Odd Cert Problem RRS feed

  • Question


    I got public certificates from DigiCert because it was on the microsoft recommended list. ( they indirectly come from Entrust)


    These certs work fine for Edge interfaces, my clients dont have to install the certs.

    And the polycom CX700's trust them for phone calls, so we have no issue there.


    The really odd thing is the CX700 phones do not trust the CA for the UpdateServer.

    And the cert is issued from DigiCert.


    CX700 shows

    Last Update Status: (0x2f0d/0) 


    which as far as i can tell is ERROR_INTERNET_INVALID_CA.

    I set my update server URL to a verisign cert on another domain, and it was able to connect without issue.


    Im guessing the WinInet layer of Windows CE does not follow the full certification path, yet the RTC stack does?


    Can someone elaborate on this..

    Its really frustrating if im going to have to get certs from 2 different providers on this.


    The strange part to me is that the phone has no problems accessing the Exchange autodisovery service( which is just a SAN name on the cert )... , getting voicemail, etc..

    yet it has such problems with the UpdateService.





    Monday, January 7, 2008 7:15 PM

All replies

  • Try to Import the root Cetificate of DigiCert to the Polycom CX 700

    Tuesday, February 5, 2008 11:50 AM

    In this case you dont seem to have much options. Either you install the root CA of digicert in the phone or use the verisign certs!!!




    Ram K Ojha
    MCSE 2003 - Messaging, MCTS- (LCS 2005 & OCS 2007)
    Wednesday, February 6, 2008 1:43 AM
  • I have a LG-Nortel IP8540 that I use primarily from the Internet and also have a certificate for our Update Service from DigiCert. I have had the same error message as you describe above since we installed our Update Service in December 2007. On the phone System Information screen:

        Last Update Status: (0x2f0d/0)

    We use ISA 2006 as our reverse proxy so that is where the TLS connection for the Update Service is first connected. This should also work for other reverse proxy devices as long as they are capable of importing a certificate.

    In general you need to obtain a copy of the "DigiCert Global CA" and install it as an Intermediate certificate on the first server that terminates the TLS connection. This is the 12-step program I used to get the Intermediate certificate and install it.

    1.) On the ISA 2006 server (or first server that terminates the TLS connection) open an mmc console and add Certificates (Local Computer)
    2.) In the mmc, navigate to Personal -> Certificates
    3.) Double-click on any one of the certificates issued by "
    DigiCert Global CA".
     Select the Certification Path tab.
    5.) Double-click on "
    DigiCert Global CA" and select the Details tab.
    6.) Select "Copy to File..." ,  "Next" , "Next", C:\DigiCertGlobalCA.cer , "Next", Finish, OK, OK, OK.
    7.) You now have a copy of the Intermediate certificate.
    8.) In the mmc, navigate to Intermediate Certificatation Authorities -> Certificates
    9.) Right-click on the Certificate folder and select All Tasks -> Import...
    10.) "Next", C:\DigiCertGlobalCA.cer , "Next", "Next", Finish, OK.
    11.) You should now see "
    DigiCert Global CA" in the list of Intermediate certificates
    12.) You must now reboot the ISA 2006 server for the change to take affect.

    To test the fix, power off your Internet connected Polycom or LG-Nortel phone and wait a few seconds then plug it back in. After you log back into the phone goto the System Information screen and you should now see:

        Last Update Status: (0x0/200)

    I am also now able to send logs from the phone to the update server.

    Hope this works for all of you!
    Sunday, January 11, 2009 5:06 AM