Connect to the Web Service and Download the Root CA Certificate Chain
Topic Last Modified: 2011-01-27
After connecting to the Registrar, the first thing the device does is download the chain of trust for the issuer of the server’s certificate. This chain is stored on the device and is used to verify the certificate that the server uses to authenticate itself.
Upon receiving the address of the Registrar and Web Services, the device connects to the web server and downloads the root certificate chain. This is a certificate chain of trust linking the web server to the certification authority (CA). This assists the device in requesting a certificate for authentication and also helps improve the efficiency and security of subsequent communication.
Issue 1: Device Cannot Connect to Web Services
Issue: The device displays the "Unable to locate Lync Certificate Web service" message after showing the "Locating the server to download the certificate" message.
Resolution: The information returned by DHCP may be outdated or incorrect. First, run the synthetic transaction test-CsPhoneBootstrap:
test-CsPhoneBootstrap -TargetFQDN -PIN <pin of the user on the device seeing this failure> -PhoneOrExt <phone or extension of the user on the device seeing this failure> -verbose
This cmdlet shows what DHCP has set, including whether it is set up correctly. If it is not set up correctly, correct the URL in the DHCP server option 43, and reset the device so that it begins the connection process again. Alternatively, if there is another reason why you cannot connect to the Web Services, resolve that problem before reattempting to connect with the device.
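To check what option 43 actually hands to the device, the following added example (not part of the original topic or of any Microsoft tooling) decodes raw option 43 bytes and rebuilds the Web Services URL from them. It assumes the MS-UC-Client vendor class layout of sub-options 1 to 5; the function names, the checks and the sample host name are constructed for illustration.

```python
# Added example: decode raw DHCP option 43 bytes and rebuild the provisioning URL.
# Assumption: sub-options 1-5 follow the MS-UC-Client vendor class layout.
SUBOPTIONS = {1: "UCIdentifier", 2: "URLScheme", 3: "WebServerFqdn",
              4: "WebServerPort", 5: "CertProvRelPath"}


def parse_option43(data: bytes) -> dict:
    """Split option 43 into named sub-options (1-byte code, 1-byte length, value)."""
    fields, i = {}, 0
    while i < len(data) and data[i] != 255:  # 255 ends the encapsulated options
        if i + 2 > len(data):
            raise ValueError(f"truncated sub-option header at offset {i}")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} claims {length} bytes, {len(value)} present")
        fields[SUBOPTIONS.get(code, f"unknown-{code}")] = value.decode("ascii", "replace")
        i += 2 + length
    return fields


def check_provisioning(fields: dict):
    """Return (url, problems); url is None when a required sub-option is absent."""
    problems = [f"missing {n}" for n in SUBOPTIONS.values() if n not in fields]
    if problems:
        return None, problems
    if fields["UCIdentifier"] != "MS-UC-Client":
        problems.append("UCIdentifier is not MS-UC-Client")
    if fields["URLScheme"].lower() != "https":
        problems.append("URLScheme is not https")
    if not fields["WebServerPort"].isdigit():
        problems.append("WebServerPort is not numeric")
    if not fields["CertProvRelPath"].startswith("/"):
        problems.append("CertProvRelPath does not start with /")
    url = "{URLScheme}://{WebServerFqdn}:{WebServerPort}{CertProvRelPath}".format(**fields)
    return url, problems


def tlv(code: int, text: str) -> bytes:
    """Encode one sub-option; used here only to build the constructed sample."""
    return bytes([code, len(text)]) + text.encode("ascii")


# Constructed sample (not captured from a real network).
SAMPLE = b"".join(tlv(c, v) for c, v in [
    (1, "MS-UC-Client"), (2, "https"), (3, "pool01.example.test"),
    (4, "443"), (5, "/CertProv/CertProvisioningService.svc")])

if __name__ == "__main__":
    print(check_provisioning(parse_option43(SAMPLE)))
```

Feed it the option 43 payload taken from a packet capture of the device's DHCP exchange; any entry in the returned problem list points at the sub-option to correct on the DHCP server.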
Issue 2: Cannot Download Root Certificate Chain
Issue: The device displays an "Error downloading certificate chain from OCS Registrar. Please try again" message.
Resolution: Check the administrator setting for the root CA and Certificate Download. If these are not set, enable them. Next, reset the device. For details, see How to Reset a Device. The device cycles through the connection process before trying to download the root certificate chain again. This time, the download should be successful.