Root CA Certificate for Communicator Phone Edition
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Office Communications Server 2007 R2 relies on certificates to authenticate servers and to establish a chain of trust between clients and servers and among the different server roles. By default, communication between Communicator Phone Edition and Office Communications Server 2007 R2 is encrypted by using TLS (for signaling) and SRTP (for media). The device must therefore be able to validate the certificates presented by Office Communications Server 2007 R2 servers: without a trusted root certificate on the device, it cannot establish the TLS-secured connection that every call on the network depends on.
Publicly Hosted Certificate Authority Solution
If the Communications Server 2007 R2 servers use public certificates, those certificates will generally be trusted by the device automatically, because the device ships with the same list of trusted root CAs as Windows CE. Whether a particular public certificate is trusted depends on whether its root is in that list; the table at the end of this topic lists the public root certificates that are trusted by Communicator Phone Edition.
Privately Hosted Certificate Authority Solution
Most Office Communications Server 2007 R2 deployments use certificates from an internal (enterprise) CA for the internal server roles. In these deployments, the Root CA certificate of that internal CA must be installed on the device. Because you cannot install a certificate on the device manually, the certificate has to reach the device over the network.
Communicator Phone Edition tries to obtain the certificate from the network by using the following two methods, in this order:
First, the device searches Active Directory for objects of category certificationAuthority. These objects live in the Configuration naming context, under CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration. If the search returns any objects, the device reads their caCertificate attribute, assumes that it holds the Root CA certificate, and installs that certificate.
The Root CA certificate must therefore be published in the caCertificate attribute for Communicator Phone Edition to find it. To place it there, run the following command from an account that can write to that container (by default, a member of Enterprise Admins):
certutil -f -dspublish <Root CA certificate .cer file> RootCA
Second, if the search for certificationAuthority objects returns no objects, or the objects it returns have empty caCertificate attributes, the device searches the Configuration naming context for objects of category pKIEnrollmentService. Such objects exist when an Enterprise CA has been installed in the forest (they are also what certificate autoenrollment relies on). If the search returns any objects, the device takes the dNSHostName attribute of each to identify the CA server and retrieves the Root CA certificate from that server's Certificate Services Web enrollment site (/certsrv) with an HTTP GET for
http://<dNSHostName>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64
Note that this request is sent over plain HTTP, using the signed-in user's credentials, so the Web enrollment role must be installed on that CA and reachable over HTTP from the device's network.
If neither method yields a certificate, the device displays the error message "Cannot validate server certificate" and the user cannot use the device.
Communicator Phone Edition Certificates
The following considerations apply to certificates for Communicator Phone Edition:
- By default, Communicator Phone Edition uses Transport Layer Security (TLS) for signaling and Secure Real-time Transport Protocol (SRTP) for media.
- Requirement: the device must trust the certificates presented by Office Communications Server 2007 R2 and Exchange Server 2007 servers.
- Requirement: the Root CA certificate chain must reside on the device.
- No manual installation of certificates on the device is possible.
- Options:
  - Use public certificates: the public root certificates are preloaded on the device (see Table 1).
  - Use enterprise certificates: the device receives the Root CA chain from the network, as described above.
Enterprise Root CA Chain
Communicator Phone Edition can find the certificate either through the public key infrastructure (PKI) auto-enrollment object (pKIEnrollmentService) in Active Directory Domain Services or through a well-known distinguished name (DN) in the Configuration naming context.
Enable PKI auto-enrollment through an Enterprise CA:
- The device makes an LDAP request to find the pKIEnrollmentService object and, from it, the CA server address, and then downloads the certificate over HTTP from the Windows CA's /certsrv site by using the user's credentials.
Or publish the Root CA certificate to the Configuration NC with certutil -f -dspublish "<path to .cer file>" RootCA, which places it under the well-known DN:
- CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<AD Domain>
The LDAP request for the auto-enrollment method uses BaseDN CN=Configuration,DC=<Domain> with the filter (objectCategory=pKIEnrollmentService) and reads the dNSHostName attribute. Be aware that the device then downloads the certificate with a plain HTTP GET for http://<dNSHostName>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64, so the CA's Web enrollment pages must be reachable from the device's network over HTTP.
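The following script is an added example, not code from the original Microsoft page: it performs the same two lookups the device performs, in the same order as described in the two sections above (the certificationAuthority/caCertificate search first, then the pKIEnrollmentService/dNSHostName search followed by the HTTP GET), and reports every root certificate a device on this forest would end up installing. It assumes Windows PowerShell on a domain-joined machine, run as a user who can read the Configuration naming context and reach the CA's /certsrv site; $ExpectedThumbprint is a placeholder for the SHA-1 thumbprint of your own internal root CA.

```powershell
# Added example (not from the original page). Emulates the two lookups that
# Communicator Phone Edition performs and shows which root(s) it would trust.
# Assumptions: Windows PowerShell on a domain-joined machine; the caller can
# read the Configuration NC and reach the CA's /certsrv site over HTTP;
# $ExpectedThumbprint is a placeholder for your internal root CA's thumbprint.
param(
    [string]$ExpectedThumbprint = 'REPLACE-WITH-YOUR-ROOT-CA-THUMBPRINT'
)

Add-Type -AssemblyName System.Security   # SignedCms (PKCS#7 parsing) lives here

$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext

function Search-ConfigNc {
    # Same search the device makes: base = Configuration NC, caller-supplied filter.
    param([string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 200
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

function New-RootRecord([string]$Source, $Cert) {
    [pscustomobject]@{
        Source     = $Source
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        KeyBits    = $Cert.PublicKey.Key.KeySize
    }
}

$trusted = @()

# Method 1: certificationAuthority objects that carry a caCertificate value.
foreach ($r in Search-ConfigNc '(objectCategory=certificationAuthority)' @('caCertificate', 'distinguishedName')) {
    foreach ($blob in $r.Properties['cacertificate']) {
        if (-not $blob -or $blob.Length -eq 0) { continue }   # empty attribute: device skips it
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$blob)
        $trusted += New-RootRecord "LDAP $($r.Properties['distinguishedname'][0])" $cert
    }
}

# Method 2, only when method 1 found nothing: pKIEnrollmentService -> dNSHostName -> HTTP GET.
if ($trusted.Count -eq 0) {
    foreach ($r in Search-ConfigNc '(objectCategory=pKIEnrollmentService)' @('dNSHostName')) {
        $ca  = $r.Properties['dnshostname'][0]
        $url = "http://$ca/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64"
        try {
            # The device sends the user's credentials; -UseDefaultCredentials mirrors that.
            $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
            $body = $resp.Content
            if ($body -is [byte[]]) { $body = [Text.Encoding]::ASCII.GetString($body) }
            # Enc=b64 yields Base64 text, possibly wrapped in -----BEGIN/END----- lines.
            $b64 = ($body -split "`r?`n" | Where-Object { $_ -and $_ -notmatch '^-----' }) -join ''
            $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
            $cms.Decode([Convert]::FromBase64String($b64))
            foreach ($cert in $cms.Certificates) { $trusted += New-RootRecord "HTTP $url" $cert }
        } catch {
            Write-Warning "GET $url failed: $($_.Exception.Message)"
        }
    }
}

if ($trusted.Count -eq 0) {
    Write-Warning 'Neither lookup returned a certificate: the device would report "Cannot validate server certificate".'
}

# Everything listed here is what the device will install as a trusted root, so any
# entry other than the expected root needs an explanation before devices go live.
foreach ($t in $trusted) {
    $status = if ($t.Thumbprint -eq $ExpectedThumbprint) { 'expected' } else { 'UNEXPECTED' }
    if ($t.NotAfter -lt (Get-Date)) { $status += ', expired' }
    $t | Add-Member -NotePropertyName Status -NotePropertyValue $status
}
$trusted | Format-Table Status, Subject, Thumbprint, NotAfter, KeyBits, Source -AutoSize
```

Run it after publishing the root with certutil and again after any CA change. Because the device installs whatever it finds, a row marked UNEXPECTED means a certificate that devices would trust as a root; the same reasoning applies to the accounts that can write the caCertificate attribute of those objects or the dNSHostName of the enrollment-service object, so their ACLs deserve the same review as the CA itself.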
Trusted Authorities Cache
Table 1 lists the public certificates that are trusted by Communicator Phone Edition.
Table 1. Public certificates
| Vendor | Certificate name | Expiry date | Key length (bits) |
|---|---|---|---|
| Comodo | AAA Certificate Services | 12/31/2020 | 2048 |
| Comodo | AddTrust External CA Root | 5/30/2020 | 2048 |
| Cybertrust | Baltimore CyberTrust Root | 5/12/2025 | 2048 |
| Cybertrust | GlobalSign Root CA | 1/28/2014 | 2048 |
| Cybertrust | GTE CyberTrust Global Root | 8/13/2018 | 1024 |
| VeriSign | Class 2 Public Primary Certification Authority | 8/1/2028 | 1024 |
| VeriSign | Thawte Premium Server CA | 12/31/2020 | 1024 |
| VeriSign | Thawte Server CA | 12/31/2020 | 1024 |
| VeriSign | Comodo | 1/7/2010 | 1000 |
| VeriSign | Class 3 Public Primary Certification Authority | 8/1/2028 | 1024 |
| Entrust | Entrust.net Certification Authority (2048) | 12/24/2019 | 2048 |
| Entrust | Entrust.net Secure Server Certification Authority | 5/25/2019 | 1024 |
| Equifax | Equifax Secure Certification Authority | 8/22/2018 | 1024 |
| GeoTrust | GeoTrust Global CA | 5/20/2022 | 2048 |
| GoDaddy | GoDaddy Class 2 Certification Authority | 6/29/2034 | 2048 |
| GoDaddy | http://www.valicert.com/ | 6/25/2019 | 1024 |
| GoDaddy | Starfield Class 2 Certification Authority | 6/29/2034 | 2048 |
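Before relying on the "public certificates are preloaded" option, it is worth checking rather than assuming that the chain of the certificate your server actually presents ends at one of the roots in Table 1. The script below is an added example, not code from the original page: it builds the chain of a certificate in the local machine store, identifies the root, and matches it against the certificate names from Table 1 (compared without whitespace, so "GoDaddy" matches a "Go Daddy" subject; the ambiguous "Comodo" row is left out because that word also appears in unrelated Comodo subjects). It assumes Windows PowerShell on the server, and $ServerCertThumbprint is a placeholder for the thumbprint of the certificate assigned to that server.

```powershell
# Added example (not from the original page). Checks whether the root of a
# server certificate's chain is one of the roots listed in Table 1 and whether
# that root is still usable. Assumptions: run on the OCS server in Windows
# PowerShell; $ServerCertThumbprint is a placeholder for the server cert's thumbprint.
param(
    [string]$ServerCertThumbprint = 'REPLACE-WITH-SERVER-CERT-THUMBPRINT'
)

# Certificate names copied from Table 1 (the "Comodo" row under VeriSign is omitted,
# since it would match any Comodo-issued subject and cause false positives).
$deviceTrustedRoots = @(
    'AAA Certificate Services', 'AddTrust External CA Root', 'Baltimore CyberTrust Root',
    'GlobalSign Root CA', 'GTE CyberTrust Global Root',
    'Class 2 Public Primary Certification Authority', 'Thawte Premium Server CA',
    'Thawte Server CA', 'Class 3 Public Primary Certification Authority',
    'Entrust.net Certification Authority (2048)',
    'Entrust.net Secure Server Certification Authority',
    'Equifax Secure Certification Authority', 'GeoTrust Global CA',
    'GoDaddy Class 2 Certification Authority', 'http://www.valicert.com/',
    'Starfield Class 2 Certification Authority'
)

function Normalize([string]$s) { ($s -replace '\s', '').ToLowerInvariant() }

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ServerCertThumbprint }
if (-not $cert) { throw "No certificate with thumbprint $ServerCertThumbprint in LocalMachine\My" }

# Build the chain as Windows sees it; revocation is irrelevant to the question asked here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$rootSubject = Normalize $root.Subject
$match = $deviceTrustedRoots | Where-Object { $rootSubject.Contains((Normalize $_)) } | Select-Object -First 1

$note = if (-not $match)                            { 'Root is not in Table 1: the device will not trust this chain' }
        elseif ($root.NotAfter -lt (Get-Date))      { 'Root has expired' }
        elseif ($root.PublicKey.Key.KeySize -lt 2048) { 'Root key is shorter than 2048 bits' }
        else                                        { 'OK' }

[pscustomobject]@{
    ServerCert   = $cert.Subject
    ChainLength  = $chain.ChainElements.Count
    Root         = $root.Subject
    SelfSigned   = ($root.Subject -eq $root.Issuer)
    InDeviceList = [bool]$match
    RootExpires  = $root.NotAfter
    RootKeyBits  = $root.PublicKey.Key.KeySize
    Note         = $note
}
```

The check matches on the root's subject name only, which is what Table 1 provides; the device's own cache is keyed by the actual certificate, so a reissued root with the same name but a different key would still fail on the device even though this script reports a match.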