Certificate Requirements Teams Direct Routing SBC

When you run Microsoft Teams with Direct Routing for cloud voice, you have to deploy a certificate on your SBC. This certificate is used for TLS encryption. A common question is how the certificate must be configured.

SBC Public Certificate Requirements

All deployed SBCs must have a public certificate from a trusted, supported public CA. There are three options for creating the certificate.

Security Note:
When generating the CSR, the private key size should be at least 2048.

Support Note:
The onmicrosoft.com domain is not supported for certificates.

Option 1 - Single SBC

A certificate with a single SBC FQDN.
The SBC FQDN must be in the subject common name (CN) and in the Subject Alternative Name (SAN).

CN:  {Public FQDN of SBC}
SAN: {Public FQDN of SBC}

Option 2 - Multiple SBC

A certificate with multiple SBC FQDNs.
The SBC FQDN must be in the subject common name (CN) and in the Subject Alternative Name (SAN), and the SAN also includes the additional SBCs.

CN:  {Public FQDN of SBC}
SAN: {Public FQDN of SBC},
     {Public FQDN of Additional SBC},
     {Public FQDN of Additional SBC}

Option 3 - Single/Multiple SBCs with wildcard

A wildcard certificate with any FQDN in the common name and Subject Alternative Name (SAN), where the SAN includes the wildcard and the SBC FQDN.

CN:  {Public FQDN of SBC}
SAN: {wildcard},
     {Public FQDN of SBC}

Note: A wildcard certificate with the wildcard in the CN/SN and/or only a wildcard in the SAN will work, but it is NOT supported.
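
The three options and the notes above can be turned into a pre-deployment check. The following is an added example, not code from the original post or from Microsoft; the function names, the verdict labels and the contoso.example host names are assumptions, and it expects the CN, SAN entries and key size to have already been read from the certificate or CSR.

```python
# Added example: applies this page's naming rules to values already read from a cert/CSR.
def _covers(pattern, host):
    """A '*.' entry matches exactly one left-most label; other entries match exactly."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_sbc_cert(sbc_fqdns, cn, sans, key_bits):
    """Return (verdict, findings) for the SBCs that will present this certificate."""
    norm = lambda n: n.strip().lower().rstrip(".")
    sbcs, cn, sans = [norm(s) for s in sbc_fqdns], norm(cn), [norm(s) for s in sans]
    findings, rank = [], 0  # 0 = supported, 1 = works but unsupported, 2 = not compliant

    def flag(level, msg):
        nonlocal rank
        rank = max(rank, level)
        findings.append(msg)

    if key_bits < 2048:
        flag(2, f"key size {key_bits} is below 2048")
    for name in dict.fromkeys([cn] + sans):  # de-duplicated, order kept
        if name == "onmicrosoft.com" or name.endswith(".onmicrosoft.com"):
            flag(2, f"{name}: onmicrosoft.com names are not supported")
    if cn.startswith("*."):
        flag(1, "wildcard in the CN works but is not supported")
    elif cn not in sbcs and not any(s.startswith("*.") for s in sans):
        flag(2, "CN is not an SBC FQDN")  # option 3 allows any FQDN in the CN
    for sbc in sbcs:
        if sbc in sans:
            continue  # explicit SAN entry, as in options 1 to 3
        if any(_covers(s, sbc) for s in sans):
            flag(1, f"{sbc}: covered only by a wildcard SAN (works, not supported)")
        else:
            flag(2, f"{sbc}: missing from the SAN")
    return ["supported", "works-but-unsupported", "not-compliant"][rank], findings

if __name__ == "__main__":
    # Constructed sample values; contoso.example is a placeholder domain.
    sbc = "sbc1.contoso.example"
    print(check_sbc_cert([sbc], sbc, ["*.contoso.example", sbc], 2048))
    print(check_sbc_cert([sbc], "*.contoso.example", ["*.contoso.example"], 4096))
```
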

Supported Public CA

Microsoft currently supports only the following public CAs. A certificate is therefore only valid if it is signed by one of the following external trusted root CAs:

  • AffirmTrust
  • AddTrust External CA Root
  • Baltimore CyberTrust Root
  • Buypass
  • Cybertrust
  • Class 3 Public Primary Certification Authority
  • Deutsche Telekom
  • DigiCert Global Root CA
  • Entrust
  • GlobalSign
  • Go Daddy
  • GeoTrust
  • Verisign, Inc.
  • Starfield
  • Symantec Enterprise Mobile Root for Microsoft
  • SwissSign
  • Thawte Timestamping CA
  • Trustwave
  • TeliaSonera
  • T-Systems International GmbH (Deutsche Telekom)
  • QuoVadis

