Communication between the Communicator Phone Edition and Office Communications Server 2007 is by default encrypted using TLS and SRTP. Therefore the device needs to trust certificates presented by Communications Server 2007 servers. If you're using a well known Public Root CA (see table below), the certificate will automatically be trusted by the device.
If you're using your own private Root CA the device may or may not trust the certificate. Communicator Phone Edition will query AD for objects of category certificationAuthority (CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, DC=<domain>, DC=<tld>). If the query does not return any object or if the objects have empty caCertificate attributes the device will search for AD objects of category pKIEnrollmentService.
If you deployed Windows Certificate Services on a domain member server, that server will probably be already published. If not, to have the Root CA certificate placed in the caCertificate attribute, use the following command:
certutil -f -dspublish <Root CA certificate in .cer file> RootCA
Jens Trier Rasmussen has a nice blog post about this procedure.
But now imagine that you use a private certificate with a deep certificate path, how would you add the full certificate chain to AD?
I first came up with this problem recently, when I had to use a certificate from Saphety, a Portuguese public Certification Authority. Although Saphety certificates are generally trusted, since they are signed by ValiCert, this particularly long certification path (see figure below) was causing problems when used with Communicator Phone Edition. The symptoms were the same as if the certificate was not trusted.
The solution is to publish the whole certificate chain (both the Root CA and all subordinated CAs) in Active Directory. Here are the detailed steps:
And that's it. Communicator Phone Edition should now be able to download the certificate from OCS and trust it. For more information, read Microsoft Communicator Phone Edition Deployment Guide.
I recently had to upgrade 2 LG-Nortel IP Phone 8540 (aka Tanjay or OCPE) to the latest firmware available:
Is it possible to publish to domain below root? Eg root domain is bigcorp.com with branch sub domain country.bigcorp.com and OCS is in country.bigcorp.com... If I try certutil -dspublish (as in the examples) it tries to publish to root domain which I have no access (and no permission) to modify.