
missing root CA certificate: Identrust (DST Root CA X3)

Occasional Advisor


 

Could you please add the Identrust root CA "DST Root CA X3" to the next firmware updates?

 

https://www.identrust.com/certificates/trustid/root-download-x3.html

 

This root is being used to cross-sign the Let's Encrypt certificates that many people are now using:

https://letsencrypt.org/certificates/

 

Full details from this root:

 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Subject: O=Digital Signature Trust Co., CN=DST Root CA X3

Message 1 of 8
Polycom Employee & Community Manager

Re: missing root CA certificate: Identrust (DST Root CA X3)

Hello pocock,

This is not how this works.


The community's VoIP FAQ contains this post here:

Jan 03, 2013 Question: How can I request a change to the current Polycom SIP / UCS Software?

Resolution: Please check => here <=

 

You need a feature request.

Best Regards

Steffen Baier

Polycom Global Services




<======== Signature / Disclaimer ========>
Please be aware:For questions about the type of support to expect please check here

Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's

Please remember, if you see a post that helped you , and it answers your question, please mark it as an "Accept as Solution".

The title Polycom Employee & Community Manager is an automatic setting within the community and any forum reply or post is based upon my personal experience and does not reflect the opinion or view of my employer.
Poly employee participation within this community is not mandatory and any post or FAQ article provided by myself is done either during my working hours or outside working hours, in my private time, and maybe answered on weekends, bank holidays or personal holidays.
Message 2 of 8
Occasional Advisor

Re: missing root CA certificate: Identrust (DST Root CA X3)

pocock,

 

You can issue a PGS ticket as a "request", however, they may not have more information about this. My suggestion is to add the certificate yourself to the phone.  You can automate this with centralized provisioning practices, or by installing the CA certificate manually from the phone or phone webserver.  There are additional resources regarding Polycom and Certificate management that are helpful (see references below).

 

From a centralized provisioning perspective, you can set device.sec.TLS.customCaCert1. The admin guides go over this in much detail; there are multiple configs you can add to get exactly what you need done.

 

As a side note, some Polycom SPIP & SSIP models (SPIP 300, 301, 320/330, 430, 500, 501, 600, 601, SSIP 4000) will not have the capability of establishing a secure connection to a server with SHA256-signed certificates (this is what Let's Encrypt uses).

 

SPIP 321/331, 335, 450, 550, 560, 650, 670 and SSIP 5000/6000/7000 may have their firmware upgraded to at least 4.0.7 or higher to gain SHA256 support.

 

Polycom VVX models are not impacted.

 

 

References

 * SHA1 Deprecation Impacts

 * Polycom Certificate Updates for Polycom UC Software 4.0.9

 * Polycom Certificate Updates for Polycom® UC Software 5.4.0

 * Polycom Device Certificates on Polycom® Phones

 * Additional SPIP/SSIP/VVX Documentation and Firmware

 

 

 

 

Message 3 of 8
Occasional Advisor

Re: missing root CA certificate: Identrust (DST Root CA X3)

 

Hi Steffen,

 

Thanks for your reply

 

For something like this it is probably a good idea to just go ahead and get it into the firmware; waiting for people to go through the bureaucracy of contacting resellers may only mean waiting longer for it to be resolved.  Being a SIP software developer myself, I can say with some confidence that the time taken communicating through these steps would appear to be disproportionate to the effort it takes for a developer to simply add the root certificate.

 

I have tested installing the certificate manually and it works.

 

Regards,

 

Daniel

Message 4 of 8
Polycom Employee & Community Manager

Re: missing root CA certificate: Identrust (DST Root CA X3)

Hello Daniel,

this is a very good idea in an ideal world but you are only seeing this from your side.

 

The list of enhancements is so long, something like this asked by one user only is at the very bottom of this.

 

If you really think you need this I can only ask you to go through via the official channel.

Best Regards

Steffen Baier

Polycom Global Services




Message 5 of 8
Polycom Employee & Community Manager

Re: missing root CA certificate: Identrust (DST Root CA X3)

Hello Daniel,

 

please watch out for VOIP-122131 in future release notes.


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services




Message 6 of 8
Occasional Visitor

Re: missing root CA certificate: Identrust (DST Root CA X3)

Was this ever added? I can't find the list of supported Certificate Authorities for v5.8.0, only 5.7.0.

 

Also, the inability to disable CA checking entirely is a big problem, since wildcard certificates are *also* not supported.

 

There are three ways to get configuration pushed with encryption on multi-tenant deployments, and all of them don't work.

 

1) Use Let's Encrypt certificates for each deployment

 

2) Disable CA validation entirely

 

3) Support wildcard certificates.

 

Since *none* of these methods are supported, it means we have to send configuration information across the internet without encryption, in 2018. That's *really* bad.

 

The lack of full support for wildcard certificates is also a big issue. This means we have to issue individual certificates for every instance, and keep them updated. The FAQ still states that wildcard certificates are "partly" working after disabling all common name checks, but it explicitly states that they are neither supported nor tested.

 

 

Message 7 of 8
Polycom Employee & Community Manager

Re: missing root CA certificate: Identrust (DST Root CA X3)

Hello @humanism,

 

welcome to the Polycom Community.


The DST Root CA X3 was added in the following software versions:

 

  1. UC Software 4.0.12 or later
  2. UC Software 4.1.9 or later
  3. UC Software 5.2.6 or later
  4. UC Software 5.3.4 or later
  5. UC Software 5.4.7 or later

This is also part of the 5.8.0 release

 

DST Root CA X3 | 2048 bit | sha1WithRSAEncryption | Sep 30 21:12:19 2000 GMT | Sep 30 14:01:15 2021 GMT


If you are missing a certain feature or ability please work with a Polycom sales engineer or a Polycom reseller.

 

This requires a business case etc. and is all explained here:

 

Jan 03, 2013 Question: How can I request a change to the current Polycom SIP / UC Software?

Resolution: Please check => here <=


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services




Message 8 of 8
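Added example, not part of any post in this thread and not Polycom code: a fleet-audit helper that combines the SHA-256 model limits given in the provisioning reply with the firmware list in the final reply, to decide which phones need the root supplied through device.sec.TLS.customCaCert1. Function names and the sample inventory are constructed; firmware branches the thread does not name are reported as unknown rather than guessed.

```python
import re

# Facts below are taken from the thread; all names are hypothetical.
# Models the thread says cannot validate SHA-256 signed certificates at all.
NO_SHA256 = {"SPIP300", "SPIP301", "SPIP320", "SPIP330", "SPIP430", "SPIP500",
             "SPIP501", "SPIP600", "SPIP601", "SSIP4000"}
# Models that need firmware 4.0.7 or higher for SHA-256 support.
SHA256_FROM_407 = {"SPIP321", "SPIP331", "SPIP335", "SPIP450", "SPIP550", "SPIP560",
                   "SPIP650", "SPIP670", "SSIP5000", "SSIP6000", "SSIP7000"}
SHA256_MIN = (4, 0, 7)
# Per release branch, the first patch level that ships DST Root CA X3.
ROOT_ADDED = {(4, 0): 12, (4, 1): 9, (5, 2): 6, (5, 3): 4, (5, 4): 7, (5, 8): 0}

def parse_version(text):
    """Return (major, minor, patch) from a UC Software version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised UC Software version: {text!r}")
    return tuple(int(g) for g in m.groups())

def audit(model, firmware):
    """Classify one phone for validating a chain that ends at DST Root CA X3."""
    model = re.sub(r"[\s_-]", "", model).upper()
    ver = parse_version(firmware)
    if model in NO_SHA256:
        return "unsupported: no SHA-256"
    if model in SHA256_FROM_407 and ver < SHA256_MIN:
        return "upgrade firmware for SHA-256"
    minimum = ROOT_ADDED.get(ver[:2])
    if minimum is None:
        # Branch not named in the thread: do not guess, check the release's CA list.
        return "unknown branch: check CA list"
    if ver[2] >= minimum:
        return "ok: root built in"
    return "provision device.sec.TLS.customCaCert1"

# Constructed inventory (model, firmware) for illustration only.
INVENTORY = [("SPIP 330", "3.3.5"), ("SPIP 650", "4.0.5"), ("SPIP-650", "4.0.9"),
             ("VVX 410", "5.4.7"), ("VVX 500", "5.7.0")]

def audit_fleet(inventory):
    """Map each 'model firmware' pair to its audit result."""
    return {f"{m} {v}": audit(m, v) for m, v in inventory}

if __name__ == "__main__":
    for phone, result in audit_fleet(INVENTORY).items():
        print(f"{phone:18} {result}")
```

A manually provisioned copy of the root carries the same Not After date quoted in the thread (Sep 30 14:01:15 2021 GMT), so provisioning it does not extend its validity.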