Running Microsoft Teams with Direct Routing for Cloud Voice, you have to deploy a certificate on your SBC. This certificate is used for encryption with TLS. Often there is the question how the certificate must be configured.
All deployed SBCs must have a public certificate from a trusted/supported Public CA, there are 3 options to create a certificate.
Security Note:
When generating the CSR, the private key size should be at least 2048.
Support Note:
onmicrosoft.com domain for certificates is not support.
The SBC FQDN must be in the subject, common name and the Subject Alternate name.
A certificate with a multiple SBC FQDN’s.
The SBC FQDN must be in the subject, common name and the Subject Alternate name, which includes the additional SBCs too.
A Wildcard certificate with a any FQDN in the common name and Subject Alternative Name (SAN), including the wildcard and SBC FQDN
Note: If you have an wildcard certificate with wildcard in the CN/SN and or only a wildcard in the SAN it will work, but it is NOT supported.
Microsoft currently supports the following Public CA’s only. Signing a certificate therefore, is only valide by the following external Trusted root CA's
SBC Public Certificate Requirements
All deployed SBCs must have a public certificate from a trusted/supported Public CA, there are 3 options to create a certificate.
Security Note:
When generating the CSR, the private key size should be at least 2048.
Support Note:
onmicrosoft.com domain for certificates is not support.
Option 1 - Single SBC
A certificate with a single SBC FQDN.The SBC FQDN must be in the subject, common name and the Subject Alternate name.
SN/CN | SAN |
{Public FQDN of SBC } | {Public FQDN of SBC } |
Option 2 - Multiple SBC
A certificate with a multiple SBC FQDN’s. The SBC FQDN must be in the subject, common name and the Subject Alternate name, which includes the additional SBCs too.
SN/CN | SAN |
{Public FQDN of SBC } | {Public FQDN of SBC }, {Public FQDN of Additional SBC }, {Public FQDN of Additional SBC } |
Option 3 – Single/ Multiple SBCs with wildcard
A Wildcard certificate with a any FQDN in the common name and Subject Alternative Name (SAN), including the wildcard and SBC FQDNSN/CN | SAN |
{Public FQDN of SBC } | { wildcard }, {Public FQDN of SBC } |
Note: If you have an wildcard certificate with wildcard in the CN/SN and or only a wildcard in the SAN it will work, but it is NOT supported.
Supported Public CA
Microsoft currently supports the following Public CA’s only. Signing a certificate therefore, is only valide by the following external Trusted root CA's
- AffirmTrust
- AddTrust External CA Root
- Baltimore CyberTrust Root
- Buypass
- Cybertrust
- Class 3 Public Primary Certification Authority
- Deutsche Telekom
- DigiCert Global Root CA
- Entrust
- GlobalSign
- Go Daddy
- GeoTrust
- Verisign, Inc.
- Starfield
- Symantec Enterprise Mobile Root for Microsoft
- SwissSign
- Thawte Timestamping CA
- Trustwave
- TeliaSonera
- T-Systems International GmbH (Deutsche Telekom)
- QuoVadis