Microsoft recently made a significant change that could impact organisations services powering messaging, meetings, telephony, voice, and video to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current Root CA will expire in May 2025. Affected endpoints include all Microsoft SIP endpoints used for PSTN traffic that utilize TLS connectivity and in particular using their Microsoft Direct Routing Services.
The transition to certificates issued by the new CA will begin in July 2023.
Microsoft have replaced the Baltimore CyberTrust Root certificate with the DigiCert Global Root G2 certificate. While this may seem like a minor update, it will cause disruptions for companies that use Session Border Controllers (SBCs) with the Baltimore certificate if not updated.
Today, the TLS certificates used by Microsoft SIP interfaces chain up to the following Root CA:
Common Name of the CA: Baltimore CyberTrust Root
Thumbprint (SHA1): d4de20d05e66fc53fe1a50882c78db2852cae474
Why this Change Matters
The Baltimore CyberTrust Root certificate has been a widely used root certificate for many years, but it has now reached its end of life. As a result, Microsoft has decided to replace it with the DigiCert Global Root G2 certificate. While this change is necessary for maintaining security, it means that companies using SBCs with the Baltimore CyberTrust Root certificate will need to update their systems. Failure to do so could result in Direct Routing Services no longer working.
What is Microsoft Direct Routing?
Microsoft Direct Routing Services is a feature of Microsoft Teams that allows companies to connect their own SBCs to Microsoft's cloud-based phone system. This allows organisations to make and receive phone calls using the Microsoft Teams platform. Microsoft Direct Routing Services is an essential feature for companies that rely on Microsoft Teams as their primary communication platform.
How to Update SBCs
To ensure that Microsoft Direct Routing Services continue to function properly, organisations will need to update their SBCs with the DigiCert Global Root G2 certificate. Microsoft recommends that companies reach out to their SBC support vendors to get the latest firmware which contains critical updates to the features and functionality. The certificate can be updated and will ensure that Microsoft Direct Routing Services continue to work as expected.
New TLS certificates used by Microsoft SIP interfaces will now chain up to the following Root CA:
Common Name of the CA: DigiCert Global Root G2
Thumbprint (SHA1): df3c24f9bfd666761b268073fe06d1cc8d4f82a4
The new CA certificate can be downloaded directly from DigiCert: DigiCert Global Root G2
Conclusion
In conclusion, the change from the Baltimore CyberTrust Root certificate to the DigiCert Global Root G2 certificate is a necessary update for maintaining service. However, it is important for organisations using SBCs with the Baltimore certificate to update their systems to ensure that Direct Routing Services continue to work properly. Failing to do so will result in disruptions to communication services, which could impact business operations. Therefore, it is critical that companies take action to update their systems as soon as possible.
コメント