone using DHCP options, like for Lync phones? Does anyone know a way to get my (my customer's) goal accomplished?
If you get a certificate issued by an authority whose root CA/chain is already in the phone, then you won't need to load a root CA. E.g. our provisioning server's certificate is issued by Entrust, and no manual intervention is required; we are able to use option 66 in DHCP to point the phones at our HTTPS provisioning server.
Alternatively you can "preprovision" the phones over FTP/HTTP, with a config file that disables certificate validation, before switching them to HTTPS/FTPS. It's not as secure, since someone could muck with DNS and redirect your phones to a fake server with a fake cert, however the connection with your valid server will still be encrypted.
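The trust-store problem the question and answer turn on can be reproduced with OpenSSL on a workstation. The script below is an added example, not code from the original thread or from Polycom: it builds two throwaway root CAs (one standing in for a root the phone ships with, one standing in for the customer's private CA), issues a certificate for the questioner's example name server01.domain.local from the private CA, and shows that the leaf only verifies once the private root is in the store used for verification. All keys, names and the temp directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires the openssl CLI
# (1.1.0 or newer for -no-CApath). All material is generated in a temp dir.
set -eu
WORK=$(mktemp -d)

# Root that the "phone" already trusts (stands in for a factory-bundled CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Factory Bundled Root CA (constructed)" \
  -keyout "$WORK/factory.key" -out "$WORK/factory.pem" >/dev/null 2>&1

# The customer's own private root CA, which the phone does not know.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Customer Private Root CA (constructed)" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Provisioning server key + CSR for an internal FQDN that no public CA will issue for.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=server01.domain.local" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1

# Sign the server certificate with the private CA.
openssl x509 -req -days 30 -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.pem" >/dev/null 2>&1

# verify_chain STORE CERT: validate CERT using only the roots in STORE
# (-no-CApath keeps the system directory out of the picture, as on a phone
# whose only trust anchors are the bundled ones). Prints "ok" or "fail".
verify_chain() {
  if openssl verify -CAfile "$1" -no-CApath "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "server cert vs. factory-bundled root: $(verify_chain "$WORK/factory.pem" "$WORK/server.pem")"  # fail
echo "server cert vs. customer private root: $(verify_chain "$WORK/ca.pem" "$WORK/server.pem")"     # ok
```

The first check is the situation the question describes: a certificate from a CA the phone has never heard of is rejected, however valid the chain is. The second check is what loading the private root (or, as the answer suggests, buying from a CA whose root is already bundled) achieves. The same `openssl verify -CAfile` check, run against the actual server certificate and the root you believe the phone trusts, is a quick way to confirm the chain before pointing phones at an HTTPS or FTPS provisioning server. For the DHCP side, on ISC dhcpd option 66 is written as `option tftp-server-name "…";` in dhcpd.conf.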