Polycom 1725-31424-001 User's Manual

Deployment Guide Polycom CX700 
Making the Root CA Certificate Available to a Polycom CX700 Phone
Communication between the Polycom CX700 phone and Microsoft Office 
Communications Server 2007 R2 is by default encrypted using TLS and SRTP. 
Therefore, the device needs to trust certificates presented by Microsoft Office 
Communications Server 2007 R2 servers. If the servers use public certificates, 
they will most likely be automatically trusted by the phone, since it contains the 
same list of trusted certificate authorities (CAs) as Windows CE. However, 
since most Microsoft Office Communications Server 2007 R2 deployments use 
internal certificates for the internal Microsoft Office Communications Server 
2007 R2 server roles, there is a need to install the Root CA certificate from the 
internal CA to the phone. It is not possible to manually install the Root CA 
certificate on the phone, so it needs to come via the network. 
The Polycom CX700 phone is able to download the certificate using two 
methods:
• The device will search for AD objects of category certificationAuthority. If 
the search returns any objects, it will use the attribute caCertificate. That 
attribute is assumed to hold the certificate and the device will install the 
certificate. To get the Root CA certificate placed in the caCertificate 
attribute, use the command 
certutil -f -dspublish <Root CA certificate in .cer file> RootCA 
This command will publish the certificate as required by the Polycom CX700 phone.
• If the search for AD objects of category certificationAuthority does not 
return any, or if the objects have empty caCertificate attributes, the phone 
will search for AD objects of category pKIEnrollmentService in the 
configuration naming context. Such objects exist if Certificate 
AutoEnrollment has been enabled in Active Directory. If the search 
returns any objects, it will use the dNSHostName attribute returned to 
reference the CA and it will then use the Web interface of the Microsoft 
Certificates Service to retrieve the Root CA certificate using the HTTP GET 
command 
http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64
If neither of these methods succeeds, the error message “Cannot validate 
server certificate” appears on the screen and the user will not be able to use the 
phone.
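
A pre-deployment check that mirrors the two lookups described above, given as an added PowerShell example that is not part of the Polycom guide. It assumes a domain-joined Windows host, that both searches are rooted at the configuration naming context, and a hypothetical path ($ExpectedRootCer) to the known-good Root CA file.

```powershell
# Added example (not from the Polycom guide). Assumptions: domain-joined Windows
# host, both searches rooted at the configuration naming context, and
# $ExpectedRootCer is a hypothetical path to the known-good Root CA .cer file.
param([string]$ExpectedRootCer = 'C:\temp\RootCA.cer')

$X509     = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base     = [ADSI]"LDAP://$configNC"
$expected = $X509::new($ExpectedRootCer)

function Find-ConfigObject([string]$Filter, [string]$Attribute) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter)
    [void]$searcher.PropertiesToLoad.Add($Attribute)
    $searcher.FindAll()
}

# Method 1: certificationAuthority objects whose caCertificate holds a certificate
$published = @(foreach ($r in Find-ConfigObject '(objectCategory=certificationAuthority)' 'caCertificate') {
    foreach ($raw in $r.Properties['cacertificate']) {
        try   { $cert = $X509::new([byte[]]$raw) }
        catch { continue }   # empty or placeholder value: nothing for the phone to install
        [pscustomobject]@{
            Object     = $r.Path
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            IsExpected = $cert.Thumbprint -eq $expected.Thumbprint
        }
    }
})

# Method 2 (fallback): pKIEnrollmentService objects -> certsrv URL built from dNSHostName
$fallback = @(foreach ($r in Find-ConfigObject '(&(objectCategory=pKIEnrollmentService)(dNSHostName=*))' 'dNSHostName') {
    $url = "http://$($r.Properties['dnshostname'][0])/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64"
    try   { $result = (Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 10).StatusCode }
    catch { $result = "failed: $($_.Exception.Message)" }
    [pscustomobject]@{ Url = $url; Result = $result }
})

if ($published) {
    $published | Format-Table -AutoSize
    $published | Where-Object { -not $_.IsExpected } |
        ForEach-Object { Write-Warning "Unexpected certificate in caCertificate: $($_.Subject) [$($_.Thumbprint)]" }
} elseif ($fallback) {
    Write-Warning 'caCertificate is empty; the phone would fall back to the certsrv download:'
    $fallback | Format-Table -AutoSize
} else {
    Write-Warning 'No certificate source found; the phone would show "Cannot validate server certificate".'
}
```

The fallback URL is plain HTTP, so a populated caCertificate attribute (the first method) keeps the phone from fetching its trust anchor over an unauthenticated channel.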