The SPA30x IP phone certificate uses a different Certificate Authority (CA) to the SPA5xxG IP phones.
This means that if you currently have SPA5xxG IP phones working with a Cisco CA issued certificate and add SPA30x IP phones, the SPA30x phone client authentication will fail.
All SPA devices, including the SPA30x will still be able to authenticate the provisioning server's certificate.
Do the following to resolve the SPA30x client authentication issue:
1. Send in a request for a new combinedca.crt certificate as described in the link in steps 2 and 4: https://supportforums.cisco.com/docs/DOC-9852
2. Configure your Apache server with the new combinedca.crt certificate and the SPA30x phones will now be able to perform client authentication.
The SPA30x, SPA50x, SPA90x, and ATAs can now all be authenticated.
<end>