Office Communications Server 2007 R2 relies on certificates to authenticate servers and to establish a chain of trust between clients and servers and among the different server roles. By default, communication between Communicator Phone Edition and Office Communications Server 2007 R2 is encrypted by using TLS and SRTP. Therefore, the device must be able to trust certificates presented by Communications Server 2007 R2 servers. A means must always exist for the VoIP client to create the TLS-secured connection that is required for audio communication on the network.

Publicly Hosted Certificate Authority Solution

If Communications Server 2007 R2 servers use public certificates, the certificates will most likely be automatically trusted by the device, because the device contains the same list of trusted CAs as Windows CE. The table at the end of this topic lists the public certificates that are trusted by Communicator Phone Edition.

Privately Hosted Certificate Authority Solution

Most Communications Server 2007 R2 deployments use internal certificates for the internal Office Communications Server 2007 R2 server roles. In these types of deployments, the Root CA certificate must be installed from the internal CA to the device. Because you cannot manually install the Root CA certificate on the device, the certificate must be downloaded to the device through the network.

Communicator Phone Edition downloads the certificate using the following methods:

  1. The device searches for Active Directory objects of category certificationAuthority. If the search returns any objects, the device reads their caCertificate attribute, which is assumed to hold the Root CA certificate, and installs that certificate.

    The Root CA certificate must be published in the caCertificate attribute for Communicator Phone Edition to find it. To place the Root CA certificate in the caCertificate attribute, use the following command:

    certutil -f -dspublish <Root CA certificate .cer file> RootCA
    
  2. If the search for Active Directory objects of category certificationAuthority does not return any objects, or if the objects have empty caCertificate attributes, the device searches for Active Directory objects of category pKIEnrollmentService in the configuration naming context. Such objects exist if certificate AutoEnrollment was enabled in Active Directory. If the search returns any objects, the device uses the returned dNSHostName attribute to reference the CA and then uses the Web interface of Microsoft Certificate Services to retrieve the Root CA certificate with the HTTP GET request http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64.

If neither of these methods succeeds, the device displays the error message "Cannot validate server certificate" and the user is unable to use the device.

Communicator Phone Edition Certificates

The following is a list of considerations for issuing certificates to Communicator Phone Edition.

  • By default, Communicator Phone Edition uses Transport Layer Security (TLS) and Secure Real-time Transport Protocol (SRTP).

    • Requirement: Trust certificates presented by Office Communications Server 2007 R2 and Exchange Server 2007 servers.

    • Requirement: Root certification authority (CA) chain certificate resides on the device.

  • No manual installation of certificate on device is possible.

  • Options:

    • Use public certificates

    • Preloaded public certificates on device

    • Use of enterprise certificates

    • Receive the Root CA chain from the network

Enterprise Root CA Chain

Communicator Phone Edition can find the certificate either by using the public key infrastructure (PKI) auto-enrollment object in Active Directory Domain Services or through a well-known distinguished name (DN).

  • Enable PKI auto-enrollment through Enterprise CA.

    • The device makes an LDAP request to find the pKIEnrollmentService object and the CA server address, and then downloads the certificate over HTTP from the Windows CA /certsrv site by using the user's credentials.

  • Use certutil -f -dspublish "<.cer file location>" RootCA to upload certificates to the Configuration NC.

    • CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, DC=<AD Domain>

The LDAP request uses BaseDN CN=Configuration, DC=<Domain> with the filter (objectCategory=pKIEnrollmentService), and the attribute searched for is dNSHostName. Be aware that the device downloads the certificate by using a plain HTTP GET request: http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64.
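As an added example (not from the original documentation), the following PowerShell preflight check performs the same two lookups the device performs, the certificationAuthority/caCertificate search and the pKIEnrollmentService/dNSHostName search followed by the certsrv HTTP GET described above, so an administrator can confirm the Root CA is reachable before devices are deployed. It assumes a domain-joined Windows machine with read access to the Configuration naming context and PowerShell 5 or later; the function name Search-ConfigNC and the output wording are this example's own.

```powershell
# Added example, not from the original documentation: checks both Root CA
# discovery methods used by Communicator Phone Edition. Assumes a domain-joined
# machine, read access to the Configuration NC, and PowerShell 5 or later.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext

function Search-ConfigNC([string]$Filter, [string[]]$Properties) {
    # Subtree search under CN=Configuration, as the device performs it.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$configNC"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindAll()
}

$ok = $false

# Method 1: certificationAuthority objects with a populated caCertificate attribute.
foreach ($r in Search-ConfigNC '(objectCategory=certificationAuthority)' @('cn', 'caCertificate')) {
    $name = $r.Properties['cn'][0]
    $blob = $r.Properties['cacertificate']
    if ($null -eq $blob -or $blob.Count -eq 0) {
        Write-Warning "Method 1: $name has an empty caCertificate attribute"
        continue
    }
    # Decode the first DER value to confirm it really is a certificate and see its expiry.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob[0])
    Write-Host ("Method 1 OK: {0} -> {1}, expires {2}" -f $name, $cert.Subject, $cert.NotAfter)
    $ok = $true
}

# Method 2: pKIEnrollmentService objects; the device builds the certsrv URL from dNSHostName.
foreach ($s in Search-ConfigNC '(objectCategory=pKIEnrollmentService)' @('cn', 'dNSHostName')) {
    $url = "http://{0}/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64" -f $s.Properties['dnshostname'][0]
    try {
        # Same plain HTTP GET the device issues, authenticated with the current user's credentials.
        $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
        Write-Host ("Method 2 OK: {0} returned {1} bytes" -f $url, $resp.Content.Length)
        $ok = $true
    } catch {
        Write-Warning ("Method 2: {0} failed: {1}" -f $url, $_.Exception.Message)
    }
}

if (-not $ok) {
    Write-Error 'Neither method succeeds; devices will report "Cannot validate server certificate".'
}
```

Run it as a domain user from the network segment the phones use, since a CA that is published correctly but unreachable over HTTP from that segment still fails method 2.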

Trusted Authorities Cache

Table 1 lists the public certificates that are trusted by Communicator Phone Edition.

Table 1.   Public certificates

Vendor       Certificate Name                                    Expiry Date   Key length
Comodo       AAA Certificate Services                            12/31/2020    2048
Comodo       AddTrust External CA Root                           5/30/2020     2048
Cybertrust   Baltimore CyberTrust Root                           5/12/2025     2048
Cybertrust   GlobalSign Root CA                                  1/28/2014     2048
Cybertrust   GTE CyberTrust Global Root                          8/13/2018     1024
VeriSign     Class 2 Public Primary Certification Authority      8/1/2028      1024
VeriSign     Thawte Premium Server CA                            12/31/2020    1024
VeriSign     Thawte Server CA                                    12/31/2020    1024
VeriSign     Comodo                                              1/7/2010      1000
VeriSign     Class 3 Public Primary Certification Authority      8/1/2028      1024
Entrust      Entrust.net Certification Authority (2048)          12/24/2019    2048
Entrust      Entrust.net Secure Server Certification Authority   5/25/2019     1024
Equifax      Equifax Secure Certification Authority              8/22/2018     1024
GeoTrust     GeoTrust Global CA                                  5/20/2022     2048
GoDaddy      GoDaddy Class 2 Certification Authority             6/29/2034     2048
GoDaddy      http://www.valicert.com/                            6/25/2019     1024
GoDaddy      Starfield Class 2 Certification Authority           6/29/2034     2048