I recently was installing OCS in a domain where we for some reason could not use an enterprise CA, so a standalone was installed. This works fine on the MOC clients, but it was a problem when we were trying to use Communicator Phone Edition.

According to the phone ed. deployment guide, the CPE gets the certificate from AD like this:

1.   The device searches for Active Directory directory objects of category certificationAuthority. If the search returns any objects, the device will use the attribute caCertificate. This attribute is assumed to hold the certificate and the device will install the certificate.

The Root CA certificate must be published in the caCertificate for Communicator Phone Edition. To place the Root CA certificate in the caCertificate attribute, use the following command:

certutil -f -dspublish <Root CA certificate in .cer file> RootCA.

2.   If the search for Active Directory objects of category CertificationAuthority does not return any objects, or if the objects have empty caCertificate attributes, the device searches for Active Directory objects of category pKIEnrollmentService in the configuration naming context. Such objects exist if certificate AutoEnrollment was enabled in Active Directory. If the search returns any objects, it will use the dNSHostName attribute returned to reference the CA and it will then use the Web interface of the Microsoft Certificates Service to retrieve the Root CA certificate by using the HTTP GET command http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64.

If neither of these methods succeeds, the device displays the error message “Cannot validate server certificate” and the user is unable to use the device.

The certutil command described above requires you to have necessary rights in the forest, which we didn’t have.

The solution ended up being:

• Run the server 2k3 reskit tool pkiview.msc
• Right click Enterprise PKI and choose Manage AD Containers
• In the NTAuthCertificates tab, add the root certificate of the standalone CA

That should be it! When we did this the phones started downloading the right certificate.

Edit: This might not be working perfectly. Some phones use an extreme amount of time downloading the right certificate. Might be the messy PKI in the forest being the problem, but i will need to test this some more…