CUBE: MS Teams Direct Routing: Baltimore to DigiCert Global Root

MARTIN STREULE
Spotlight

Just a heads-up.

Microsoft moves away from Baltimore Certificate to DigiCert Global Root G2.
https://learn.microsoft.com/en-us/purview/encryption-office-365-tls-certificates-changes?view=o365-worldwide

If you do not have this certificate on your CUBEs, the dial-peers to MS will go down.
Apparently there will be a test on Sept 19th, 2023.
MS has a test SIP endpoint to connect with SIP OPTIONS to test in advance.

The following text is from a Microsoft info mail:

"On September 19th (starting 4 PM UTC) Microsoft will perform a 24h test where all Microsoft SIP endpoints will be switched over to use certificates where the certificate chain will roll up to "DigiCert Global Root G2" Certificate Authority (CA)."

"If you'd like to test and confirm your SBC's certificate configuration prior to the change, Microsoft has prepared a testing endpoint that can be used to verify that SBC appliances trust certificates issued from the new root CA (DigiCert Global Root G2). This endpoint should be used only for SIP OPTIONS ping messages and not for voice traffic. If your SBC can establish a TLS connection to this endpoint, then your connectivity to Teams services should not be affected by the change.

Test endpoint FQDN: sip.mspki.pstnhub.microsoft.com"

!!! Baltimore CA must be retained, do NOT replace it! (just add, don't delete)
!!! Please check the facts for your environment yourself.

3 Replies

Jared Cox
Level 1

I had this problem and got an error in Teams with SIP response code 504 and Microsoft response code 569006 (Server Time-out - SBC presented an unknown certificate). Added the new certificate from the MS article listed above and the issue has been resolved.

Thank you Martin!

maqsood ahmed
Level 1

For the folks who need more info:

Copy the certificates from the URL below. The filenames are stated below:

https://learn.microsoft.com/en-us/purview/encryption-office-365-tls-certificates-changes?view=o365-worldwide

DigiCert Global Root G2

Microsoft Azure TLS Issuing CA 01

Convert the CRT to PEM format and open it in Notepad (https://www.sslshopper.com/ssl-converter.html).

The CLI activity on the Cisco CUBE ISR router is as below:

no crypto pki trustpoint RootCA
no crypto pki trustpoint InterCA

CSBC(config)#crypto pki trustpoint RootCA
CSBC(ca-trustpoint)#enrollment terminal pem
CSBC(ca-trustpoint)#revocation-check none
CSBC(config)#crypto pki authenticate RootCA

Copy the PEM format root cert here


CSBC(config)#crypto pki trustpoint InterCA
CSBC(ca-trustpoint)# enrollment terminal
CSBC(ca-trustpoint)# revocation-check none
CSBC(config)#crypto pki authenticate InterCA

Copy the PEM format root cert here

Check the dial-peer for active status and check the inbound / outbound calls.

Check the Microsoft Direct Routing TLS and SIP OPTIONS status.

I wouldn't delete the old trustpoints for the Baltimore certs.
Just add the new certificates in new / additional trustpoints.
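
A check for the "just add, don't delete" advice in this thread, as an added example that is not part of any post above: it parses saved `show crypto pki certificates` output and reports which of the two roots is not installed as a CA certificate. The output layout, the sample text and the trustpoint name `BaltimoreRoot` are constructed assumptions; matching on the Subject rather than on any line avoids a false positive when the new root's name appears only as the Issuer of the intermediate.

```python
import re

# Root CA subject CNs discussed in the thread: keep the old root, add the new one.
REQUIRED_ROOTS = ("Baltimore CyberTrust Root", "DigiCert Global Root G2")

# Constructed sample, laid out like `show crypto pki certificates` (assumed format).
# The new root is absent here; its name appears only as the Issuer of the
# intermediate, which a plain text search would wrongly count as installed.
SAMPLE = """
CA Certificate
  Status: Available
  Certificate Usage: Signature
  Issuer:
    cn=Baltimore CyberTrust Root
  Subject:
    cn=Baltimore CyberTrust Root
  Associated Trustpoints: BaltimoreRoot
CA Certificate
  Status: Available
  Certificate Usage: Signature
  Issuer:
    cn=DigiCert Global Root G2
  Subject:
    cn=Microsoft Azure TLS Issuing CA 01
  Associated Trustpoints: InterCA
"""

def ca_subjects(show_output):
    """Map subject CN -> trustpoint names for each available CA certificate."""
    found = {}
    for block in re.split(r"(?m)^(?=\S)", show_output):  # one block per unindented header
        if not block.startswith("CA Certificate") or "Status: Available" not in block:
            continue  # skips the router's own identity certificates
        cn = re.search(r"Subject:\s*\n\s*cn=(.+)", block)
        tps = re.search(r"Associated Trustpoints:\s*(.+)", block)
        if cn:
            found[cn.group(1).strip()] = tps.group(1).split() if tps else []
    return found

def missing_roots(show_output):
    """Return the required root CNs that are not installed as CA certificates."""
    return [root for root in REQUIRED_ROOTS if root not in ca_subjects(show_output)]

if __name__ == "__main__":
    print("missing roots:", missing_roots(SAMPLE) or "none")
```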