Importing Certificates on Polycom SIP Phones

November 5, 2012 by · 27 Comments 


A recent blog article shows how to easily deploy a Polycom SIP Phone running UCS 4.1.0 firmware in a Lync environment, but in the event that the device is unable to successfully sign in to the Lync server then this is typically a TLS communications problem most often attributed to a certificate trust failure.

Lync Registration Failure

If registration of the device fails to the Lync Server the first thing to check is the device logs which are accessible through the phone’s built-in web management interface.

Check Device Logs

  • Open the web management interface by simply connecting to the IP address of the phone from in a web browser, provide the Admin password (default value is ‘456’) and browse to the Diagnostics > View & Download Logs menu.

000928.720|cfg  |4|00|Prov|Unknown suboption received for DHCP option 43
000928.720|cfg  |4|00|Prov|Invalid STS-URI: 'http:///anon'
000930.280|sip  |4|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList '' found no records.
000930.281|sip  |4|00|doDnsListLookup(tcp): doDnsSrvLookupForARecordList '' found no records.
000930.281|sip  |4|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList '' found no records.
000930.281|sip  |4|00|doDnsListLookup(tcp): doDnsSrvLookupForARecordList '' found no records.
000930.456|sip  |4|00|Server certificate verification failed, Untrusted Certificate
000930.456|sip  |4|00|Server certificate verification failed, Untrusted Certificate
000930.457|sip  |4|00|MakeTlsConnection: SSL_connect error 1
000930.457|sip  |4|00|MakeTlsConnection: connection failed error -1

The log excerpt above shows what happens when the device is unable to locate the Lync Server certificate provisioning service due to missing or incorrectly configured DHCP Option 43 values.
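As an added example that is not part of the article, the following Python script runs the log signatures quoted above over a constructed excerpt in the same UCS log format and names the first check to make; the condition names, the ADVICE wording and the regular expressions are this example's own, not a Polycom tool.

```python
import re

# Constructed sample in the UCS log format shown above (time|module|level|thread|message); not from a real device.
SAMPLE_LOG = """\
000928.720|cfg  |4|00|Prov|Unknown suboption received for DHCP option 43
000928.720|cfg  |4|00|Prov|Invalid STS-URI: 'http:///anon'
000930.280|sip  |4|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList '' found no records.
000930.456|sip  |4|00|Server certificate verification failed, Untrusted Certificate
000930.457|sip  |4|00|MakeTlsConnection: SSL_connect error 1
000930.457|sip  |4|00|MakeTlsConnection: connection failed error -1
"""

LINE_RE = re.compile(r"^(?P<ts>[\d.]+)\|(?P<mod>\w+)\s*\|(?P<lvl>[\d*]+)\|(?P<thr>\d+)\|(?P<msg>.*)$")

# Message signatures from the article's excerpts, mapped to the condition each indicates.
SIGNATURES = [
    (re.compile(r"Unknown suboption received for DHCP option 43"), "dhcp43_bad"),
    (re.compile(r"Invalid STS-URI: .?http:///"), "dhcp43_bad"),  # empty host: no provisioning URL
    (re.compile(r"doDnsSrvLookupForARecordList .{0,2} found no records"), "sip_dns_empty"),
    (re.compile(r"Server certificate verification failed, Untrusted Certificate"), "untrusted_cert"),
    (re.compile(r"MakeTlsConnection: SSL_connect error (\d+)"), "tls_connect_error"),
]
ADVICE = [  # first applicable item wins, in the order the article works through the checks
    ("dhcp43_bad", "Check DHCP Option 43: the phone never found the certificate provisioning service"),
    ("untrusted_cert", "Check the Application CA containers: the root CA is missing, import it manually"),
    ("tls_connect_error", "TLS handshake failed without a trust error: import the whole CA chain, one cert per container"),
]

def parse_line(line):
    # Split one UCS log line into its fields; None if the line is not in log format.
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    # Collect the conditions present and any SSL_connect error codes seen.
    findings = {"conditions": set(), "ssl_errors": []}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        for pattern, cond in SIGNATURES:
            m = pattern.search(rec["msg"])
            if m:
                findings["conditions"].add(cond)
                if cond == "tls_connect_error":
                    findings["ssl_errors"].append(int(m.group(1)))
    return findings

def diagnosis(findings):
    return next((advice for cond, advice in ADVICE if cond in findings["conditions"]),
                "No known provisioning or certificate trust signature found")
```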

Check Certificate Store

  • To validate that the root certificate was not successfully downloaded press the physical Home button and then tap the following menu items: Settings > Advanced > Administration Settings > TLS Security > Custom CA Certificates and then scroll down to the bottom of the list to the Application CA 6 container.


  • To perform the same check using the web management interface instead browse to the Settings > Network > TLS menu and check that the Application CA 6 container is blank.



Import Root Certificate

In this scenario the device was not able to automatically download a root certificate and thus cannot establish a secure TLS connection to the Lync Server to begin the registration process.

In the event that this prerequisite configuration is not available or the phone is unable to successfully import the root certificate chain then the certificate(s) must be provided to the phone manually.  Understand that the automatic download process simply uses the last Application CA 6 container as it is the least commonly used container and should prevent conflicts when multiple cert chains are loaded into the device at one time.  When importing certificates manually any of the available Application CA containers can be used; the examples below will utilize Application CA 1.

There are two different processes available for manually providing a root certificate or chain of certificates to the device, either by importing an XML configuration file which contains the certificate hash(es) or by hosting a certificate file on a web server and simply pointing the device to the URL to import it.

XML Method

The approach is basically the same process as documented for the previous 4.0 release by using an XML configuration file, but the file will only contain the few parameters specific to the certificate and not all of the other parameters that used to be required for the older version.

  • Follow the steps at the beginning of this article under the Preparation section entitled “Retrieving the CA Certificate Hash” to export the root certificate hash.

  • Create a new XML file as instructed in the previous article, but only include the following two parameters: “sec.TLS.customCaCert.1” and “sec.TLS.profileSelection.SIP”.  Save the file (e.g. cert.cfg).

<?xml version="1.0" encoding="utf-8"?>
<!--UCS 4.1 Lync Certificate Import File-->
<cert sec.TLS.customCaCert.1="" sec.TLS.profileSelection.SIP="ApplicationProfile1" />


If a different container is desired simply update the last digit in the sec.TLS.customCaCert.1 parameter to a value of 1 through 6 to coincide with one of the six Application CA containers.  In addition, change the digit in the ApplicationProfile1 value for the second parameter to match.  For example, to store a certificate in container 3 update the configuration as shown below.  This approach may be needed to import a chain of multiple certificates in some environments.


  • Using the web management interface browse to the Utilities > Import & Export Configuration menu and expand Import Configuration.

  • Click Choose File and then locate the XML configuration file created in the previous step (e.g. cert.cfg) and then select Import.


  • If performed correctly, and the user credentials are still stored in the phone, then the device should automatically register to Lync within a matter of a few seconds.
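As an added example that is not the article's own code, this Python helper writes the cert.cfg file described above for a chosen Application CA container, enforcing the container-to-profile digit pairing and refusing input that is not exactly one PEM-framed certificate. SAMPLE_PEM is a constructed placeholder, not a real certificate, and the function and variable names are this example's own.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed placeholder: a minimal Base64 blob (a bare DER SEQUENCE header) standing in
# for the exported root CA certificate text. It is NOT a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----$"
)

def validate_pem_certificate(pem):
    # Return the DER bytes if `pem` is exactly one PEM-framed certificate, else raise.
    m = _PEM_RE.match(pem.strip())
    if m is None or pem.count("BEGIN CERTIFICATE") != 1:
        raise ValueError("expected exactly one PEM-framed certificate")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if len(der) < 2 or der[0] != 0x30:  # an X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("Base64 payload does not decode to a DER SEQUENCE")
    return der

def build_cert_cfg(pem, container=1):
    # Build the cert.cfg body for one Application CA container (1 through 6); the
    # profileSelection digit must match the container digit, as the article notes.
    if container not in range(1, 7):
        raise ValueError("Application CA container must be 1 through 6")
    validate_pem_certificate(pem)
    # PEM text is only Base64 characters, dashes and newlines, so no XML escaping is needed.
    body = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<!--UCS 4.1 Lync Certificate Import File-->\n"
        f'<cert sec.TLS.customCaCert.{container}="{pem.strip()}"'
        f' sec.TLS.profileSelection.SIP="ApplicationProfile{container}" />\n'
    )
    ET.fromstring(body)  # raises ParseError if the result is not well-formed XML
    return body
```

Write the returned string to a file such as cert.cfg and import it through Utilities > Import & Export Configuration as described in the steps above.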

Web Server Method

There is also an alternative approach to importing the certificates on the phone that doesn’t require using the XML configuration files shown above.  Instead the certificate hash file(s) are placed on a standard web server that the phone can connect to, and the certificate is then imported manually from the web management interface using a URL.  This process is simpler than dealing with the XML configuration file and provides a single distribution point for importing the certificate.

  • Follow the steps at the beginning of this article under the Preparation section entitled “Retrieving the CA Certificate Hash” to export the root certificate hash.

  • Copy the newly created certificate text file (e.g. RootCA.cer) to an accessible web server directory.  In this example the default root directory (wwwroot) for IIS on a Windows Server was used.  Typically a Lync Server itself cannot be used in this fashion as authentication is required for even HTTP connections to the server, so the default IIS installation on another Windows server was used, which allowed for anonymous HTTP connections.


  • Test anonymous HTTP access by connecting to the file’s URL (e.g. http://dc.schertz.local/RootCA.cer) using a web browser.  The contents of the plain text file should be displayed as shown in the following screenshot.


  • Open the web management interface and browse to the Settings > Network > TLS menu.  Select the desired Application CA container and enter the same URL to the certificate file that was used in the previous step (e.g. http://dc.schertz.local/RootCA.cer).

  • The Install button should activate once a properly formatted URL is entered.  Click Install and the device should report that the SSL certificate was successfully installed.  If the user credentials were already entered into the device and the Lync Base Profile previously selected then the phone will immediately attempt to register to the Lync Server.


If the certificate authority is multi-tiered, meaning there is a Root CA and one or more subordinate Issuing CAs, then the entire chain may need to be imported into the phone, depending on which CA issued and signed the certificate that was used on the Lync Servers.  If loading only the root CA certificate into the device does not resolve the registration failure then try also loading any other CA certificates in the same chain.

Using the web server process previously shown multiple certificates can be imported into separate containers as depicted below.


About Jeff Schertz
Site Administrator


27 Responses to “Importing Certificates on Polycom SIP Phones”
  1. Eric Truax says:

    Is the 4.1 release GA yet? I can't seem to find it on I'm trying to setup soundpoint IP 321 phone for testing in the lab.

    • jeffschertz says:

      Eric, as mentioned in the other articles the 4.1.0 Lync-only release for the SoundPoint phones can only be provided through your partner, it was not made available for public download. Future releases which support either Lync or Open SIP registration will be provided on the public download pages (like 4.1.2 for the VVX 500). The Lync-only releases are a limited release to prevent the massive amount of existing Open SIP deployments from unknowingly upgrading to a version that is only supported and tested for Lync registration.

  2. Vince Lance says:

    I am getting almost the same error except that I am getting this instead of connect error 1

    000027.708|sip |4|00|MakeTlsConnection: SSL_connect error 5
    000027.708|sip |4|00|MakeTlsConnection: connection failed error -1

    Do you have any idea what it means?

    • Glen Kösters says:

      Exact same problem here

      • Dave M says:

        I'm having the same issue as the gentlemen above. Exported my internal root CA from Lync FE server in Base64 format and imported it in my VVX500 web interface in Application CA 1. Seeing the same messages in diagnostic logging.

        0113014747|sip |4|00|MakeTlsConnection: SSL_connect error 5
        0113014747|sip |4|00|MakeTlsConnection: connection failed error -1

        • jeffschertz says:

          If you have more than 1 certificate in your root chain you should import all of them into separate slots in the phone.

  3. Magali Sourbes says:

    How do you import for a CX600 or CX500?

  4. Daniel says:

    I am unsuccessful at browsing to the phone's IP address.
    Can you provide instructions?
    I tried http, https.
    What am I missing?

    • jeffschertz says:

      It's as simple as entering the phone's IP address in a browser, and both HTTP and HTTPS connections are supported, so you may have a network connectivity issue or bad firmware and/or phone.

      • David says:

        Sometimes if you have a very modern browser and very old phone firmware you can use compatibility mode to get the web page to show up or respond…

  5. TDN says:

    I get the following error in my SoundPoint IP 331 phone with Lync Server 2013. Users cannot register into Lync.

    0704112527|sip |4|03|CTcpSocket::TlsListenThread: SSL_get_error Error code=5
    0704112527|sip |4|03|TLS Listen Thread Exit
    0704112527|sip |5|03|Send SSL_get_error nLen -1 nError 5 = error:00000000:lib(0):func(0):reason(0)
    0704112633|cfg |4|03|Prov|Unknown suboption received for DHCP option 43

    My firmware details are as below.
    UC Software Version
    BootROM Software Version

    The problem is that this does not happen in the previous firmware (

    Thanks in advance.

  6. WTS says:

    Hi Jeff

    I've been on this issue for a day or two now. Ever since we had to remove an expired digicert root cert this weekend and run the util to ensure all new root certs are added, we have had issues. Our CX3000's were simple enough to fix, running a hardreset removed the cached root cert chain and they now auto discover fine.
    The cx5500, new or old, or factory reset still have an issue. I have tried the steps above and imported the entire root chain manually and still receive the error below. We did not get the certificate issue you have above, but have always had the same error listed in our logs below. Any pointers would be great!
    0730181429|so |4|03|[soRegistrationC] Login Credentials valid causing SoRegEventLine Changed
    0730181429|cfg |4|03|Prov|Unknown suboption received for DHCP option 43

    0730181429|cfg |4|03|Prov|Unknown suboption received for DHCP option 43

    0730181430|sip |*|03|dhcpOption120LyncQuery
    0730181430|utilm|4|03|uBLFUnCompressed: File /data/polycom/ffs0/Config/Local/WebTicket/0/certProvSvc.mex doesn't exist or is empty
    0730181430|app1 |*|03|SoRegistrationEventLineChanged – success lineIndex 0 RegListSize 0
    0730181430|app1 |*|03|SoRegistrationEventLast – new AppRegLineC, Default user
    0730181430|tickt|5|03|soWebticketGetAllUserInfo: soWebTicketServersGet Failed
    0730181430|sip |*|03|Sip Register Usr:CX5500 Dsp:CX5500 Auth:'Using Login Cred' Inx:0

    Thanks in advance!

  7. Nathan says:

    Good afternoon, I have been working all week to get the Pin Authentication working on our VVX 500s. I have followed this and several of your other blog posts to get us to where we are now. I can authenticate with user credentials fine on the device but the Pin fails and one of the messages we receive from the phone logs is : /ffs0/Config/Local/WebTicket/0/certProvSvc.mex doesn't exist or is empty. As well as the GetRootCertChain failed. I am at a loss as to where to go from here.

    • Jeff Schertz says:

      Nathan, does PIN Authentication work on any Lync Phone Edition devices (assuming you have some)?

      • Nathan says:

        No. The only other phones we have are 2 Cx600’s, which we paired via USB, a majority of the phones that are deployed are the vvx 500’s. In the past we simply used the Web interface to program the VVX’s. The need has come up to have the Pin authentication working since our client has multiple offices their staff rotate through.

        • Nathan says:

          here is the log from our most recent test:

          1117125737|cfg |5|00|Prm|Parameter reg.x.auth.useLoginCredentials requested type 2 but is of type 7
          1117125737|cfg |4|00|Web|[cfgSaProcessRequestC::signInToLync] Successfully updated the PIN Auth Login credentials
          1117125737|so |4|00|[soRegistrationC] Login Credentials valid causing SoRegEventLine Changed
          1117125739|app1 |*|00|SoRegistrationEventLineChanged – success lineIndex 0 RegListSize 0
          1117125739|app1 |*|00|SoRegistrationEventLast – new AppRegLineC, Default user
          1117125741|sip |*|00|dhcpOption120LyncQuery numList [1]
          1117125741|utilm|4|00|uBLFUnCompressed: File /ffs0/Config/Local/WebTicket/0/certProvSvc.mex doesn’t exist or is empty
          1117125741|utilm|4|00|uBLFUnCompressed: File /ffs0/Config/Local/WebTicket/0/certProvSvc.mex doesn’t exist or is empty
          1117125741|tickt|5|00|soRootCertGet: couldn’t get the GetRootCertChainURL
          1117125741|tickt|5|00|soWebticketGetAllUserInfo: soWebTicketPinAuthGetRootCertChain Failed
          1117125741|sip |*|00|Sip Register Usr:VVX500 Dsp:VVX 500 Auth:’Using Login Cred’ Inx:0
          1117125741|cfg |5|00|Prm|Parameter genband.E911.registration.line requested type 2 but is of type 0

          • Bryan says:

            10 months later, we are seeing the exact same error. How did you resolve the issue?

  8. Dave Simm says:

    Hi Jeff. Have you got any guides on configuration of device certificates via provisioning server (for purposes of 802.1x authentication with Lync)?



  9. Khaled Nafea says:

    Hi Jeff,

    I have the same issue of the root CA not being trusted, but the scenario is different: the phones worked fine for more than 2 years, and now we changed the internal Root CA infrastructure and use new PKI servers, and after requesting certificates for all Lync Front End servers from the new CA, the VVX 400 phones didn’t add the new Root CA and did not work.

    Manual import of the new CA works fine but is not an option as we have more than 2000 phones, but we can use our IIS provisioning server to deploy that.

    Why didn’t the phone add the new root CA or even replace the old CA with the new root CA?


  10. riyas says:

    After Install my RootCA from my local CA Server,

    But username mismatch when polycom device contact to My radius server,

  11. riyas says:

    How to install device certificate manually

  12. Dave says:

    I’ve been unsuccessful in getting a VVX 501 connected to my on prem SfB environment and a test cloud account. It’s at the latest firmware version. I can, however, get Polycom Trios connected.

    I noticed the cert order on the Trios is different – the CA cert is in the Application CA 6 field with subordinate certs moving up the list, where on the VVX 501, the CA cert is in the Application CA1 field with subordinates moving down the list. I found it strange that the order is different, but so far it’s the only thing I see different between the two.
