What document are you looking at? As far as I know the only certificate “push” would be done via GPO or some similar mechanism. During the SSL handshake the server certificate is sent to the client and the client will attempt to validate either the cert itself, or the signing authority, against its trust list. If the certificate is not in the trust list then the client will be offered the opportunity to trust/add it to its store, but this is the server cert, not the root cert. If however the CA root cert (public or private) OR the privately signed cert is already in the trust list then it should work with no further intervention or prompting. Once the client trusts the certificate then the key exchange happens. I can’t really think of anytime that it would a solid decision, security wise, to allow a piece of software to install a trusted root certificate. Rob From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Joe Loiacono Sent: Thursday, March 19, 2015 8:29 AM To: cisco-voip@puck.nether.net Subject: [cisco-voip] Call Manager, Jabber, and Certificates
Jabber documentation indicates that the Certificate that the client may require and is 'pushed' from Call Manager is a 'root certificate' that directs the Client to a trusted source that will validate the server's (Call Manager hosts) offered certificate. If the Call Manager certificate is from a public trusted Certificate Authority(CA), and that CA is in the Windows certificate store, can the Certificate 'push' be avoided altogether? Thanks, Joe Loiacono
_______________________________________________ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
