• ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
The Poly Phones Knowledge Base is live! We look forward to helping you with common issues and troubleshooting advice!
HP Recommended

I've been able to manually install a device certificate through the
Advanced->TLS menu area and specifying the URL of the device
certificate, but that's cumbersome for a large amount of phones.
 
In the example site.cfg file, I see the device.sec.TLS.customDeviceCert1.set
value to set a custom device cert, but when I manually add
device.sec.TLS.customDeviceCert1 and store the PEM encoded
certificate, the app.log file shows an error that
device.sec.TLS.customDeviceCert1 is an unknown parameter.
 
I've even tried storing the device certificate public key here:
sec.TLS.customDeviceCert.1 and the private key here:
sec.TLS.customDeviceKey.1  The parameters are accepted, but the
certificate still doesn't show up in Advanced->TLS->Custom device.
I've even turned on "Debug" level logging for TLS and Configuration,
and it shows no errors.
 
I've been able to store my custom CA certificate with no problem here:
device.sec.TLS.customCaCert1
and here:
sec.TLS.customCaCert.1

 

Does Polycom even support loading a device cert with config files?

 

1 ACCEPTED SOLUTION

Accepted Solutions
HP Recommended

Steffen, we all know how to add CA certs to the phones with config files, and I've been able to manually add device certificates through the phone and the phone's website, but this doesn't work for large numbers of phones.  It has to be done with config files.

 

After 20+ hours of work, and figuring out UNDOCUMENTED settings that are NOWHERE to be found in the manual, here's my definitive guide to certificates on polycom phones with 4.x software.  I leave it up to the reader to decide which code snippets to use in their own config files, as it's highly site-dependent on how you want to implement encryption.

 

 

CA certificate for Platform CA1:

    <device.sec.TLS device.set="1"
        device.sec.TLS.customCaCert1="-----BEGIN CERTIFICATE----- 
blah blah blah
-----END CERTIFICATE-----"> 
      <device.sec.TLS.customCaCert1
           device.sec.TLS.customCaCert1.set="1"> 
      </device.sec.TLS.customCaCert1> 

 

 

CA certificate for Application CA1:

      <sec.TLS.customCaCert sec.TLS.customCaCert.1="-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----"> 

 

 

Device certificate loaded as Platform1:

      <device.sec.TLS.customDeviceCert1 device.set="1" 
          device.sec.TLS.customDeviceCert1.publicCert="-----BEGIN CERTIFICATE----- 
blah blah blah
-----END CERTIFICATE-----" 
          device.sec.TLS.customDeviceCert1.privateKey="-----BEGIN RSA PRIVATE KEY----- 
blah blah blah
-----END RSA PRIVATE KEY-----" 
          device.sec.TLS.customDeviceCert1.set="1"> 
      </device.sec.TLS.customDeviceCert1> 

 

 

Device certificate loaded as Application1:

    <sec.TLS.customDeviceCert 
        sec.TLS.customDeviceCert.1="-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----">
    </sec.TLS.customDeviceCert> 
    <sec.TLS.customDeviceKey 
        sec.TLS.customDeviceKey.1="-----BEGIN RSA PRIVATE KEY-----
blah blah blah
-----END RSA PRIVATE KEY-----">
    </sec.TLS.customDeviceKey> 

 

View solution in original post

7 REPLIES 7
HP Recommended

I confess that I have already had the same question, but unfortunatly left unaswered by the Polycom reseller.

I would be very interested in this response.

Joao

HP Recommended

Hello all,

 

I actually load for example a LYNC Certificate like this (shortened):

 

<LYNCCert>
<corprootca sec.TLS.profileSelection.SIP="ApplicationProfile1" sec.TLS.customCaCert.1="-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gJL3W9Ng9w5w9yDrpHtwfufG6UevQDcZj2NywtJ1OEu9MSos4dNyypDnI=
-----END CERTIFICATE-----" />
</LYNCCert>

 

Another Option in UCS 4.x.x is to actually load a certificate via the Web Interface onto the Phone,  Browse to Settings => Network => TLS:

 

certificate.png

 

Above shows my Phone that has already imported a Certificate. You can see in Platform CA 2 that I just specify a HTTP Hyperlink. This was used to enable SRTP for an Asterisk Server.

The Phone will then download the Certificate if Install is pressed.

Ticking the Box next to an installed Certificate will offer you the functionality to delete the existing certificate.

 

Once this is installed you can check the correct parameters when exporting the Phones configuration.

 

Any issues that a reseller cannot resolve should be logged by the reseller with Polycom Support.

 

Best Regards

 

Steffen Baier

 

Polycom Global Services

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN
HP Recommended

Steffen, we all know how to add CA certs to the phones with config files, and I've been able to manually add device certificates through the phone and the phone's website, but this doesn't work for large numbers of phones.  It has to be done with config files.

 

After 20+ hours of work, and figuring out UNDOCUMENTED settings that are NOWHERE to be found in the manual, here's my definitive guide to certificates on polycom phones with 4.x software.  I leave it up to the reader to decide which code snippets to use in their own config files, as it's highly site-dependent on how you want to implement encryption.

 

 

CA certificate for Platform CA1:

    <device.sec.TLS device.set="1"
        device.sec.TLS.customCaCert1="-----BEGIN CERTIFICATE----- 
blah blah blah
-----END CERTIFICATE-----"> 
      <device.sec.TLS.customCaCert1
           device.sec.TLS.customCaCert1.set="1"> 
      </device.sec.TLS.customCaCert1> 

 

 

CA certificate for Application CA1:

      <sec.TLS.customCaCert sec.TLS.customCaCert.1="-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----"> 

 

 

Device certificate loaded as Platform1:

      <device.sec.TLS.customDeviceCert1 device.set="1" 
          device.sec.TLS.customDeviceCert1.publicCert="-----BEGIN CERTIFICATE----- 
blah blah blah
-----END CERTIFICATE-----" 
          device.sec.TLS.customDeviceCert1.privateKey="-----BEGIN RSA PRIVATE KEY----- 
blah blah blah
-----END RSA PRIVATE KEY-----" 
          device.sec.TLS.customDeviceCert1.set="1"> 
      </device.sec.TLS.customDeviceCert1> 

 

 

Device certificate loaded as Application1:

    <sec.TLS.customDeviceCert 
        sec.TLS.customDeviceCert.1="-----BEGIN CERTIFICATE-----
blah blah blah
-----END CERTIFICATE-----">
    </sec.TLS.customDeviceCert> 
    <sec.TLS.customDeviceKey 
        sec.TLS.customDeviceKey.1="-----BEGIN RSA PRIVATE KEY-----
blah blah blah
-----END RSA PRIVATE KEY-----">
    </sec.TLS.customDeviceKey> 

 

HP Recommended

Hello Everyone,

 

I am new here. I tried Dan1234's suggestion on how to install customdevice certificate using config files and somehow I could not get mine to install on a VVX500. I put it both as custom device credentials platform1 and application1 on the site.cfg of mt tftp config folder.

 

Any inputs/suggestion is appreciated.

 

Thanks.

TonyJ

HP Recommended

This problem stumped me for a while too.  I'm running 5.7, and I needed to set the global ".set" parameter which is needed for updating any <device/> entry.

 

<device device.set="1">
   <device.sec.... etc... />
</device>

 

HP Recommended

Hello all,

 

This is also documented => here <= and I updated the above post adding the detail.

Best Regards

Steffen Baier

Polycom Global Services

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN
HP Recommended

Hello everybody,

 

I finally succeeded to add manually customer certificate onto the Platform CA through the configuration file.

 

The most important thing, you will need to activate the device.set="1"

 

The structure should be like that :

 

 

<?xml version="1.0" standalone="yes"?>

<change device.set="1"

		device.sec.TLS.customCaCert1.set="1"
		device.sec.TLS.customCaCert1="-----BEGIN CERTIFICATE-----
blabla-root CA
-----END CERTIFICATE-----"

device.sec.TLS.customCaCert2.set="1"
device.sec.TLS.customCaCert2="-----BEGIN CERTIFICATE-----
blabla-intermediate CA
-----END CERTIFICATE-----"

 

† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.