Importing Certificates on Polycom SIP Phones

A recent blog article shows how to easily deploy a Polycom SIP Phone running UCS 4.1.0 firmware in a Lync environment, but if the device is unable to successfully sign in to the Lync server then this is typically a TLS communications problem, most often caused by a certificate trust failure.

Lync Registration Failure

If registration of the device fails to the Lync Server the first thing to check is the device logs which are accessible through the phone’s built-in web management interface.

Check Device Logs

  • Open the web management interface by connecting to the IP address of the phone in a web browser, provide the Admin password (default value is ‘456’) and browse to the Diagnostics > View & Download Logs menu.

000928.720|cfg  |4|00|Prov|Unknown suboption received for DHCP option 43
000928.720|cfg  |4|00|Prov|Invalid STS-URI: ‘http:///anon’
000930.280|sip  |4|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList ‘sipinternal.mslync.net’ found no records.
000930.281|sip  |4|00|doDnsListLookup(tcp): doDnsSrvLookupForARecordList ‘sipinternal.mslync.net’ found no records.
000930.281|sip  |4|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList ‘sipexternal.mslync.net’ found no records.
000930.281|sip  |4|00|doDnsListLookup(tcp): doDnsSrvLookupForARecordList ‘sipexternal.polycomcsna.com’ found no records.
000930.456|sip  |4|00|Server certificate verification failed, Untrusted Certificate
000930.456|sip  |4|00|Server certificate verification failed, Untrusted Certificate
000930.457|sip  |4|00|MakeTlsConnection: SSL_connect error 1
000930.457|sip  |4|00|MakeTlsConnection: connection failed error -1

The log excerpt above shows what happens when the device is unable to locate the Lync Server certificate provisioning service due to missing or incorrectly configured DHCP Option 43 values: no root certificate is downloaded, so the subsequent TLS connection to the Lync Server fails with an Untrusted Certificate error.
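To make the pattern in that excerpt easy to spot across a longer download, here is a small triage script (added here as an example; it is not part of the original article or of Polycom's software). It splits the UCS log format into its pipe-separated fields and reports the DHCP option 43, STS-URI, DNS SRV, untrusted-certificate and SSL_connect conditions in the order they appear. The sample input is the article's own excerpt; the SSL_connect number is an OpenSSL SSL_get_error() code, so 1 is SSL_ERROR_SSL (a protocol or certificate failure) and the 5 some commenters below report is SSL_ERROR_SYSCALL (the socket failed or the peer closed the connection). The field names and finding codes are my own choices.

```python
import re

# Log excerpt as quoted in the article above (curly-quoted names kept as printed).
SAMPLE_LOG = """\
000928.720|cfg  |4|00|Prov|Unknown suboption received for DHCP option 43
000928.720|cfg  |4|00|Prov|Invalid STS-URI: ‘http:///anon’
000930.280|sip  |4|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList ‘sipinternal.mslync.net’ found no records.
000930.281|sip  |4|00|doDnsListLookup(tcp): doDnsSrvLookupForARecordList ‘sipinternal.mslync.net’ found no records.
000930.281|sip  |4|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList ‘sipexternal.mslync.net’ found no records.
000930.281|sip  |4|00|doDnsListLookup(tcp): doDnsSrvLookupForARecordList ‘sipexternal.polycomcsna.com’ found no records.
000930.456|sip  |4|00|Server certificate verification failed, Untrusted Certificate
000930.456|sip  |4|00|Server certificate verification failed, Untrusted Certificate
000930.457|sip  |4|00|MakeTlsConnection: SSL_connect error 1
000930.457|sip  |4|00|MakeTlsConnection: connection failed error -1
"""

# UCS log line layout: timestamp|module|level|thread|message (the message may itself contain '|').
LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<mod>[^|]+)\|(?P<lvl>[^|]*)\|(?P<thr>[^|]*)\|(?P<msg>.*)$")

# The number after "SSL_connect error" is an OpenSSL SSL_get_error() code.
SSL_ERROR_NAMES = {
    1: "SSL_ERROR_SSL (TLS protocol or certificate failure)",
    5: "SSL_ERROR_SYSCALL (socket I/O failed or peer closed the connection)",
}


def parse_line(line):
    """Split one UCS log line into its fields; return None for non-log text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["mod"] = rec["mod"].strip()
    return rec


def triage(log_text):
    """Return an ordered, de-duplicated list of (code, detail) findings."""
    findings = []

    def add(code, detail):
        if (code, detail) not in findings:
            findings.append((code, detail))

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if "Unknown suboption received for DHCP option 43" in msg:
            add("dhcp_option43", "DHCP option 43 missing or malformed; certificate provisioning service not discoverable")
        elif "Invalid STS-URI" in msg:
            add("sts_uri", msg.split("|", 1)[-1])
        elif "found no records" in msg:
            name = re.search(r"[‘'](.+?)[’'] found no records", msg)
            add("dns_srv", name.group(1) if name else msg)
        elif "Untrusted Certificate" in msg:
            add("untrusted_cert", "server certificate chain is not trusted by the phone; load the CA certificate(s)")
        else:
            m = re.search(r"SSL_connect error (\d+)", msg)
            if m:
                code = int(m.group(1))
                add("ssl_connect", SSL_ERROR_NAMES.get(code, f"unrecognised code {code}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code:15} {detail}")
```

Paste a downloaded log into SAMPLE_LOG (or read it from a file) and the script lists each distinct condition once; an "untrusted_cert" finding with no "dhcp_option43" line points at the certificate store rather than at DHCP.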

Check Certificate Store

  • To validate that the root certificate was not successfully downloaded press the physical Home button and then tap the following menu items: Settings > Advanced > Administration Settings > TLS Security > Custom CA Certificates and then scroll down to the bottom of the list to the Application CA 6 container.

  • To perform the same check using the web management interface instead browse to the Settings > Network > TLS menu and check that the Application CA 6 container is blank.


Import Root Certificate

In this scenario the device was not able to automatically download a root certificate and thus cannot establish a secure TLS connection to the Lync Server to begin the registration process.

In the event that this prerequisite configuration is not available, or the phone is unable to successfully import the root certificate chain, then the certificate(s) must be provided to the phone manually.  Note that the automatic download process uses the last container, Application CA 6, because it is the least commonly used container and should prevent conflicts when multiple certificate chains are loaded into the device at one time.  When importing certificates manually any of the available Application CA containers can be used; the examples below use Application CA 1.

There are two different processes available for manually providing a root certificate or chain of certificates to the device, either by importing an XML configuration file which contains the certificate hash(es) or by hosting a certificate file on a web server and simply pointing the device to the URL to import it.

XML Method

The approach is basically the same process as documented for the previous 4.0 release by using an XML configuration file, but the file will only contain the few parameters specific to the certificate and not all of the other parameters that used to be required for the older version.

  • Follow the steps at the beginning of this article under the Preparation section entitled “Retrieving the CA Certificate Hash” to export the root certificate hash.

  • Create a new XML file as instructed in the previous article, but instead only include the following two parameters: “sec.TLS.customCaCert.1” and “sec.TLS.profileSelection.SIP”.  Save the file (e.g. cert.cfg).

<?xml version="1.0" encoding="utf-8"?>
<!-- UCS 4.1 Lync Certificate Import File -->
<!-- Paste the exported certificate hash as the value of sec.TLS.customCaCert.1 -->
<lync>
  <cert sec.TLS.customCaCert.1="" sec.TLS.profileSelection.SIP="ApplicationProfile1" />
</lync>

If a different container is desired simply update the last digit in the sec.TLS.customCaCert.1 parameter to a value of 1 through 6 to coincide with one of the six Application CA containers, and change the digit in the ApplicationProfile1 value of the second parameter to match.  For example, to store a certificate in container 3 use sec.TLS.customCaCert.3 together with ApplicationProfile3.  This approach may be needed to import a chain of multiple certificates in some environments.

  • Using the web management interface browse to the Utilities > Import & Export Configuration menu and expand Import Configuration.

  • Click Choose File and then locate the XML configuration file created in the previous step (e.g. cert.cfg) and then select Import.

  • If performed correctly, and the user credentials are still stored in the phone, then the device should automatically register to Lync within a matter of a few seconds.
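The one mistake that is easy to make with the XML method is leaving the container digit in sec.TLS.customCaCert.N and the digit in ApplicationProfileN out of step. The following script (an added example, not the article's or Polycom's code) renders the two-parameter file for any container 1 through 6 and then re-parses it to confirm the two digits agree and the certificate value is not empty. SAMPLE_CERT_TEXT is a constructed placeholder standing in for the exported certificate hash from the Preparation section; the function names are my own.

```python
from xml.sax.saxutils import quoteattr
import xml.etree.ElementTree as ET

CONTAINERS = range(1, 7)  # the six Application CA containers

# Constructed placeholder for the exported certificate text (the "hash" from the
# Preparation section); not a real certificate.
SAMPLE_CERT_TEXT = "MIIBplaceholderCERTIFICATEtextNotARealCA=="


def build_cert_cfg(cert_text, container=1):
    """Render the two-parameter import file for one Application CA container."""
    if container not in CONTAINERS:
        raise ValueError("Application CA container must be between 1 and 6")
    cert_text = cert_text.strip()
    if not cert_text:
        raise ValueError("certificate text is empty; export it first")
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<!-- UCS 4.1 Lync Certificate Import File -->\n"
        "<lync>\n"
        f"  <cert sec.TLS.customCaCert.{container}={quoteattr(cert_text)} "
        f'sec.TLS.profileSelection.SIP="ApplicationProfile{container}" />\n'
        "</lync>\n"
    )


def check_cert_cfg(xml_text):
    """Parse an import file and return its container number, or raise ValueError
    when the customCaCert digit and the ApplicationProfile digit disagree."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    cert = root.find("cert")
    if root.tag != "lync" or cert is None:
        raise ValueError("expected <lync><cert .../></lync>")
    ca_keys = [k for k in cert.attrib if k.startswith("sec.TLS.customCaCert.")]
    if len(ca_keys) != 1:
        raise ValueError("exactly one sec.TLS.customCaCert.N attribute expected")
    n = int(ca_keys[0].rsplit(".", 1)[1])
    if n not in CONTAINERS:
        raise ValueError(f"container {n} is outside 1..6")
    if not cert.attrib[ca_keys[0]].strip():
        raise ValueError("certificate value is empty")
    profile = cert.attrib.get("sec.TLS.profileSelection.SIP", "")
    if profile != f"ApplicationProfile{n}":
        raise ValueError(f"{profile!r} does not match container {n}")
    return n


if __name__ == "__main__":
    import sys

    n = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    cfg = build_cert_cfg(SAMPLE_CERT_TEXT, n)
    check_cert_cfg(cfg)  # refuse to write a file the phone would reject
    with open("cert.cfg", "w", encoding="utf-8") as fh:
        fh.write(cfg)
```

Run it with the container number as the only argument and it writes cert.cfg ready for the Utilities > Import & Export Configuration page; quoteattr takes care of any characters in the certificate value that would otherwise break the attribute.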

Web Server Method

There is also an alternative approach to importing the certificates on the phone that doesn’t require the XML configuration file shown above.  Instead the certificate hash file(s) are placed on a standard web server that the phone can connect to, and the certificate is then imported manually from the web management interface using a URL.  This process is simpler than dealing with the XML configuration file and provides a single distribution point for importing the certificate.

  • Follow the steps at the beginning of this article under the Preparation section entitled “Retrieving the CA Certificate Hash” to export the root certificate hash.

  • Copy the newly created certificate text file (e.g. RootCA.cer) to an accessible web server directory.  In this example the default root directory (wwwroot) for IIS on a Windows Server was used.  Typically a Lync Server itself cannot be used in this fashion as authentication is required even for HTTP connections to the server, so the default IIS installation on another Windows server, which allows anonymous HTTP connections, was used.

  • Test anonymous HTTP access by connecting to the file’s URL (e.g. http://dc.schertz.local/RootCA.cer) using a web browser.  The contents of the plain text file should be displayed in the browser.

  • Open the web management interface and browse to the Settings > Network > TLS menu.  Select the desired Application CA container and enter the same URL to the certificate file that was used in the previous step (e.g. http://dc.schertz.local/RootCA.cer).

  • The Install button should activate once a properly formatted URL is entered.  Click Install and the device should report that the SSL certificate was successfully installed.  If the user credentials were already entered into the device and the Lync Base Profile previously selected then the phone will immediately attempt to register to the Lync Server.

If the certificate authority is multi-tiered, meaning there is a Root CA and one or more subordinate Issuing CAs, then the entire chain may need to be imported into the phone, depending on which CA issued and signed the certificate that was used on the Lync Servers.  If loading only the root CA certificate into the device does not resolve the registration failure then try also loading the other CA certificates in the same chain.

Using the web server process previously shown, multiple certificates can be imported into separate containers, one certificate per container.
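Most CA export tools hand you the whole chain in one PEM bundle, while the phone wants one certificate per Application CA container and one URL per file. The script below (added as an example; not from the article or from Polycom) splits a bundle into individual certificates, sanity-checks that each body is Base64 that decodes to a DER SEQUENCE, refuses more than the six containers the phone has, and produces the container number, file name and URL to enter for each. SAMPLE_BUNDLE is a constructed two-certificate chain built from tiny fake DER blobs (not real X.509 certificates); the base URL reuses the article's dc.schertz.local example host, and the file-name prefix and function names are assumptions of mine. The same split function doubles as the check for the "test anonymous HTTP access" step: feed it the body a browser or HTTP client fetched and it raises if the server did not return a certificate.

```python
import base64
import re

MAX_CONTAINERS = 6  # Application CA 1 through 6
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def _fake_pem(n):
    """Constructed stand-in for a certificate: a tiny DER SEQUENCE, not a real X.509 cert."""
    der = b"\x30\x03\x02\x01" + bytes([n])  # SEQUENCE { INTEGER n }
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed two-tier bundle (issuing CA first, root CA second), as an export tool might emit.
SAMPLE_BUNDLE = _fake_pem(2) + _fake_pem(1)


def split_pem_chain(bundle_text):
    """Return one normalised PEM block per certificate found in the bundle."""
    certs = []
    for body in PEM_RE.findall(bundle_text):
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)  # raises binascii.Error on junk
        if not der or der[0] != 0x30:
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no PEM certificate found; check the exported file or the URL")
    if len(certs) > MAX_CONTAINERS:
        raise ValueError(f"{len(certs)} certificates but only {MAX_CONTAINERS} containers")
    return certs


def plan_containers(bundle_text, base_url, prefix="ca"):
    """Map each certificate in the chain to an Application CA container, a file name
    to place in the web root, and the URL to enter under Settings > Network > TLS."""
    plan = []
    for i, pem in enumerate(split_pem_chain(bundle_text), start=1):
        filename = f"{prefix}{i}.cer"
        plan.append({
            "container": i,
            "filename": filename,
            "url": base_url.rstrip("/") + "/" + filename,
            "pem": pem,
        })
    return plan


if __name__ == "__main__":
    for entry in plan_containers(SAMPLE_BUNDLE, "http://dc.schertz.local/"):
        print(f"Application CA {entry['container']}: {entry['filename']} -> {entry['url']}")
```

Write each entry's "pem" text to its file name in the web root, then enter the matching URL in the corresponding container; the plan keeps the order of the bundle, so the issuing CA lands in Application CA 1 and the root in Application CA 2 for the sample above.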

About Jeff Schertz
Site Administrator

Comments

15 Responses to “Importing Certificates on Polycom SIP Phones”
  1. Eric Truax says:

    Is the 4.1 release GA yet. I can't seem to find it on support.polycom.com. I m trying to setup soundpoint IP 321 phone for testing in the lab.

    • jeffschertz says:

      Eric, as mentioned in the other articles the 4.1.0 Lync-only release for the SoundPoint phones can only be provided through your partner, it was not made available for public download. Future releases which support either Lync or Open SIP registration will be provided on the public download pages (like 4.1.2 for the VVX 500). The Lync-only releases are a limited release to prevent the massive amount of existing Open SIP deployments from unknowingly upgrading to a version that is only supported and tested for Lync registration.

  2. Vince Lance says:

    I am getting almost the same error except that I am getting this instead of connect error 1

    000027.708|sip |4|00|MakeTlsConnection: SSL_connect error 5
    000027.708|sip |4|00|MakeTlsConnection: connection failed error -1

    Do you have any idea what it means?

    • Glen Kösters says:

      Exact same problem here

      • Dave M says:

        I'm having the same issue as the gentlemen above. Exported my internal root CA from Lync FE server in Base64 format and imported it in my VVX500 web interface in Application CA 1. Seeing the same messages in diagnostic logging.

        0113014747|sip |4|00|MakeTlsConnection: SSL_connect error 5
        0113014747|sip |4|00|MakeTlsConnection: connection failed error -1

        • jeffschertz says:

          If you have more than 1 certificate in your root chain you should import all of them into separate slots in the phone.

  3. Magali Sourbes says:

    How do you import for a CX600 or CX500?

  4. Daniel says:

    I am unsuccessful at browsing to the phone's IP address.
    Can you provide instructions?
    I tried http, https.
    What am I missing?

    • jeffschertz says:

      It's as simple as entering the phone's IP address in a browser, and both HTTP and HTTPS connections are supported, so you may have a network connectivity issue or bad firmware and/or phone.

      • David says:

        Sometimes if you have a very modern browser and very old phone firmware you can use compatibility mode to get the web page to show up or respond…

  5. TDN says:

    Hi,
    I get the following error in my SoundPoint IP 331 phone with Lync Server 2013. Users cannot register into Lync.

    0704112527|sip |4|03|CTcpSocket::TlsListenThread: SSL_get_error Error code=5
    0704112527|sip |4|03|TLS Listen Thread Exit
    0704112527|sip |5|03|Send SSL_get_error nLen -1 nError 5 = error:00000000:lib(0):func(0):reason(0)
    0704112633|cfg |4|03|Prov|Unknown suboption received for DHCP option 43

    My firmware details are as below.
    UC Software Version 4.1.1.0260
    BootROM Software Version 5.1.0.85063

    The problem is that this does not happen in the previous firmware (4.1.0.84959).

    Thanks in advance.

  6. WTS says:

    Hi Jeff

    I've been on this issue for a day or two now. Ever since we had to remove an expired digicert root cert this weekend and run the util to ensure all new root certs are added, we have had issues. Our CX3000's were simple enough to fix, running a hardreset removed the cached root cert chain and they now auto discover fine.
    The cx5500, new or old, or factory reset still have an issue. I have tried the steps above and imported the entire root chain manually and still receive the error below. We did not get the certificate issue you have above, but have always had the same error listed in our logs below. Any pointers would be great!
    0730181429|so |4|03|[soRegistrationC] Login Credentials valid causing SoRegEventLine Changed
    0730181429|cfg |4|03|Prov|Unknown suboption received for DHCP option 43

    0730181429|cfg |4|03|Prov|Unknown suboption received for DHCP option 43

    0730181430|sip |*|03|dhcpOption120LyncQuery
    0730181430|utilm|4|03|uBLFUnCompressed: File /data/polycom/ffs0/Config/Local/WebTicket/0/certProvSvc.mex doesn't exist or is empty
    0730181430|app1 |*|03|SoRegistrationEventLineChanged – success lineIndex 0 RegListSize 0
    0730181430|app1 |*|03|SoRegistrationEventLast – new AppRegLineC, Default user
    0730181430|tickt|5|03|soWebticketGetAllUserInfo: soWebTicketServersGet Failed
    0730181430|sip |*|03|Sip Register Usr:CX5500 Dsp:CX5500 Auth:'Using Login Cred' Inx:0

    Thanks in advance!
