Do any Poly Phones support SCEP?

 

The following Poly Phones support SCEP (based on the latest software):

  • VVX running UC Software
  • CCX Phones
  • Edge E Phones
  • Poly Trio Phones

 Settings > SCEP > SCEP Settings

 


 

Example List of SCEP Server Vendors

  • Cisco ISE
  • Microsoft (NDES) Network Device Enrollment Service
  • OpenCA OpenSCEP
  • Meraki Ascertia
  • Nexus Certificate Manager cryptlib
  • jcep EJBCA
  • OpenTrust PKI Dogtag
  • wolfSSL CyaSSL
  • MikroTik Sscep
  • XiPki
  • Open source CA
  • OCSP responder
  • OSGI-based 

 

SCEP Process Flow

 

Settings > Network > TLS > Certificate Configuration > CA Certificates:


 

Settings > Network > TLS > Certificate Configuration > Device Certificates:


 

 Another good source can be found >here<
 

Configuration Enhancement:

In UC Software 7.2.1 and later, when the SCEP.csr.commonName parameter is left at its default null setting,

<change SCEP.csr.commonName=""/>

the phone automatically uses its Product Name and MAC address for the common name (CN) when it generates a CSR. Before this, it was a manual field that had to be set per device.

1016111919|scep |3|00|  Subject: /C=UK/ST=Greater VoiceWorld/L=MyTown/O=MyOrganisation/OU=MyOrganisationUnit/CN=CCX70064167FDFD123


Since PVOS 9.0.0, the phone uses only its MAC address for the common name (CN) when it generates a CSR. For example, a CCX will show in the logs:

1016111919|scep |3|00|  Subject: /C=UK/ST=Greater VoiceWorld/L=MyTown/O=MyOrganisation/OU=MyOrganisationUnit/CN=64167FDFD123

 

Another Field was added via:

SCEP.csr.organizationUnit

 

Troubleshooting:

SCEP Logging Example

<web log.render.level="0" log.level.change.scep="0"/>

Logs:

1024070742|so   |*|00|SCEP Feature is enabled
1024070837|scep |*|00|Initial log entry. Current logging level 0
1024070837|scep |4|00|scepHandler started
1024070837|scep |4|00|StateTransistion NewState 1
1024070837|scep |5|00|displayScepWarningMsg  -1 
1024070837|scep |5|00|TranslateWarnMsg NOT handled: PkiStatus -1
1024070837|scep |1|00|StateTransistion from 0 to NewState : Init 
1024070837|scep |1|00|StateTransistion  to NewState : Init
1024070837|scep |0|00|ScepEventHandler Event 2
1024070837|scep |1|00|ScepEventHandler Event INITIALIZE
1024070837|scep |2|00|SCEP check  MissingCfg 
1024070837|scep |4|00|ScepInit::scepMsgQId 171 
1024070837|scep |0|00| ScepCurlInterface::createInstance  
1024070837|scep |2|00| ScepInit::onInit scep url : http://10.221.10.102/certsrv/mscep/mscep.dll 
1024070837|scep |2|00|URLwithHost = 10.221.10.102 s->scepServerUrl = http://10.221.10.102/certsrv/mscep/mscep.dll
1024070837|scep |2|00|----- URLwithHost = 10.221.10.102, scepData.scepServerUrl http://10.221.10.102/certsrv/mscep/mscep.dll
1024070837|scep |2|00|scepData.hostName = 10.221.10.102 scepData.scepURI = /certsrv/mscep/mscep.dll scepData.hostPort = 80, len = 20
1024070837|scep |4|00|ScepInit::onInit Device certificate not installed
1024070837|scep |5|00|scepCertValidity  read_cert failed with ret 93
1024070837|scep |5|00|scepExpiryDuration  read_cert failed with ret 93
1024070837|scep |5|00|scepCertValidFor validFor 0 
1024070837|scep |5|00|scepTime2Renewal validFor 0 RenewalThreshold 80
1024070837|scep |5|00|ScepInit::onInit cert RenewalDuration 0 seconds RenewalTrigger 0 seconds isDevCertNotAvailable 1 
1024070837|scep |0|00|ScepEventHandler Event 3
1024070837|scep |1|00|ScepEventHandler Event GETCA_RA
1024070837|scep |1|00|scepLIB: scep msg: /certsrv/mscep/mscep.dll?operation=GetCACaps&message=CACapsIdentifier 
1024070837|scep |2|00|scepLIB: Use CURL for HTTP(s) ? 0x56c820
1024070837|scep |0|00|ScepCurlInterface::CurlRequest 
1024070837|scep |0|00|ScepCurlInterface::CurlRequest m_bIsSecure: 0
1024070837|scep |0|00|[CurlRequest]configured values SCEPUsername:
1024070837|scep |0|00|[CurlRequest] concatURL url:http://10.221.10.102/certsrv/mscep/mscep.dll?operation=GetCACaps&message=CACapsIdentifier 
1024070837|scep |1|00|[connectToProxy] WPAD feature is disabled for mode '3'
1024070837|scep |3|00|[connectToProxy] Using DIRECT proxy for mode '3'
1024070837|scep |4|00|[CurlRequest] Proxy connect result '0'
1024070837|scep |0|00|[CurlRequest] hostPort:80
1024070837|scep |0|00|[CurlRequest]scephttpusername and scephttpuserpassword NOT configured
1024070837|scep |0|00|[CurlRequest]scephttpusername and scephttpuserpassword NOT configured
1024070837|scep |*|00|ScepCurlInterface::CurlRequest  Hostname  = 10.221.10.102 => dns addr = 10.221.10.102, 
1024070837|scep |1|00|CURLINFO   : About to connect() to 10.221.10.102 port 80 (#0)
1024070837|scep |1|00|CURLINFO   :   Trying 10.221.10.102... 
1024070837|scep |1|00|CURLINFO   : Connected to 10.221.10.102 (10.221.10.102) port 80 (#0)
1024070837|scep |1|00|HEADER_OUT : GET /certsrv/mscep/mscep.dll?operation=GetCACaps&message=CACapsIdentifier  HTTP/1.1
1024070837|ssps |4|00|sspsPktChanTxAddMRHubData: actual time newer than estimated time by 20822192ns (limit 20000000ns). Assuming discontinuity and correcting MessagesMissed:1
1024070837|scep |1|00|HEADER_IN  : HTTP/1.1 200 OK
1024070837|scep |1|00|HEADER_IN  : Content-Type: text/plain
1024070837|scep |1|00|HEADER_IN  : Server: Microsoft-IIS/8.5
1024070837|scep |1|00|HEADER_IN  : X-Powered-By: ASP.NET
1024070837|scep |1|00|HEADER_IN  : Date: Wed, 24 Oct 2018 14:08:31 GMT
1024070837|scep |1|00|HEADER_IN  : Content-Length: 34
1024070837|scep |1|00|HEADER_IN  : 
1024070837|scep |1|00|CURLINFO   : Connection #0 to host 10.221.10.102 left intact
1024070837|scep |4|00|ScepCurlInterface:: connection successful with scep server : 10.221.10.102
1024070837|scep |0|00|ScepCurlInterface::CurlRequest result 0 httpResCode 200
1024070837|scep |1|00|CURLINFO   : Closing connection #0
1024070837|scep |4|00|ScepCurlInterface::CurlRequest success  result 0 httpResCode 200
1024070837|scep |1|00|scepLIB: valid response from server
1024070837|scep |5|00| ScepState::onGetCACaps complete PkiStatus0
1024070837|scep |1|00|scepCACertData.caCertFile /data/polycom/ffs0/scepcafile
1024070837|scep |0|00|scepLIB: SCEP_OPERATION_GETCA dflag 0
1024070837|scep |0|00|scepLIB: scep msg: /certsrv/mscep/mscep.dll?operation=GetCACert&message=CAIdentifier 
1024070837|scep |2|00|scepLIB: Use CURL for HTTP(s) ? 0x56c820
1024070837|scep |0|00|ScepCurlInterface::CurlRequest 
1024070837|scep |0|00|ScepCurlInterface::CurlRequest m_bIsSecure: 0
1024070837|scep |0|00|[CurlRequest]configured values SCEPUsername:
1024070837|scep |0|00|[CurlRequest] concatURL url:http://10.221.10.102/certsrv/mscep/mscep.dll?operation=GetCACert&message=CAIdentifier 
1024070837|scep |1|00|[connectToProxy] WPAD feature is disabled for mode '3'
1024070837|scep |3|00|[connectToProxy] Using DIRECT proxy for mode '3'
1024070837|scep |4|00|[CurlRequest] Proxy connect result '0'
1024070837|scep |0|00|[CurlRequest] hostPort:80
1024070837|scep |0|00|[CurlRequest]scephttpusername and scephttpuserpassword NOT configured
1024070837|scep |0|00|[CurlRequest]scephttpusername and scephttpuserpassword NOT configured
1024070837|scep |1|00|CURLINFO   : About to connect() to 10.221.10.102 port 80 (#0)
1024070837|scep |1|00|CURLINFO   :   Trying 10.221.10.102... 
1024070838|scep |1|00|CURLINFO   : connected after 1 seconds
1024070838|scep |1|00|CURLINFO   : Connected to 10.221.10.102 (10.221.10.102) port 80 (#0)
1024070838|scep |1|00|HEADER_OUT : GET /certsrv/mscep/mscep.dll?operation=GetCACert&message=CAIdentifier  HTTP/1.1
1024070838|scep |1|00|HEADER_IN  : HTTP/1.1 200 OK
1024070838|scep |1|00|HEADER_IN  : Content-Type: application/x-x509-ca-ra-cert
1024070838|scep |1|00|HEADER_IN  : Server: Microsoft-IIS/8.5
1024070838|scep |1|00|HEADER_IN  : X-Powered-By: ASP.NET
1024070838|scep |1|00|HEADER_IN  : Date: Wed, 24 Oct 2018 14:08:31 GMT
1024070838|scep |1|00|HEADER_IN  : Content-Length: 3816
1024070838|scep |1|00|HEADER_IN  : 
1024070838|scep |1|00|CURLINFO   : Connection #0 to host 10.221.10.102 left intact
1024070838|scep |0|00|ScepCurlInterface::CurlRequest result 0 httpResCode 200
1024070838|scep |1|00|CURLINFO   : Closing connection #0
1024070838|scep |4|00|ScepCurlInterface::CurlRequest success  result 0 httpResCode 200
1024070838|scep |2|00|scepLIB: valid response from server
1024070838|scep |2|00|scepLIB: certificate written as /data/polycom/ffs0/scepcafile0.crt
1024070838|scep |2|00|scepLIB: certificate written as /data/polycom/ffs0/scepcafile1.crt
1024070838|scep |2|00|scepLIB: certificate written as /data/polycom/ffs0/scepcafile.crt
1024070838|scep |2|00|scepLIB: write_ca_ra scep - success
1024070838|scep |4|00| ScepInit::onGetCA complete PkiStatus0
1024070838|scep |0|00|ScepEventHandler Event 4
1024070838|scep |1|00|ScepEventHandler Event GETCA_RA_SUCCESS
1024070838|scep |4|00|ScepInit::onGetCASuccess SCEP Enrollment start
1024070838|scep |0|00|scepCertInstall CA /data/polycom/ffs0/scepcafile.crt
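
The log above and the two Subject lines in the Configuration Enhancement section can be summarised with a small parser. This is an added example, not part of the original post or any Poly tooling; the field layout and message patterns are inferred from the excerpts on this page, and the function and key names are assumptions.

```python
import re

# Log line layout as it appears on this page: time|component|level|seq|message
LINE = re.compile(r"^(\d+)\|(\w+)\s*\|(.)\|(\d+)\|(.*)$")
RULES = {  # summary key -> pattern applied to the message field
    "server_url": re.compile(r"scep url : (\S+)"),
    "operations": re.compile(r"scep msg: \S*\?operation=(\w+)"),
    "http_codes": re.compile(r"CurlRequest result \d+ httpResCode (\d+)"),
    "pki_status": re.compile(r"(\w+) complete PkiStatus\s*(-?\d+)"),
    "cn": re.compile(r"Subject: .*/CN=([^/]+)$"),
}

def classify_cn(cn):
    """Heuristic: map a CSR common name to the schemes the page describes."""
    if re.fullmatch(r"[0-9A-Fa-f]{12}", cn):
        return "mac-only"      # PVOS 9.0.0 and later
    if re.fullmatch(r".+[0-9A-Fa-f]{12}", cn):
        return "product+mac"   # UC Software 7.2.1 and later, null commonName
    return "custom"

def triage(log_text):
    """Summarise the SCEP exchange recorded in a phone log."""
    out = {key: [] for key in RULES}
    out["plain_http"] = False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m[2] != "scep":
            continue           # blank lines and other components (so, ssps)
        out["plain_http"] |= "m_bIsSecure: 0" in m[5]  # request sent without TLS
        for key, rx in RULES.items():
            hit = rx.search(m[5])
            if hit:
                out[key].append(hit.groups() if rx.groups > 1 else hit.group(1))
    out["cn_style"] = [classify_cn(cn) for cn in out["cn"]]
    return out

# Lines copied from the log excerpts on this page
SAMPLE = """\
1024070742|so   |*|00|SCEP Feature is enabled
1024070837|scep |2|00| ScepInit::onInit scep url : http://10.221.10.102/certsrv/mscep/mscep.dll
1024070837|scep |1|00|scepLIB: scep msg: /certsrv/mscep/mscep.dll?operation=GetCACaps&message=CACapsIdentifier
1024070837|scep |0|00|ScepCurlInterface::CurlRequest m_bIsSecure: 0
1024070837|scep |0|00|ScepCurlInterface::CurlRequest result 0 httpResCode 200
1024070837|scep |5|00| ScepState::onGetCACaps complete PkiStatus0
1024070837|scep |0|00|scepLIB: scep msg: /certsrv/mscep/mscep.dll?operation=GetCACert&message=CAIdentifier
1016111919|scep |3|00|  Subject: /C=UK/ST=Greater VoiceWorld/L=MyTown/O=MyOrganisation/OU=MyOrganisationUnit/CN=CCX70064167FDFD123
1016111919|scep |3|00|  Subject: /C=UK/ST=Greater VoiceWorld/L=MyTown/O=MyOrganisation/OU=MyOrganisationUnit/CN=64167FDFD123
"""
if __name__ == "__main__":
    print(triage(SAMPLE))
```

When `plain_http` is True, the CA certificate returned by GetCACert travelled over an unauthenticated channel, so the CA Fingerprint configured on the phone is what ties the enrollment to the intended CA.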

 

How can I add an 802.1x EAP-PEAPv0/MSCHAPv2 Certificate or use Dot.1x?

 

Do Poly phones support Windows SCEP Network Device Enrollment Service certificate provisioning?

 

A Poly Employee provides step-by-step instructions on how to set this up > here <, > here < and > here <

Log on to http://<IP or FQDN>/certsrv/mscep_admin and get the enrolment challenge password

 

 

On a compatible Poly Phone navigate to Settings > SCEP > SCEP Settings


 

  • SCEP URL would be http://<IP or FQDN>/certsrv/mscep/mscep.dll

  • CA Fingerprint is taken from Root CA via http://<IP or FQDN>/certsrv/certcarc.asp > Download a CA certificate > Download CA certificate > Open File > Details > Thumbprint 


     

  • Copy the fingerprint and use, for example, Notepad++ to remove the spaces and change it to capital characters


     

  • Challenge Password is from http://<IP or FQDN>/certsrv/mscep_admin as outlined above, for example EFF11A9C832952AC
  • Common Name, Organization, Email Address, State, and Country must be supplied or the SCEP process does not start
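
The fingerprint clean-up in the steps above can be scripted and cross-checked against the downloaded CA certificate. This is an added example, not from the original post; it assumes the Windows Thumbprint field is the SHA-1 hash of the certificate's DER encoding, and the function names are hypothetical.

```python
import base64
import hashlib
import re
import sys

PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
HEX = set("0123456789abcdefABCDEF")

def normalise_thumbprint(pasted):
    """Return the pasted thumbprint with no spaces and in capital characters."""
    # Keeping hex digits only also drops colons and invisible characters
    # (for example U+200E) that can be picked up when copying from the dialog.
    cleaned = "".join(ch for ch in pasted if ch in HEX).upper()
    if len(cleaned) != 40:  # assumption: SHA-1 thumbprint, 20 bytes
        raise ValueError(f"expected 40 hex digits, got {len(cleaned)}")
    return cleaned

def thumbprint_of(cert_bytes):
    """SHA-1 over the DER encoding; accepts a DER or Base 64 (PEM) download."""
    m = PEM.search(cert_bytes)
    der = base64.b64decode(m.group(1)) if m else cert_bytes
    return hashlib.sha1(der).hexdigest().upper()

def matches(cert_bytes, pasted):
    """True when the pasted thumbprint belongs to the downloaded certificate."""
    return thumbprint_of(cert_bytes) == normalise_thumbprint(pasted)

if __name__ == "__main__":
    # Usage: python thumbprint.py <downloaded CA certificate> [pasted thumbprint]
    with open(sys.argv[1], "rb") as fh:
        cert = fh.read()
    print(thumbprint_of(cert))
    if len(sys.argv) > 2:
        print("match" if matches(cert, sys.argv[2]) else "MISMATCH")
```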
------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.
