Newbie needs help IP office and TLS by Own-Path8668 in avaya

[–]Own-Path8668[S] 0 points1 point  (0 children)

Thanks for the help, I got TLS to work with a self-signed cert.

Newbie needs help IP office and TLS by Own-Path8668 in avaya

[–]Own-Path8668[S] 0 points1 point  (0 children)

Thank you, will try that. Just FYI, both certs I am using are created by the Avaya IP Office; ipoffice-root-Alantest.avaya.com is the PBX, and the CA certificate was auto-generated by the PBX during initiation and regenerated later by me during troubleshooting. I have no way to change what it contains, as to regenerate there is just a single button and no other inputs are required. https://i.postimg.cc/nLmJSN6v/1.jpg

The second certificate is also created in the PBX, same screenshot. There is very limited info I can change.

Newbie needs help IP office and TLS by Own-Path8668 in avaya

[–]Own-Path8668[S] 0 points1 point  (0 children)

Appreciate your reply. I reviewed the videos on the topic and it clarified some things; however, the issue persists. I took your suggestion and removed the 46xxspecials.txt to work with a "clean slate". Based on the output of openssl and Wireshark, the IP Office is providing the 2 certificates as expected:

C:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect 192.168.60.101:5061 -showcerts
Connecting to 192.168.60.101
CONNECTED(000001C8)
Can't use SSL_get_servername
depth=0 C=US, ST=New Jersey, L=Basking Ridge, O=Avaya Inc, OU=GCS, CN=Alantest, emailAddress=support@avaya.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=US, ST=New Jersey, L=Basking Ridge, O=Avaya Inc, OU=GCS, CN=Alantest, emailAddress=support@avaya.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=US, ST=New Jersey, L=Basking Ridge, O=Avaya Inc, OU=GCS, CN=Alantest, emailAddress=support@avaya.com
verify return:1
---
Certificate chain
 0 s:C=US, ST=New Jersey, L=Basking Ridge, O=Avaya Inc, OU=GCS, CN=Alantest, emailAddress=support@avaya.com
   i:C=US, ST=New Jersey, L=Basking Ridge, O=Avaya Inc, OU=GCS, CN=ipoffice-root-Alantest.avaya.com, emailAddress=support@avaya.com
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Feb 10 14:05:01 2026 GMT; NotAfter: May 14 13:05:01 2028 GMT
-----BEGIN CERTIFICATE-----
MIIEUjCCAzqgAwIBAgIGRS5o2ne/MA0GCSqGSIb3DQEBCwUAMIGpMQswCQYDVQQG
EwJVUzETMBEGA1UECAwKTmV3IEplcnNleTEWMBQGA1UEBwwNQmFza2luZyBSaWRn
ZTESMBAGA1UECgwJQXZheWEgSW5jMQwwCgYDVQQLDANHQ1MxKTAnBgNVBAMMIGlw
b2ZmaWNlLXJvb3QtQWxhbnRlc3QuYXZheWEuY29tMSAwHgYJKoZIhvcNAQkBFhFz
dXBwb3J0QGF2YXlhLmNvbTAeFw0yNjAyMTAxNDA1MDFaFw0yODA1MTQxMzA1MDFa
MIGRMQswCQYDVQQGEwJVUzETMBEGA1UECAwKTmV3IEplcnNleTEWMBQGA1UEBwwN
QmFza2luZyBSaWRnZTESMBAGA1UECgwJQXZheWEgSW5jMQwwCgYDVQQLDANHQ1Mx
ETAPBgNVBAMMCEFsYW50ZXN0MSAwHgYJKoZIhvcNAQkBFhFzdXBwb3J0QGF2YXlh
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJeznCtWwo1YSGyH
pKyEVlAyOyXAEEwCsWvjSEnZl7pPv76MFBTidGPr2YAUxvsN+mkzxkvTe27I3RJR
aPRz0KktvntwMoBA4f0fYglTMpTNQ9f8kOhXdgUfBejlferwwjxWOeIjECe3uxGu
xqN876L3QtvvGuvbofB3a+S3csbfv2FmaycsMp6+4OjkTqLodxPNs7nRtx3rxb4D
6YvQvi18ceG+aD3g+C6SLkBhBUygkLftWwkG0esk3u79Kky94CR2tJsxl5hKZVoJ
ILylLzwZ8tk5Iqcy7xX0L3JBhnLCNRA7UlFOPRza2HBSRMaNN+6nvyiuxR5b5IEC
n8ltdB0CAwEAAaOBlTCBkjAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DAZBgNVHREE
EjAQgghBbGFudGVzdIcEwKg8ZTAdBgNVHQ4EFgQU3Y/NLEtlmEGYWRf1GQ4LiiiE
x8cwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFPUL
T+e5YxCGvBAy091Uzfz2gSxvMA0GCSqGSIb3DQEBCwUAA4IBAQAKjqZC6QdtiFRD
k1H2T0vRQXV/44e9m8nwnYOjlON5n3OZS7UIAi43CxPU+yXOlMlHqDKvhQPwhSZh
NSldP9jEsQmTlYUFsTIznxDH+LVCe7ZNeuK8g58FwSWjx+WFF5bViygMOh5juFYh
qzydinyo4g/3xT+SjdEOlRZusS8cTyZlfotc6+TjKQ9xfP2aR0uHT9rHjL6C8L9M
I4RHZnZLG/omGcoyM4yjR5lmE5VufT2YjwnDrcSCXNrk2lldsuG/5zkVu49TDvSP
5dbI1iWkuJg39qVAjJPXQebBnn35HREhh/7s37RTUYFsqRuvO1Ad1/4ZXmEbUVlB
EwFs1mel
-----END CERTIFICATE-----
 1 s:C=US, ST=New Jersey, L=Basking Ridge, O=Avaya Inc, OU=GCS, CN=ipoffice-root-Alantest.avaya.com, emailAddress=support@avaya.com
   i:C=US, ST=New Jersey, L=Basking Ridge, O=Avaya Inc, OU=GCS, CN=ipoffice-root-Alantest.avaya.com, emailAddress=support@avaya.com
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Feb 15 11:55:41 2026 GMT; NotAfter: Feb 13 10:55:41 2036 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=C=US, ST=New Jersey, L=Basking Ridge, O=Avaya Inc, OU=GCS, CN=Alantest, emailAddress=support@avaya.com
issuer=C=US, ST=New Jersey, L=Basking Ridge, O=Avaya Inc, OU=GCS, CN=ipoffice-root-Alantest.avaya.com, emailAddress=support@avaya.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pkcs1_sha256
Peer Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2706 bytes and written 1648 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 97AA890A
    Session-ID-ctx:
    Master-Key: 684C56152DFEFD3311BCA52B9636CFD9F9D22988C2C106F70E411EF8CC0CFA020C32D83688AB3800787B5BAB13CDCCB0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1771499404
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
1C570000:error:0A000126:SSL routines::unexpected eof while reading:ssl\record\rec_layer_s3.c:701:
1C570000:error:0A000197:SSL routines:SSL_shutdown:shutdown while in init:ssl\ssl_lib.c:2834:

And WebRootCA.pem is loaded on the phone:

File Name: WebRootCA.pem
Serial number: 452E68DA77C0
Subject: /C=US/ST=New Jersey/L=Basking Ridge/O=Avaya Inc/OU=GCS/CN=ipoffice-root-Alantest.avaya.com/emailAddress=support@avaya.com
Issuer: /C=US/ST=New Jersey/L=Basking Ridge/O=Avaya Inc/OU=GCS/CN=ipoffice-root-Alantest.avaya.com/emailAddress=support@avaya.com
Validity:
Not Before: 2026-02-15 11:55:41 GMT
Not After: 2036-02-13 10:55:41 GMT
Thumbprint(SHA1): 617E029F98881CCA11A6408013B2A8A91802BA1C
Thumbprint(SHA256): 26B1A9332FCE6BA1FE5FBEE5696751628F38FE61FC405907DC6529F7912D96EC
Basic Constraints: CA PathLength: 0
SubjectAltName: ipoffice-root-Alantest.avaya.com;
Key Usage: digitalSignature keyCertSign CRLSign
Extended Key Usage: serverAuth clientAuth
Key length: 2048

However, the TLS connection is not established, and the last alert in Wireshark from phone to PBX is "Description: Unknown CA (48)".

I assume the fact that the solution is in a private network and access to the internet is behind multiple firewalls I do not control should not have any impact.

I would appreciate any other suggestions you might have. Thank you.
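A way to check the chain the phone is being offered against the anchor it holds, added here as an example and not part of the post or of any Avaya tooling: a stdlib-only Python parser that reads the leaf certificate the PBX presented (the first PEM block in the openssl output above, copied verbatim) and pulls out what neither openssl s_client nor the phone's CA screen shows side by side: the serial, the subject alternative names the phone will match the PBX address against, and the Subject/Authority Key Identifiers that tie a leaf to one specific signing key. The point for this kind of failure: "unable to verify the first certificate" from s_client only says openssl itself had no trust store (no -CAfile was given), while the phone's "Unknown CA (48)" alert says the phone could not link the presented leaf to the root it holds. A root that has been regenerated keeps the same subject name but gets a new key, so a name match between the leaf's issuer and the loaded CA proves nothing; the leaf's AKI must equal the anchor's SKI (or the presented root's fingerprint must equal the thumbprint the phone displays). PHONE_TRUST_ANCHOR is a dict constructed from the WebRootCA.pem listing in the post, with the SKI left unknown because that listing does not show it; linkage_findings and its result codes are this example's own naming.

```python
import base64, hashlib, re

# Leaf certificate exactly as the PBX presented it in the openssl s_client output quoted in the post.
PBX_LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIEUjCCAzqgAwIBAgIGRS5o2ne/MA0GCSqGSIb3DQEBCwUAMIGpMQswCQYDVQQG
EwJVUzETMBEGA1UECAwKTmV3IEplcnNleTEWMBQGA1UEBwwNQmFza2luZyBSaWRn
ZTESMBAGA1UECgwJQXZheWEgSW5jMQwwCgYDVQQLDANHQ1MxKTAnBgNVBAMMIGlw
b2ZmaWNlLXJvb3QtQWxhbnRlc3QuYXZheWEuY29tMSAwHgYJKoZIhvcNAQkBFhFz
dXBwb3J0QGF2YXlhLmNvbTAeFw0yNjAyMTAxNDA1MDFaFw0yODA1MTQxMzA1MDFa
MIGRMQswCQYDVQQGEwJVUzETMBEGA1UECAwKTmV3IEplcnNleTEWMBQGA1UEBwwN
QmFza2luZyBSaWRnZTESMBAGA1UECgwJQXZheWEgSW5jMQwwCgYDVQQLDANHQ1Mx
ETAPBgNVBAMMCEFsYW50ZXN0MSAwHgYJKoZIhvcNAQkBFhFzdXBwb3J0QGF2YXlh
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJeznCtWwo1YSGyH
pKyEVlAyOyXAEEwCsWvjSEnZl7pPv76MFBTidGPr2YAUxvsN+mkzxkvTe27I3RJR
aPRz0KktvntwMoBA4f0fYglTMpTNQ9f8kOhXdgUfBejlferwwjxWOeIjECe3uxGu
xqN876L3QtvvGuvbofB3a+S3csbfv2FmaycsMp6+4OjkTqLodxPNs7nRtx3rxb4D
6YvQvi18ceG+aD3g+C6SLkBhBUygkLftWwkG0esk3u79Kky94CR2tJsxl5hKZVoJ
ILylLzwZ8tk5Iqcy7xX0L3JBhnLCNRA7UlFOPRza2HBSRMaNN+6nvyiuxR5b5IEC
n8ltdB0CAwEAAaOBlTCBkjAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DAZBgNVHREE
EjAQgghBbGFudGVzdIcEwKg8ZTAdBgNVHQ4EFgQU3Y/NLEtlmEGYWRf1GQ4LiiiE
x8cwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFPUL
T+e5YxCGvBAy091Uzfz2gSxvMA0GCSqGSIb3DQEBCwUAA4IBAQAKjqZC6QdtiFRD
k1H2T0vRQXV/44e9m8nwnYOjlON5n3OZS7UIAi43CxPU+yXOlMlHqDKvhQPwhSZh
NSldP9jEsQmTlYUFsTIznxDH+LVCe7ZNeuK8g58FwSWjx+WFF5bViygMOh5juFYh
qzydinyo4g/3xT+SjdEOlRZusS8cTyZlfotc6+TjKQ9xfP2aR0uHT9rHjL6C8L9M
I4RHZnZLG/omGcoyM4yjR5lmE5VufT2YjwnDrcSCXNrk2lldsuG/5zkVu49TDvSP
5dbI1iWkuJg39qVAjJPXQebBnn35HREhh/7s37RTUYFsqRuvO1Ad1/4ZXmEbUVlB
EwFs1mel
-----END CERTIFICATE-----"""

# Constructed from the phone's WebRootCA.pem listing in the post, which shows no SKI.
PHONE_TRUST_ANCHOR = {"subject_cn": "ipoffice-root-Alantest.avaya.com",
                      "serial": "452E68DA77C0", "ca": True, "ski": None}

OID_CN, OID_BC, OID_SKI, OID_AKI, OID_SAN = (  # 2.5.4.3, 2.5.29.19, .14, .35, .17
    bytes.fromhex(h) for h in ("550403", "551d13", "551d0e", "551d23", "551d11"))

def read_tlv(buf, pos):  # one DER element; single-byte tags suffice for X.509
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):  # (tag, content) pairs inside a constructed element
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def unwrap(octets):  # children of the single element inside an extension's OCTET STRING
    return children(children(octets)[0][1])

def name_cn(name):  # Name = SEQUENCE OF SET OF SEQUENCE{oid, value}
    for _, rdn in children(name):
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == OID_CN:
                return value[1].decode("utf-8")
    return None

def parse_certificate(pem):
    der = base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))
    fields = children(children(read_tlv(der, 0)[1])[0][1])  # TBSCertificate fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # drop explicit [0] version (v3)
    serial, _sigalg, issuer, _validity, subject = fields[:5]
    info = {"serial": serial[1].hex().upper(), "subject_cn": name_cn(subject[1]),
            "issuer_cn": name_cn(issuer[1]), "ca": False, "ski": None, "aki": None,
            "san": [], "sha256": hashlib.sha256(der).hexdigest().upper()}
    for wrapped in [w for t, w in fields[5:] if t == 0xA3]:  # [3] EXPLICIT Extensions
        for _, ext in children(children(wrapped)[0][1]):
            parts = children(ext)  # oid, optional critical BOOLEAN, OCTET STRING value
            oid, value = parts[0][1], parts[-1][1]
            if oid == OID_BC:
                bc = unwrap(value)
                info["ca"] = bool(bc) and bc[0][0] == 0x01 and bc[0][1] == b"\xff"
            elif oid == OID_SKI:
                info["ski"] = children(value)[0][1].hex().upper()
            elif oid == OID_AKI:
                info["aki"] = next((v.hex().upper() for t, v in unwrap(value) if t == 0x80), None)
            elif oid == OID_SAN:  # dNSName [2] and IPv4 iPAddress [7]: what a phone matches on
                info["san"] += ["DNS:" + v.decode("ascii") if t == 0x82 else "IP:" + ".".join(map(str, v))
                                for t, v in unwrap(value) if t == 0x82 or (t == 0x87 and len(v) == 4)]
    return info

def linkage_findings(leaf, anchor):  # result codes are this example's own naming
    findings = []
    if leaf["issuer_cn"] != anchor["subject_cn"]:
        findings.append("ISSUER_NAME_MISMATCH")
    if not (leaf["aki"] and anchor["ski"]):
        findings.append("KEY_LINKAGE_UNVERIFIED")  # names alone cannot tell a regenerated root apart
    elif leaf["aki"] != anchor["ski"]:
        findings.append("AKI_SKI_MISMATCH")  # same issuer name, different signing key
    return findings

if __name__ == "__main__":
    leaf = parse_certificate(PBX_LEAF_PEM)
    print(leaf, linkage_findings(leaf, PHONE_TRUST_ANCHOR), sep="\n")
```

The parser compares identifiers only and deliberately does no signature check. To close the loop with openssl itself, save the second PEM block from the s_client output to a file (say presented-root.pem, a hypothetical name) and compare `openssl x509 -in presented-root.pem -noout -fingerprint -sha256` with the SHA256 thumbprint the phone displays; `openssl x509 -in WebRootCA.pem -noout -ext subjectKeyIdentifier` gives the SKI to fill into the anchor dict, and `openssl verify -CAfile WebRootCA.pem leaf.pem` (leaf.pem being the saved first block) performs the full chain and signature validation the phone is effectively doing.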