Certificate Authority change for Microsoft Teams
Microsoft 365 is updating services powering messaging, meetings, telephony, voice, and video to use TLS certificates from a different set of Root Certificate Authorities (CAs). The current Root CA expires in May 2025. If you are using the Microsoft Teams integration with Genesys Cloud, you should review the SIP certificate to MSPKI Certificate Authority change section of the What’s new for Direct Routing document from Microsoft. As you do, check the details to make sure that your intermediary SBC trusts the DigiCert Global Root G2 CA certificate so that Microsoft Teams Direct Routing and Genesys Cloud BYOC trunk continue to work after the Microsoft change.
AudioCodes SBC
If you are using an AudioCodes SBC between your Microsoft Teams Direct Routing and Genesys Cloud, you can use the following steps to review and update your SBC to ensure that it will trust the Microsoft connection after their change.
- Determine which IP Interface your SBC is using to connect to Microsoft Teams Direct Routing:
- Browse to Signaling & Media > SBC > Routing > IP-to-IP Routing.
- Select the route used to route Genesys Cloud calls to Microsoft Teams Direct Routing.
- Find the value under Action > Destination SIP Interface (if defined). Note: If a Destination SIP Interface is not defined, the connection used the same interface on which the call was received.
- Determine which TLS Context your SBC is using based on the SIP Interface:
- Browse to Signaling & Media > Core Entities > SIP Interfaces.
- Select the SIP Interface that your SBC is using to connect to Microsoft Teams Direct Routing that you found in step 1.
- Find the value under Security > TLS Context Name.
- This value is the name of the TLS Context used for Microsoft Teams Direct Routing.
- Determine if the DigiCert Global Root G2 certificate is currently trusted:
- Browse to IP Network > Security > TLS Contexts.
- Select the TLS Context that you found in step 2. This value is used for your Microsoft Teams SIP connection.
- Select Trusted Root Certificates at the bottom.
- The listed certificates are trusted by this context.
- If you see a certificate with the subject DigiCert Global Root G2, your SBC is ready and you can skips steps 4 and 5.
- If you do not see that specific certificate, continue with step 4.
- Download the DigiCert Global Root G2 certificate as a PEM file:
- Download the certificate here.
- Save the PEM file to your computer.
- Add the new DigiCert Global Root G2 root certificate to the Trust:
- Browse to IP Network > Security > TLS Contexts.
- Select the TLS Context that you found in step 2. This is used for your Microsoft Teams SIP connection.
- Select Trusted Root Certificates at the bottom.
- Select Import.
- Select the DigiCert Global Root G2 PEM file you downloaded and saved.
- The DigiCert Global Root G2 certificate should appear in the list of trusted certificates.
- Save your SBC configuration for the import to take effect.
Other SBCs
If you are using another brand of SBC between your Microsoft Teams Direct Routing and Genesys Cloud, you need to check with your administrator or provider to make sure your devices are ready for the Microsoft CA change.