Problem

Your Aastra IP phone screen reads Bad Certificate.

Cause

This usually indicates that the time set on the phone does not match the HTTPS certificate coming from the server.

Less likely, but also possible, is that your router's DNS settings might need to be adjusted.
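To confirm that the clock is the cause before working through the steps below, compare the time shown on the phone with the server certificate's validity window. The following Python sketch is an added example, not part of the original article; the function names and sample dates are constructed for illustration, and it assumes you read the phone's date and time off its display.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_validity(host, port=443, timeout=5):
    """Run on a computer whose clock is correct: return the server
    certificate's (notBefore, notAfter) strings. Raises
    ssl.SSLCertVerificationError if it does not validate here either."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]


def _utc(cert_time):
    # Parses the "Mar  1 00:00:00 2024 GMT" form used in certificates.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def classify(phone_time, reference_time, not_before, not_after):
    """phone_time: date/time shown on the phone; reference_time: trusted clock."""
    start, end = _utc(not_before), _utc(not_after)
    if not start <= reference_time <= end:
        # Certificate is invalid even for a correct clock: NTP will not fix it.
        return "server-certificate-not-valid-now"
    if phone_time < start:
        return "phone-clock-behind"
    if phone_time > end:
        return "phone-clock-ahead"
    return "time-not-the-cause"


# Constructed sample values (not taken from any real server).
SAMPLE_NOT_BEFORE = "Mar  1 00:00:00 2024 GMT"
SAMPLE_NOT_AFTER = "Mar  1 00:00:00 2025 GMT"
REFERENCE = datetime(2024, 9, 15, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, phone in [
        ("unsynced clock", datetime(2000, 1, 1, tzinfo=timezone.utc)),
        ("synced clock", datetime(2024, 9, 15, 12, 1, tzinfo=timezone.utc)),
    ]:
        print(label, "->", classify(phone, REFERENCE, SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER))
```

A result of phone-clock-behind or phone-clock-ahead points to the time server steps; time-not-the-cause points to the later sections.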

Resolution

Before you begin, please note your phone's IP address and administrator password (typically 54321 or 22222), and keep them at hand.

During this procedure, you will be completing the following general steps, as necessary.

  1. Manually add time servers.
  2. Disable Certificate Validation.
  3. Erase the local configuration and restore factory settings.
  4. Set the router DNS to 208.67.222.222 and 8.8.8.8, then power-cycle the network.

You have the option of completing Steps 1 through 3 above either:

  • On the phone itself (this does not require a computer, but can be more time-consuming).
  • Via the phone's web interface (this is often more convenient, but requires a computer on the same network as the problematic phone).

Please note that after each step above, you will reboot the phone, at which point the DHCP server may assign it a different IP address. If you elect to complete the steps via the phone's web interface (GUI), you will need to re-check the IP address on the phone itself before beginning each subsequent step (if necessary).

If you find the error clears at any point along the way, you may conclude your troubleshooting.

Time Servers

Choose one of the following methods, either on the phone itself or through the web GUI, and complete the appropriate steps below.

On the Phone

Use the up and down arrow buttons to scroll through the menu options, and the right arrow button to select Enter.

  1. Press Options.
  2. Select Preferences.
  3. Select Time & Date.
  4. Select Time Server.
  5. Select Time Server 1.
  6. Using the phone keypad, enter: 0.pool.ntp.org (use * to input the periods).
  7. Select Done.
  8. Select Time Server 2.
  9. Using the phone keypad, enter: 1.pool.ntp.org (use * to input the periods).
  10. Select Done until you return to the main screen (or press the GOODBYE button).
  11. Press Options.
  12. Select Restart Phone.
  13. Select Restart.
  14. Allow the phone to reboot.

Via Web GUI

  1. Enter the phone's IP address into the browser address bar and log in.
  2. In the left-hand menu, click Basic Settings > Preferences.
  3. Scroll down to the Time and Date Setting section.
  4. Ensure the NTP Time Servers option is enabled (checked).
  5. Set Time Server 1 to: 0.pool.ntp.org.
  6. Set Time Server 2 to: 1.pool.ntp.org.
  7. Click Save Settings.
  8. In the left-hand menu, click Operation > Reset.
  9. In the Phone section, click the Restart button.
  10. Allow the phone to reboot.

If the error persists, continue to the Disable Cert Validation section of this troubleshooting article.

Disable Cert Validation

Choose one of the following methods, either on the phone itself or through the web GUI, and complete the appropriate steps below.

On the Phone

Use the up and down arrow buttons to scroll through the menu options, and the right arrow button to select Enter.

  1. Press the Options button.
  2. Select Admin Menu, then press Enter.
  3. Enter the password (typically 54321 or 22222), then press Enter.
  4. Select Config Server.
  5. Select HTTPS Settings.
  6. Select Cert Validation.
  7. Select Enable, then change it from YES to NO to disable the Cert Validation.
  8. Confirm the change.
  9. Select Done until you return to the main screen (or press the GOODBYE button).

    Note: You might now see Error 1 displayed on the phone. This is OK.
  10. Press Options.
  11. Select Restart Phone.
  12. Select Restart.
  13. Allow the phone to reboot.

Via Web GUI

  1. Enter the phone's IP address into the browser address bar and log in.
  2. In the left-hand menu, click Advanced Settings > Network.
  3. Scroll down to the HTTPS Settings section.
  4. Ensure the Validate Certificates option is not enabled (i.e., make sure the box is unchecked).
  5. Click Save Settings.

    Note: You might now see Error 1 displayed on the phone. This is OK.
  6. In the left-hand menu, click Operation > Reset.
  7. In the Phone section, click the Restart button.
  8. Allow the phone to reboot.

If the error persists, continue to the Factory Reset section of this troubleshooting article.

Factory Reset

Choose one of the following methods, either on the phone itself or through the web GUI, and complete the appropriate steps below.

Note: The following will erase any local settings on the phone, such as speed dials, line key assignments, forwarding, etc.

On the Phone

Use the up and down arrow buttons to scroll through the menu options, and the right arrow button to select Enter.

  1. Press the Options button.
  2. Select Admin Menu, then press Enter.
  3. Enter the password (typically 54321 or 22222), then press Enter.
  4. Select Erase Local Config.
  5. Select Erase.
  6. Select Cancel.
  7. Select Factory Default.
  8. Select Default.
  9. Select Restart.
  10. Allow the phone to reboot.

    Note: As the phone reboots, it might display Bad Certificate and Error 1. This is OK.
  11. After the phone is fully rebooted, return to the Time Servers section of this troubleshooting article and once again add the time servers.

Via Web GUI

  1. Enter the phone's IP address into the browser address bar and log in.
  2. In the left-hand menu, click Operation > Reset.
  3. In Current Settings > Remove Local Configuration Settings, click Remove.
  4. In the pop-up window, click OK and wait for the page to refresh.
  5. In the left-hand menu, click Operation > Reset.
  6. In Current Settings > Restore to Factory Defaults, click Restore.
  7. In the pop-up window, click OK and wait for the page to refresh.
  8. In the left-hand menu, click Operation > Reset. (You may be asked to log in again.)
  9. In the Phone section, click the Restart button.
  10. Allow the phone to reboot.

    Note: As the phone reboots, it might display Bad Certificate and Error 1. This is OK.
  11. After the phone is fully rebooted, return to the Time Servers section of this troubleshooting article and once again add the time servers.

If the error persists, continue to the DNS section of this troubleshooting article.

DNS

If you have completed all of the previous troubleshooting steps and continue to have problems, the issue may be DNS related.

It is strongly recommended that you or your network/IT administrator:

  1. Set your router's DNS to 208.67.222.222 and 8.8.8.8.
  2. Perform a network power cycle.