How to make the Root CA certificate available for Office Communicator 2007 Phone Edition?

  • Article

Communication between the Office Communicator 2007 Phone Edition device (LG-Nortel model and Polycom model) and Office Communications Server 2007 is by default encrypted using TLS and SRTP. Therefore the device needs to trust certificates presented by OCS 2007 servers. If the OCS 2007 servers use public certificates they will most like be automatically trusted by the device, since it contains the same list of trusted CA's as Windows CE. However since most OCS 2007 deployments use internal certificates for the internal OCS 2007 server roles there is a need to install the Root CA certificate from the internal CA to the device. It is not possible to manually install the Root CA certificate on the device, so it needs to come via the network. Office Communicator 2007 Phone Edition is able to download the certificate using two methods.

The device will search for AD objects of category certificationAuthority. If the search returns any objects it will use the attribute caCertificate. That attribute is assumed to hold the certificate and the device will install the certificate. So how do one get the Root CA certificate placed in the caCertificate attribute? Quite simple - you use the command certutil -f -dspublish <Root CA certificate in .cer file> RootCA. This command will publish the certificate as required by Office Communicator 2007 Phone Edition.

If the search for AD objects of category certificationAuthority does not return any or if the objects have empty caCertificate attributes the device will search for AD objects of category pKIEnrollmentService in the configuration naming context. Such objects exists if Certificate AutoEnrollment has been enabled in Active Directory. If the search returns any objects it will use the dNSHostName attribute returned to reference the CA and it will then use the Web interface of the Microsoft Certificates Service to retrieve the Root CA certificate using the HTTP GET command https://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64.

If neither of these methods succeeds the device will present the error message "Cannot validate server certificate" and the user will not be able to use it.