Certificate Requirements Teams Direct Routing SBC

Running Microsoft Teams with Direct Routing for Cloud Voice, you have to deploy a certificate on your SBC. This certificate is used for encryption with TLS. Often there is the question how the certificate must be configured.



SBC Public Certificate Requirements




All deployed SBCs must have a public certificate from a trusted/supported Public CA, there are 3 options to create a certificate.

Security Note:
When generating the CSR, the private key size should be at least 2048.


Support Note:
onmicrosoft.com domain for certificates is not support.



Option 1 - Single SBC

A certificate with a single SBC FQDN.
The SBC FQDN must be in the subject, common name and the Subject Alternate name.



SN/CN
SAN
{Public FQDN of SBC }
 {Public FQDN of SBC }
 


Option 2 - Multiple SBC

A certificate with a multiple SBC FQDN’s.
The SBC FQDN must be in the subject, common name and the Subject Alternate name, which includes the additional SBCs too.



SN/CN
SAN
{Public FQDN of SBC }
{Public FQDN of SBC },
{Public FQDN of Additional SBC },
{Public FQDN of Additional SBC }
 


Option 3 – Single/ Multiple SBCs with wildcard

A Wildcard certificate with a any FQDN in the common name and Subject Alternative Name (SAN), including the wildcard and SBC FQDN


SN/CN
SAN
{Public FQDN of SBC }
{ wildcard },
{Public FQDN of SBC }




Note: If you have an wildcard certificate with wildcard in the CN/SN and or only a wildcard in the SAN it will work, but it is NOT supported.


Supported Public CA


Microsoft currently supports the following Public CA’s only.  Signing a certificate therefore, is only valide by the following external Trusted root CA's


  • AffirmTrust
  • AddTrust External CA Root
  • Baltimore CyberTrust Root
  • Buypass
  • Cybertrust
  • Class 3 Public Primary Certification Authority
  • Deutsche Telekom
  • DigiCert Global Root CA
  • Entrust
  • GlobalSign
  • Go Daddy
  • GeoTrust
  • Verisign, Inc.
  • Starfield
  • Symantec Enterprise Mobile Root for Microsoft
  • SwissSign
  • Thawte Timestamping CA
  • Trustwave
  • TeliaSonera
  • T-Systems International GmbH (Deutsche Telekom)
  • QuoVadis

Comments

Popular posts from this blog

Skype for Business, Lync and Exchange Web Services (EWS) and different DNS Domains- Exchange crawling e.g. for presence

Skype for Business Online SIP URI Define or Change for Office 365 Online User

File Share Perfomance for Skype for Business (slow conference join, slow address book)