
Yealink T48S phones download a CA certificate even when disabled

Last Modified: 2020-02-10
Skype for business 2015 Yealink T48S | Trusted Certificate
I need assistance with phones we recently purchased, all T48S handsets with Skype for business firmware.
 
I have tried all 3 latest available firmware and stuck with this version as it offered a simpler login screen for users.
[screenshot: firmware version]
Scenario:
Phones register correctly for as long as the trusted certificate is not present.
Periodically the handsets will populate with a CA certificate on line 1 even though everything is set to disabled below and then the users are unable to sign into the phones.

[screenshot: security settings page]

I did some googling and found this command, but it's only relevant for Skype for Business Online:
https://docs.microsoft.com/en-us/powershell/module/skype/set-csipphonepolicy?view=skype-ps

What is causing the phones to download the internal root domain CA certificate?


Commented:
Periodically the handsets will populate with a CA certificate on line 1 even though everything is set to disabled below and then the users are unable to sign into the phones.
I think you're misinterpreting what Disabled means on this screen.

The first setting is for Only Accept Trusted Certificates. The wording is the key here, it says nothing about refusing all certificates.

Straight from the T48S admin guide with respect to that setting:
If Enabled is selected, the IP phone will verify the server certificate based on the
trusted certificates list. Only when the authentication succeeds, the IP phone will trust
the server.
If Disabled is selected, the IP phone will trust the server no matter whether the
certificate received from the server is valid or not.

The second setting where you chose Disabled is Common Name Validation. This just gets into whether or not it will validate the Common Name on the certificate. Since you chose Disabled, it will simply skip the step of validating the Common Name.

From the admin guide for the T48S:
If Enabled is selected, the IP phone will verify the CommonName or subjectAltName
of the server certificate.
If Disabled is selected, the IP phone will not verify the CommonName or
subjectAltName of the server certificate.

What is causing the phones to download the internal root domain CA certificate?
Basically, it's always going to download this. What it does with it depends on your phone settings.

You might have to tweak the settings to something like this:
Only Accept Trusted Certificates: Enabled
CA Certificates: Default Certificates.

Also, delete that internal CA certificate from the phone.

That should prevent the phone from looking at the internal CA certificate, and also make the phone look solely at the built-in trusted certificates list (which should remain empty).
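To make the two settings concrete, here is an added example (not code from this thread or from Yealink) that maps "Only Accept Trusted Certificates" and "Common Name Validation" onto the equivalent knobs of a standard TLS client, using Python's ssl module, and implements the CommonName/subjectAltName check the admin guide describes. The settings class, the function names and the sample certificate dictionary are assumptions constructed for illustration; the certificate layout follows the shape returned by Python's getpeercert().

```python
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class PhoneTlsSettings:
    """Hypothetical model of the two phone settings discussed above."""
    only_accept_trusted: bool      # "Only Accept Trusted Certificates"
    common_name_validation: bool   # "Common Name Validation"
    use_default_ca_bundle: bool = True   # "CA Certificates: Default Certificates"
    custom_ca_file: Optional[str] = None


def build_client_context(settings: PhoneTlsSettings) -> ssl.SSLContext:
    """Translate the phone settings into an ssl.SSLContext.

    Disabled for "Only Accept Trusted Certificates" means the client trusts any
    server certificate (CERT_NONE), exactly as the admin guide says; it does not
    mean "refuse certificates".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if settings.only_accept_trusted:
        # check_hostname must be set before verify_mode in Python's ssl module.
        ctx.check_hostname = settings.common_name_validation
        ctx.verify_mode = ssl.CERT_REQUIRED
        if settings.use_default_ca_bundle:
            ctx.load_default_certs()
        if settings.custom_ca_file:
            ctx.load_verify_locations(settings.custom_ca_file)
    else:
        # Python refuses hostname checking without chain verification, so the
        # "trust everything" setting also disables the built-in name check;
        # hostname_matches() below can still be run on the peer cert afterwards.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a wildcard is allowed only as the whole
    left-most label and must leave at least two fixed labels (no '*.com')."""
    pat = pattern.lower().rstrip(".").split(".")
    hst = host.lower().rstrip(".").split(".")
    if len(pat) != len(hst):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and pat[1:] == hst[1:]
    return pat == hst


def hostname_matches(cert: dict, hostname: str) -> bool:
    """CommonName/subjectAltName check in the style of RFC 6125: DNS SANs take
    precedence; the CN is consulted only when the cert carries no DNS SAN."""
    dns_sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_sans:
        return any(_name_matches(p, hostname) for p in dns_sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def phone_accepts(settings: PhoneTlsSettings, chain_verified: bool,
                  cert: dict, hostname: str) -> bool:
    """Combine the two admin-guide rules: chain trust is only required when
    "Only Accept Trusted Certificates" is enabled, and the name check is only
    performed when "Common Name Validation" is enabled."""
    if settings.only_accept_trusted and not chain_verified:
        return False
    if settings.common_name_validation and not hostname_matches(cert, hostname):
        return False
    return True


# Constructed sample certificate, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "lyncfe01.corp.example"),),),
    "subjectAltName": (
        ("DNS", "lyncfe01.corp.example"),
        ("DNS", "*.corp.example"),
    ),
}

if __name__ == "__main__":
    lax = PhoneTlsSettings(only_accept_trusted=False, common_name_validation=False)
    strict = PhoneTlsSettings(only_accept_trusted=True, common_name_validation=True)
    print("lax accepts untrusted chain:", phone_accepts(lax, False, SAMPLE_CERT, "sip.corp.example"))
    print("strict accepts untrusted chain:", phone_accepts(strict, False, SAMPLE_CERT, "sip.corp.example"))
    print("strict accepts trusted chain, wildcard SAN:", phone_accepts(strict, True, SAMPLE_CERT, "sip.corp.example"))
```

The point the example makes is the one in the answer above: with both settings Disabled the phone accepts whatever certificate the server presents, so the presence of the internal CA certificate on the phone is not what blocks sign-in; the server-side certificate (as the asker later found) is the thing to check.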
Commented:
Good day,

I didn't manage to reply to this. The issue ended up being my frontend server and the certificate assigned to the internal web services.
After correcting this to the internal CA and rebooting the phones,
problem solved.
Reynaldo Sanchez

Commented:
I have exactly the same problem you had, could you please help me and tell me how you solved it?

I already tried the masnrock solution, but it didn't work

Thank you.