How do telephony devices get the Root CA installed?
How does Office Communicator 2007 Phone Edition get the Root CA?

Communications between Office Communicator 2007 Phone Edition and Office Communications Server 2007 are encrypted (with TLS and SRTP), so Office Communicator 2007 Phone Edition needs to trust the root CA of the certificate configured on the Office Communications Server 2007.

If Office Communications Server 2007 has a public certificate configured, Office Communicator 2007 Phone Edition already has the required root CAs, and nothing needs to be done in this regard.

If Office Communications Server 2007 has a private certificate (a certificate issued by an internal CA) configured, Office Communicator 2007 Phone Edition needs the corresponding root CA (or CA chain) installed on it.

Office Communicator 2007 Phone Edition is able to search for the internal root CA and, if it is found, download it (provided the required settings are in place in the network).

Office Communicator 2007 Phone Edition searches Active Directory for a “CertificationAuthority” object. If it finds the object, it looks for the “caCertificate” attribute, which is the attribute that holds the root CA certificate. Once it gets the “caCertificate” value, it installs it. Run the following command to make sure that the “caCertificate” attribute holds the proper root CA certificate:

certutil -f -dspublish <Root CA certificate in .cer file> RootCA

If Office Communicator 2007 Phone Edition cannot install the root CA certificate using the above method, it searches for another Active Directory object, “pKIEnrollmentService”, in the configuration naming context. If the search is successful (Certificate Autoenrollment needs to be enabled in Active Directory for that), it reads the “dNSHostName” attribute to get a reference to the root CA. Once it has that reference, it uses the Web interface of Microsoft Certificate Services to retrieve the root CA certificate with an HTTP GET of

http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64

If neither of these methods succeeds, the device presents the error message "Cannot validate server certificate" and the user will not be able to use it.
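Before rolling out phones, it helps to check from the server side that the two lookups described above would actually hand the device the right root. The following PowerShell script is an added example (not part of this post or of the Microsoft deployment guide): it reads the certificationAuthority and pKIEnrollmentService objects from the configuration partition, downloads the same certnew.p7b URL the phone requests, and compares every root it finds with the root of the certificate the OCS server presents. It assumes it runs on a domain-joined Windows host with read access to the configuration naming context, and that $OcsCertThumbprint (a placeholder) is replaced with the thumbprint of the OCS server certificate in LocalMachine\My.

```powershell
# Added check (not from the original post). Placeholder: replace with the
# thumbprint of the Office Communications Server 2007 certificate.
param([string]$OcsCertThumbprint = "REPLACE_WITH_OCS_CERT_THUMBPRINT")

$config = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pks    = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$config"

function Find-AdObjects([string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($pks, $Filter)
    $Props | ForEach-Object { [void]$s.PropertiesToLoad.Add($_) }
    $s.FindAll()
}

# Method 1: certificationAuthority objects and their caCertificate attribute
# (the attribute that "certutil -f -dspublish <cert> RootCA" populates).
$adRoots = foreach ($r in Find-AdObjects "(objectClass=certificationAuthority)" @("cACertificate")) {
    foreach ($der in $r.Properties["cacertificate"]) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    }
}

# Method 2: pKIEnrollmentService -> dNSHostName -> certsrv web download,
# requesting exactly the URL the phone would request.
$webRoots = foreach ($r in Find-AdObjects "(objectClass=pKIEnrollmentService)" @("dNSHostName")) {
    $dns = $r.Properties["dnshostname"][0]
    $wc = New-Object System.Net.WebClient; $wc.UseDefaultCredentials = $true
    try {
        $b64 = $wc.DownloadString("http://$dns/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64")
        # Drop the -----BEGIN/END----- lines, decode the base64 PKCS#7 bundle.
        $raw  = [Convert]::FromBase64String((($b64 -split "`n") -notmatch '^-----') -join '')
        $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $coll.Import($raw); $coll
    } catch { Write-Warning "certsrv download from $dns failed: $_" }
}

# Root of the chain the OCS server actually presents to the phone.
$ocsCert = Get-Item "Cert:\LocalMachine\My\$OcsCertThumbprint"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($ocsCert)
$ocsRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

"OCS server certificate root: $($ocsRoot.Subject) [$($ocsRoot.Thumbprint)]"
$roots = @($adRoots) + @($webRoots) | Where-Object { $_ }
foreach ($c in $roots) {
    $status = if ($c.Thumbprint -eq $ocsRoot.Thumbprint) { "MATCH" } else { "other" }
    "  {0,-6} {1} [{2}]" -f $status, $c.Subject, $c.Thumbprint
}
if (-not ($roots | Where-Object { $_.Thumbprint -eq $ocsRoot.Thumbprint })) {
    Write-Warning "Phones cannot obtain the OCS root CA from AD; publish it with certutil -dspublish."
}
```

If the script reports no MATCH, the device will fall through both lookups and show "Cannot validate server certificate" even though the CA itself is healthy.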
Process Flow:

Related articles:
See how to enable Certificate AutoEnrollment in Active Directory
How to make the Root CA certificate available for Office Communicator 2007 Phone Edition? (by Jens)
Microsoft Communicator Phone Edition Deployment Guide