Certificates

Security certificates are an important element in deploying a solution that ensures the integrity and privacy of communications involving Polycom® UC Software devices.

Polycom phones are installed with a Polycom-authenticated “built-in” device certificate that you can use, or you can customize your security by requesting additional certificates from a certificate authority of your choice.

You can customize security configuration options to determine which type of device certificate is used for each of the secure communication options. By default, all operations use the factory-installed device certificate unless you specify otherwise.

Note: You can install custom device certificates on your Polycom phones in the same way custom CA certificates are installed. See Technical Bulletin 17877: Using Custom Certificates With Polycom Phones for more information.

Certificates are used in the following situations:
  • Mutual TLS Authentication: Allows a server to verify that a device is truly a Polycom device (and not a malicious endpoint or software masquerading as a Polycom device). This could be used for tasks like provisioning or SIP signaling over TLS. For example, certain partner provisioning systems use Mutual TLS, as does Polycom® Zero Touch Provisioning (ZTP).
  • Secure HTTP (https) access to the web server on the phone at https://<IP ADDRESS OF PHONE>. The web server is used for certain configuration and troubleshooting activities.
  • Secure communications utilizing the Polycom Applications API.

There are different options for utilizing device certificates on the phone:
  • Two platform device certificates. These certificates are loaded onto the device by the system administrator and can be configured to be used for any of the following purposes: 802.1X Authentication, provisioning, syslog, SIP signaling, browser communications, presence, and LDAP. Certificates for syslog, 802.1X, and provisioning must be applied using TLS platform profiles.
  • Six application device certificates. These certificates are loaded onto the device by the system administrator and can be used for all of the operations listed above for platform certificates. You cannot use TLS application profiles to apply certificates for 802.1X, syslog, and provisioning.
    Note: For details on installing digital credentials on VVX phones, see Device Certificates on Polycom SoundPoint IP, SoundStation IP, and VVX Phones: Technical Bulletin 37148 at Polycom Engineering Advisories and Technical Notifications.