How does telephony devices get
Root CA installed
Office Communicator 2007 Phone Edition gets Root CA?
communications between Office Communicator 2007 Phone
Edition and Office Communications Server 2007 is
encrypted (by TLS and SRTP), therefore the Office
Communicator 2007 Phone Edition needs to have trusted
root CA of the certificate configured on the office
communications server 2007.
Communications Server 2007 does have public certificate
configured, the Office Communicator 2007 Phone Edition
will have the required root CAs, and we don’t need to do
anything in this regard.
Communications Server 2007 has private certificate (a
certificate issued by internal CA) configured, the
Office Communicator 2007 Phone Edition needs the
corresponding root CA (or CA chain) installed on it.
Communicator 2007 Phone Edition has ability to search
the internal Root Ca and if found, these devices can
download the same (provided required setting is there in
Communicator 2007 Phone Edition will search for an
Active Directory object “CertificationAuthority”, if it
gets the object; it looks for the attribute “caCertificate”.
This is the attribute which holds the Root CA cert. once
it gets “CaCertificate”, it installs it. You need to run
the following command in order to ensure that
“caCertificate” attribute does have proper root CA
certutil -f -dspublish
<Root CA certificate in .cer file> RootCA.
Office Communicator 2007 Phone Edition couldn’t install
root CA certificate using above method, it will search
for another Active Directory object
“pKIEnrollmentService” in the configuration naming
context. If search is successful (Certificate
Autoenrollment should be enabled in Active Directory for
that), it will look for the attribute “dNSHostName” to
get the reference of root CA. Once it got reference of
the root CA, it’ll use the Web interface of the
Microsoft Certificates Service to retrieve the Root CA
certificate using the HTTP GET command
neither of these methods succeeds the device will
present the error message "Cannot validate server
certificate" and the user will not be able to use it.
See how to enable Certificate AutoEnrollment in Active
How to make the Root CA certificate available for Office
Communicator 2007 Phone Edition? : By Jens.
Microsoft Communicator Phone Edition Deployment Guide