How-to Manually Install Certificates on a Polycom RMX


During some recent Polycom RMX work, it was discovered that the RMX's (2000 and 1800) would not accept certificates into the trust store with an expiration past the year 2038, seemingly related to the article here. After some triage, I found it was possible to work around the issue of using RMX Manager which would not take the certificate by using SSH/WinSCP to manually update the required .crt and .xml certificate bundle and configuration files respectively, which I've detailed below.

Enable SSH

  • Log into the RMX and create a user account with username and password of SUPPORT
  • Log into the RMX again using the SUPPORT user
  • Expand Administration > SSH > Select Turn On SSH

Retrieve the existing ca-bundle-client.xml and ca-bundle-client.crt files and Update them

The ca-bundle-client.xml file contains XML formatted details of the trusted certificates. The ca-bundle-client.crt file is a file containing the PEM of each trusted certificate.

SSH to the RMX and log in with user rt3p1aa (Polycom support will provide the built-in password). Once logged in, su into root (again Polycom support can provide this password).

Navigate to the /config/keys/ca_cert directory

cd /config/keys/ca_cert
ls -l

Before continuing, create a backup of the original files.

cp ca-bundle-client.crt ca-bundle-client.crt.orig
cp ca-bundle-client.xml ca-bundle-client.xml.orig

Using vi edit the ca-bundle-client.crt file, and append the PEM formatted version of the certificate you want to install on the RMX. Ensure a new line is left between the existing PEM and the one you are entering.

Copy the ca-bundle-xml to the /tmp directory. From their use WinSCP or equivalent, to download a copy of the file.

cp ca-bundle-client.xml /tmp/

Using Notepad++ or equivalent, edit the ca-bundle-client.xml file. Following the same syntax as existing certificates, update the file with details of the new certificate. The XML should end with the closing tag </CERTIFICATE_AUTHORITHY_LIST>. An example is shown below, noting the opening tab <CERTIFICATE_DETAILS> follows directly after the preceding certificate block which ends with the tag </CERTIFICATE_DETAILS>.

<CERTIFICATE_DETAILS><CERTIFICATE>-----BEGIN CERTIFICATE-----
MIIF8TCCA9mgAwIBAgIIAPpXrd66weUwDQYJKoZIhvcNAQENBQAwgckxCzAJBgNV
BAYTAkFVMSUwIwYDVQQIExxBdXN0cmFsaWFuIENhcGl0YWwgVGVycml0b3J5MRIw
EAYDVQQHEwlCZWxjb25uZW4xIzAhBgNVBAoTGkRlcGFydG1lbnQgb2YgSG9tZSBB
ZmZhaXJzMScwJQYDVQQLEx5JZGVudGl0eSBhbmQgQWNjZXNzIE1hbmFnZW1lbnQx
MTAvBgNVBAMTKEhvbWUgQWZmYWlycyBJbnRlcmFjdGl2ZSBJbnRlcm1lZGlhdGUg
Q0EwHhcNMTgwNTAyMDYwNzAwWhcNMjUwNTAxMDYwNzAwWjCByzELMAkGA1UEBhMC
QVUxJTAjBgNVBAgTHEF1c3RyYWxpYW4gQ2FwaXRhbCBUZXJyaXRvcnkxEjAQBgNV
BAcTCUJlbGNvbm5lbjEjMCyjbSyb23oIWae/nsj
VmIeDUqZC1jPYKbPM8BTA9IWJWSjLV670ATNPF7xBHkmYMYMG0ISZnRebqmWuvMY
lvLx/RmSzPS0G1X4TykpOImo8oioCfiJfN11HyddWoXqQmMJ+i4vTRjTm1h+GmvE
4hfPLVTUZCUzdl2TtbQC6maOtu9K/5aMXAzmWzWi6zSI8b10CIdGBZOV6lI6ol0B
rwJ0z2ycB3I0kerpR3mOY3EkQJ7A1cQrp0MS804rAep9ggGu1EEek/T1mSbuHp+6
PQ16SCr7mnkGfwrdcjlIyg066PSEGMf7C26jgXiTUShYCl//zQ==
-----END CERTIFICATE-----
</CERTIFICATE><CERTIFICATE_FULL_DETAILS>Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fa:57:XX:XX:XX
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=AU, ST=NSW, L=Sydney, O=Jason Neurohr, OU=Infra, CN=Jason Neurohr Intermediate CA
Validity
Not Before: May 2 06:07:00 2018 GMT
Not After : May 1 06:07:00 2040 GMT
Subject: C=AU, ST=NSW, L=Sydney, O=Jason Neurohr, OU=Infra, CN=Jason Neurohr Issuing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
XX:XX:XX:XX:XX:XX:XX:XX
X509v3 Basic Constraints:
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:XX:XX:XX:XX:XX:XX:XX:XX

X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.domain/pki/JasonNeurohrIssuingCA.pem.crl

X509v3 Subject Alternative Name:
email:pki@JasonNeurohr.domain
Signature Algorithm: sha512WithRSAEncryption
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
</CERTIFICATE_FULL_DETAILS><CRL_DISTRIBUTION_POINTS><CDP>http://crl.domain/pki/JasonNeurohrIssuingCA.pem.crl</CDP></CRL_DISTRIBUTION_POINTS><ORGANIZATION_NAME_ISSUER>Jason Neurohr</ORGANIZATION_NAME_ISSUER><ORGANIZATION_NAME_SUBJECT>Jason Neurohr</ORGANIZATION_NAME_SUBJECT><CERTIFICATE_SUMMARY><SERIAL_NUMBER>XYZ</SERIAL_NUMBER><ISSUED_TO>Jason Neurohr Issuing CA</ISSUED_TO><ISSUED_BY>Jason Neurohr Intermediate CA</ISSUED_BY><CERTIFICATE_STATUS>ok</CERTIFICATE_STATUS><SERVICE_NAME></SERVICE_NAME><VALID_FROM>2018-05-02T06:07:00</VALID_FROM><VALID_TO>2040-05-01T06:07:00</VALID_TO></CERTIFICATE_SUMMARY></CERTIFICATE_DETAILS></CERTIFICATE_AUTHORITHY_LIST>

Once the ca-bundle-client.xml has been updated, using WinSCP or equivalent, copy it back to the RMX /tmp directory. From there using SSH move it back into the /config/keys/ca_cert directory, and update the owner (note if you used WinSCP to make the changes to the .crt file also, its owner needs to be updated as well)

cp /tmp/ca-bundle-client.xml /config/keys/ca_cert/
chown mcms:mcms ca-bundle-client.xml
chown mcms:mcms ca-bundle-client.crt

At this point reboot the RMX. Once it comes back online the trust store should include the manually added certificates.