Starting with openUC and sipXecs 4.6.0 Update 3 HTTPS provisioning is possible with Polycom phones running firmware 4.0 and later.

Overview

In order for the phone and sipXecs to communicate securely, a certificate must be used. We distinguish two cases:

  1. using self signed certificate - we'll discuss about using sipXecs default self signed certificate
  2. using a certificate signed by a well known certificate authority.

In order to setup a phone to provision using HTTPS you must select Server Type: HTTPS under Admin Settings > Network > Provisioning Server.

Secure provisioning  using sipXecs self signed certificate

Please keep in mind that if you use a self signed certificate you will always need an "unsecure" step, that being uploading the certificate to the phone.

Follow the steps here: Installing the Root CA Server Certificate on the Polycom Phone to install the root CA on the phone. If you already have the phone running 4.0 firmware revision registered in sipXecs you can send profiles to the phone, and the certificate will be uploaded automatically to the phone. Then you may change the provisioning server type to use HTTPS. The phone will provision from then forward securely.

Auto-provisioning

In order to auto-provision a phone (for instance out of the box) using the self signed certificate you need to you need to upload the root CA on the phone first. You don't even need to register with sipXecs in order to do this, you just need to boot the phone in the same network with sipXecs and follow the above steps to upload the CA. Once the root CA is on the phone you may change the provisioning server type to use HTTPS. The phone will auto-provision securely.

Secure provisioning  using a certificate signed by a well known CA

The best option to provision securely is to use a certificate signed by a well known CA. The phone has the most common root CAs installed from the factory and the phone will certify the server's certificate. So in this case there is no extra "unsecure" step to follow, and secure provisioning (including auto-provisioning) can be achieved out-of-the-box.

Trusted Certificate Authority List

The phone trusts the following certificate authorities by default: