How do telephony devices get a Root CA installed?
How does Office Communicator 2007 Phone Edition get a Root CA?
Because communication between Office Communicator 2007 Phone Edition and Office Communications Server 2007 is encrypted (by TLS and SRTP), the Office Communicator 2007 Phone Edition must trust the root CA of the certificate configured on the Office Communications Server 2007.
If Office Communications Server 2007 has a public certificate configured, Office Communicator 2007 Phone Edition already has the required root CAs and nothing further needs to be done.
If Office Communications Server 2007 has a private certificate (a certificate issued by an internal CA) configured, Office Communicator 2007 Phone Edition needs the corresponding root CA (or CA chain) installed on it.
Office Communicator 2007 Phone Edition is able to search for the internal root CA and, if it is found, download it (provided the required settings are in place in the network).
Office Communicator 2007 Phone Edition searches Active Directory for a “CertificationAuthority” object. If it finds the object, it looks for the attribute “caCertificate”, which is the attribute that holds the root CA certificate. Once it has the “caCertificate” value, it installs it. Run the following command to ensure that the “caCertificate” attribute holds the proper root CA certificate:

    certutil -f -dspublish <Root CA certificate in .cer file> RootCA
If Office Communicator 2007 Phone Edition cannot install the root CA certificate using the method above, it searches for another Active Directory object, “pKIEnrollmentService”, in the configuration naming context. If the search succeeds (Certificate Autoenrollment must be enabled in Active Directory for this), it reads the attribute “dNSHostName” to get the DNS host name of the CA. With that host name, it uses the Web interface of Microsoft Certificate Services to retrieve the root CA certificate with an HTTP GET of:

    http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64
If neither of these methods succeeds, the device presents the error message "Cannot validate server certificate" and the user will not be able to use it.
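The following PowerShell is an added diagnostic, not code from the original article: it walks the same two lookups the phone performs (the “caCertificate” attribute of “CertificationAuthority” objects, then “pKIEnrollmentService” / “dNSHostName” and the certsrv download) so an administrator can confirm what the device will find before it is deployed. The function name Test-OcpeRootCaPublication is my own; it assumes it runs as a domain user on a domain-joined Windows machine and that X509Certificate2Collection.Import can decode the base64 PKCS#7 bundle the Web interface returns.

```powershell
# Added diagnostic, not from the original article. Function name is mine.
# Assumes it runs as a domain user on a domain-joined Windows machine.
function Test-OcpeRootCaPublication {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties["configurationNamingContext"][0]
    $inAd     = @{}   # thumbprint -> subject of every CA cert found via method 1

    # Method 1: certificationAuthority objects and their caCertificate values
    # (this is where "certutil -f -dspublish <cert.cer> RootCA" writes the cert)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$configNc"
    $s.Filter = "(objectClass=certificationAuthority)"
    [void]$s.PropertiesToLoad.AddRange(@("distinguishedName", "caCertificate"))
    foreach ($r in $s.FindAll()) {
        $dn = $r.Properties["distinguishedname"][0]
        if ($r.Properties["cacertificate"].Count -eq 0) {
            Write-Warning "$dn has an empty caCertificate attribute"
            continue
        }
        foreach ($raw in $r.Properties["cacertificate"]) {
            $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
            $selfSigned = ($cert.Subject -eq $cert.Issuer)   # a root CA issues its own certificate
            Write-Host ("{0}: {1} self-signed={2} expires={3}" -f $dn, $cert.Subject, $selfSigned, $cert.NotAfter)
            $inAd[$cert.Thumbprint] = $cert.Subject
        }
    }

    # Method 2: pKIEnrollmentService -> dNSHostName -> Web enrollment download
    $s.Filter = "(objectClass=pKIEnrollmentService)"
    [void]$s.PropertiesToLoad.Add("dNSHostName")
    $web = New-Object System.Net.WebClient
    $web.UseDefaultCredentials = $true
    foreach ($r in $s.FindAll()) {
        $caHost = $r.Properties["dnshostname"][0]
        $url = "http://$caHost/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64"
        try {
            $bytes = $web.DownloadData($url)
            $col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
            $col.Import($bytes)   # assumption: Import auto-detects the base64 PKCS#7 bundle
            foreach ($c in $col) {
                Write-Host ("{0} served {1} (also published in AD: {2})" -f $caHost, $c.Subject, $inAd.ContainsKey($c.Thumbprint))
            }
        } catch {
            Write-Warning "Web enrollment download from $caHost failed: $($_.Exception.Message)"
        }
    }
}
Test-OcpeRootCaPublication
```

A CA that appears in the Web download but not in the caCertificate output is one the phone can only obtain through the second, autoenrollment-dependent path; publishing it with certutil as described above closes that gap.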
Process Flow:

Related articles:
See how to enable Certificate AutoEnrollment in Active Directory
How to make the Root CA certificate available for Office Communicator 2007 Phone Edition? (by Jens)
Microsoft Communicator Phone Edition Deployment Guide