Upcoming Certificate Changes Impacting Direct Routing Users

Posted by

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

On September 5, 2023, Microsoft performed a test where all Microsoft Session Initiation Protocol (SIP) endpoints were switched over to use the new certificate requirements previously announced.  The change requirement and test were communicated to Direct Routing customers through Message Center posts as well as Service Health Incidents in the Microsoft Admin Portal (MC540239, TM614271, MC663640 and TM674073).  In addition, Microsoft announced the planned test and upcoming changes in: What's New Direct Routing - Microsoft Teams | Microsoft Learn , and posts were made on LinkedIn and in other techcommunity articles such as: TLS certificate changes to Microsoft 365 services including Microsoft Teams - Microsoft Community Hub.  
Despite the aforementioned measures, on September 5th, several thousand customers experienced call failures, leading to the premature suspension of the test.  Since the prior test was suspended early, on September 19th (starting 9 AM UTC) Microsoft will perform an additional 24h test where all Microsoft SIP endpoints will be switched over to use the new certificates.
If your Session Border Controllers (SBCs) are not properly configured with the new Certificate Authority (CA) your Direct Routing incoming and outgoing calls will fail.
Action needed: Check your SBC(s) or check with your Direct Routing provider to confirm they have added the relevant certificates to your SBC(s) and tested your SBC(s). The New CA must be added in your SBC configuration and old Baltimore CA must be retained; do not replace the old CA.
New Transport Layer Security (TLS) certificates used by Microsoft SIP interfaces will use a different Root Certificate Authority (CA):
Common Name of the CA: DigiCert Global Root G2 Thumbprint (SHA1): df3c24f9bfd666761b268073fe06d1cc8d4f82a4
The new CA certificate can be downloaded directly from DigiCert titled: DigiCert Global Root G2
Following the test scheduled for September 19th, Microsoft will enforce the CA change requirement starting on October 3, 2023.


More information: What's New Direct Routing - Microsoft Teams | Microsoft Learn



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.