
failing to install Platform Certificate 1 (device certificate)

pocock
Occasional Advisor

I've got three Soundpoint IP560 phones.

 

I created a script to create custom device certificates for them.

 

I successfully installed the certificates in two of the phones.

 

In the third phone, I get an error.

 

I create the certificates using RSA, 2048 bits, SHA256 (I also tried SHA1).

 

I put the CN=(MAC address) for each certificate, just like factory installed certificates.

 

For EKU, I enable TLS Server and TLS Client

 

All certificates are identical except for the MAC address.

 

I go into the web admin for each phone and give it the URL of the server with the certificate. In the web server log, I see that the phone is retrieving the certificate and the HTTP response code is 200.

 

A popup message appears in web admin:

 

     Information

 

     Invalid certificate download request.

 

I looked in the diagnostic log for the phone and observed the following:

 

175339.992|tls |4|03|Device credential invalid: Device credentials not proper in the certificate

 

Here are more details about the phone:

 

000016.462|so |*|03|Platform: Model=SoundPoint IP 560, Assembly=2345-12560-001 Rev=A Region=
000016.462|so |*|03|Platform: Interface eth0 MAC=0004f2......
000016.462|so |*|03|Platform: BootBlock=3.0.2.0024 (12560-001) 30-Nov-10 15:01
000016.462|so |*|03|Platform: Updater=5.1.1.0132 13-Jul-15 18:16
000016.462|so |*|03|Application, main: Label=SIP, Version=PrairieDog 4.1.1.0731 19-Jul-15 19:59
000016.462|so |*|03|Application, main: P/N=3150-11530-411

 

 

What does this error mean?

 

Is there anything else I should check?

 

I tried regenerating the keypairs and certificates several times and it always works for two of the phones and always fails for the third phone.

 

 

Message 1 of 4
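
The attributes listed in the post above (RSA 2048, SHA-256 or SHA-1, CN set to the MAC address, EKU with TLS server and TLS client) can be read back from each generated certificate with openssl before it is uploaded. This is an added example, not part of the original thread: the function names and the sample MAC suffix are hypothetical, matching the CN against the MAC as the boot log prints it is an assumption, and it does not reproduce whatever the phone firmware itself checks.

```shell
#!/bin/sh
# Added example: read back the attributes the post lists from a device certificate.
# Function names and the sample MAC suffix "aabbcc" are hypothetical.

# Issue a self-signed test certificate shaped as the post describes:
# RSA 2048, SHA-256, CN=<MAC>, EKU = TLS server + TLS client.
make_sample_cert() {  # usage: make_sample_cert <mac> <out.pem>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -addext "extendedKeyUsage=serverAuth,clientAuth" \
    -keyout "$2.key" -out "$2" 2>/dev/null
}

# Print one line per mismatch; return 0 only when every attribute matches.
check_device_cert() {  # usage: check_device_cert <cert.pem> <mac>
  cdc_rc=0
  # Assumption: the CN carries the MAC as the boot log prints it
  # (lowercase hex, no separators), so the argument is normalised to that form.
  cdc_mac=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ':.-')
  cdc_text=$(openssl x509 -in "$1" -noout -text) || return 2
  cdc_cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline |
           sed -n 's/^ *commonName *= //p')
  [ "$cdc_cn" = "$cdc_mac" ] ||
    { echo "CN '$cdc_cn' differs from MAC '$cdc_mac'"; cdc_rc=1; }
  has() { printf '%s\n' "$cdc_text" | grep -Eq "$1"; }
  has 'Public Key Algorithm: rsaEncryption' || { echo "key is not RSA"; cdc_rc=1; }
  has 'Public-Key: \(2048 bit\)' || { echo "key is not 2048 bits"; cdc_rc=1; }
  has 'Signature Algorithm: sha(1|256)WithRSAEncryption' ||
    { echo "signature is not SHA-1 or SHA-256 with RSA"; cdc_rc=1; }
  has 'TLS Web Server Authentication' || { echo "EKU lacks TLS server"; cdc_rc=1; }
  has 'TLS Web Client Authentication' || { echo "EKU lacks TLS client"; cdc_rc=1; }
  return "$cdc_rc"
}

# Constructed sample: 0004f2 is the prefix shown in the thread's log; the rest is made up.
tmp=$(mktemp -d)
make_sample_cert 0004f2aabbcc "$tmp/dev.pem" &&
  check_device_cert "$tmp/dev.pem" 00:04:F2:AA:BB:CC && echo "certificate matches"
rm -rf "$tmp"
```

Running `check_device_cert` on the certificate for each of the three phones shows whether the failing one differs from the working two in any of these fields.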
SteffenBaierUK
Polycom Employee & Community Manager

Re: failing to install Platform Certificate 1 (device certificate)

Hello pocock,

as you are already on a UC Software 4.x.x build, you can simply export the working phones' configuration and check these against each other.

 

Btw, UC Software 4.1.1 is for LYNC only and not for SIP, just in case you are using them for SIP. The correct software for these is 4.0.11.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------
The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP, Video Endpoint, Skype for Business, PSTN or RPM FAQs.
Message 2 of 4
pocock
Occasional Advisor

Re: failing to install Platform Certificate 1 (device certificate)

 

I completely reset all three phones to factory defaults and formatted the filesystems before I started trying to install the certificates, so they should all be in an identical state, shouldn't they?

 

What method do you suggest I use to extract the runtime confirmation for comparison?

 

 

I will try changing them all to 4.0.11, thanks for pointing this out. Even so, I don't think that is related to this problem; this problem only concerns client certificate installation.

 

 Have you seen any fault in any other phone that prevents it accepting a client certificate like this?

Message 3 of 4
SteffenBaierUK
Polycom Employee & Community Manager

Re: failing to install Platform Certificate 1 (device certificate)

Hello pocock,

I have not seen any issue but my free "support" in here only goes so far.

 

I suggest you test this and lower the TLS logging and see if you can spot anything and then simply open a ticket.


In order to raise a support ticket you need to work with your Polycom reseller as they need to do this for you. In case this is some sort of an Internet discounter please post your phone's MAC address so I can look up who would be able to support you.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

Message 4 of 4