Make sure the Root CA certificate used to sign the IP Office identity certificate, is installed in the IP Office Trusted Certificate Store:
If the trust policy selected for the IP Office uses a well-known public CA, download the PEM-encoded root CA certificate from the CA's web site and install it in the IP Office Trusted Certificate Store using IP Office Manager security settings .
If the trust policy selected for the IP Office uses its own internal CA, then the root CA certificate will already be in the IP Office Trusted Certificate Store.
Make sure that the IP Office identity certificate includes a Subject Alternative Name field containing the public IP address of the IP Office.
This is needed for the phones to be able to verify the server identity, when the phones are configured to connect to the IP Office's public IP address. It is not needed when the phones are configured through staging to connect to the IP Office's FQDN.
If IP Office is using an identity certificate generated by its own internal CA, then you need to generate a new identity certificate with the public IP address in Subject Alternative Name. Caution: Re-generate only the identity certificate and do not unnecessarily re-generate the root CA certificate, which can be disruptive (see Changing an IP Office Root CA Certificate).
Configure the following parameters on each phone through the phone CRAFT menu: HTTPS Server IP Address, HTTP Server IP Address and Call Server IP Address. All three parameters have to be set to the IP address of the IP Office.
The phone is restarted and contacts the IP Office from which it automatically obtains and installs the Root CA certificate of the IP Office.
