
Is it common practice that vendors put own root certificates on customer devices?

Çağlar Arlı


At work, we are deploying a new VoIP solution, and as part of that, we are supposed to install a custom root certificate on our computers and mobile devices. The manufacturer of that VoIP solution has the private key to that. The certificate is suitable for e.g. validating TLS connections.

While I have no reason not to trust the external company, I’ve never needed to do something like this and find this insecure (and unnecessary, for that matter). Concretely, I’ve never touched my /etc/ssl/certs except for adding self-signed test certs.

I ask whether this is common practice out there. Are there situations where one has got to install a new root CA, controlled by an external vendor, on work and/or private devices, and this is considered acceptable in the security community?
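An added example, not part of the question and not the vendor's material: it uses throwaway keys and placeholder hostnames generated locally to show two narrower alternatives to dropping a vendor root into /etc/ssl/certs, namely pointing only the VoIP client at a CA file, and asking the vendor for a root carrying a nameConstraints extension so its key cannot vouch for names outside the VoIP domain.

```shell
#!/bin/sh
# Added example (not from the question or the vendor): throwaway keys, placeholder
# hostnames. Shows (1) trusting the vendor CA only via a CA file the VoIP client is
# pointed at, leaving the system store untouched, and (2) what a nameConstraints
# extension buys: certificates the CA issues for other domains do not verify.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Placeholder VoIP Vendor Root
[v3_ca]
basicConstraints = critical,CA:TRUE
nameConstraints = critical,permitted;DNS:voip.example.internal
EOF
# Stand-in for the vendor root: self-signed, CA:TRUE, constrained to one DNS subtree.
openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
  -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 30 \
  -keyout "$WORK/vendor-ca.key" -out "$WORK/vendor-ca.pem" 2>/dev/null
# Issue a leaf certificate for DNS name $1 under basename $2, signed by that CA.
issue_leaf() {
  openssl req -new -config "$WORK/openssl.cnf" -subj "/CN=$1" \
    -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$2.ext"
  openssl x509 -req -days 30 -in "$WORK/$2.csr" -CA "$WORK/vendor-ca.pem" \
    -CAkey "$WORK/vendor-ca.key" -CAcreateserial -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.pem" 2>/dev/null
}
# Scoped trust: verify leaf $1 against the vendor CA file only; every other TLS
# connection on the machine keeps its normal trust anchors.
verify_scoped() {
  openssl verify -CAfile "$WORK/vendor-ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}
# What the system store alone says about the same leaf (no vendor CA installed).
verify_system() {
  openssl verify "$WORK/$1.pem" >/dev/null 2>&1
}
issue_leaf voip.example.internal voip   # the VoIP server: inside the permitted subtree
issue_leaf mail.example.com rogue       # any other name the vendor key could sign
verify_scoped voip && echo "voip: trusted via the vendor CA file only"
verify_scoped rogue || echo "rogue: rejected, outside the name constraint"
verify_system voip  || echo "voip: not trusted by the system store, as intended"
```

Without the nameConstraints line the rogue leaf would verify just as well as the VoIP one, which is exactly the breadth of trust a system-wide root grants.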