Security certificates are an important element in deploying a solution that ensures the integrity and privacy of communications involving Polycom UC Software devices.

Poly phones come with an authenticated, "built-in" device certificate that you can use. You can also choose to customize your security by requesting additional certificates from a certificate authority of your choice.

You can customize security configuration options to determine the type of device certificate used for each of the secure communication options. By default, all operations use the factory-installed device certificate unless you specify otherwise.

Note: You can install custom device certificates on your phones in the same way custom CA certificates are installed. See Technical Bulletin 17877: Using Custom Certificates With Polycom Phones on Polycom Support for more information.
Certificates are used in the following situations:
  • Mutual TLS Authentication, which allows a server to verify that a device is truly a Poly device (and not a malicious endpoint or software masquerading as a Poly device). This can be used for tasks such as provisioning or SIP signaling over TLS. For example, certain partner provisioning systems use Mutual TLS, as does Polycom® Zero Touch Provisioning (ZTP).
  • Secure HTTP (HTTPS) access to the web server on the phone at https://<IP ADDRESS OF PHONE>. The web server is used for certain configuration and troubleshooting activities.
  • Secure communications using the Polycom Applications API.
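
The server side of the Mutual TLS check described above, as an added example (not Poly or partner code): a provisioning server that rejects clients without a device certificate and then ties the verified certificate to the file being requested. It assumes the device certificate's commonName carries the phone's MAC address and that per-phone files are named by MAC; the function names, sample certificate, and file paths are hypothetical.

```python
import posixpath
import re
import ssl

def build_provisioning_context(server_cert=None, server_key=None, device_ca=None):
    """Server-side context for mutual TLS: no valid device cert, no handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if server_cert:
        ctx.load_cert_chain(server_cert, server_key)
    if device_ca:
        # Trust only the CA that issues device certificates, not the system store.
        ctx.load_verify_locations(cafile=device_ca)
    return ctx

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    digits = re.sub(r"[:\-.]", "", value or "")
    return digits.lower() if re.fullmatch(r"[0-9A-Fa-f]{12}", digits) else None

def peer_common_name(peercert):
    """Extract commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def device_matches_request(peercert, requested_path):
    """True only when the certificate's MAC equals the MAC in the file name.

    Assumption (not from the page): CN holds the MAC, files are <MAC>[-suffix].cfg.
    """
    cert_mac = normalize_mac(peer_common_name(peercert))
    name = posixpath.basename(requested_path)
    file_mac = normalize_mac(re.split(r"[-.]", name, maxsplit=1)[0])
    return cert_mac is not None and cert_mac == file_mac

# Constructed sample in getpeercert() format (not a real device certificate).
SAMPLE_PEERCERT = {"subject": ((("organizationName", "Example Org"),),
                               (("commonName", "0004F2ABCDEF"),))}
```

Requiring the certificate alone proves the client is a genuine device; the second check stops one genuine device from fetching another device's configuration.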
There are different options for using device certificates on the phone:
  • Two Platform Device Certificates — You can configure these certificates for any of the following purposes: 802.1X Authentication, provisioning, syslog, SIP signaling, browser communications, presence, and LDAP. Certificates for syslog, 802.1X, and provisioning must be applied using TLS platform profiles.
  • Six Application Device Certificates — You can configure these certificates for all the same operations as the platform certificates listed above. However, you can’t use TLS application profiles to apply certificates for 802.1X, syslog, and provisioning.