Teams Direct Routing TLS and Certificates Pitfalls for SIP Trunks

By November 7, 2019September 23rd, 2020Blog, Microsoft, Microsoft Teams, Networking
Teams Direct Routing TLS

Setting up Teams Direct Routing has a couple difficult portions, especially when trying to get the TLS SIP trunk up and responding. After working to get Teams Direct Routing up, here are some of the pitfalls I had to crawl out of.

First, we needed to figure out which Certificate Authorities were allowed and that Microsoft Teams would support. My google-fu must have been failing, because it took me forever to find the list of Microsoft trusted Certificate Authorities.  But since I found it, I will link to it here.

Here is the list of root CA Microsoft Allows:

  • AffirmTrust
  • AddTrust External CA Root
  • Baltimore CyberTrust Root
  • Buypass
  • Cybertrust
  • Class 3 Public Primary Certification Authority
  • Comodo Secure Root CA
  • Deutsche Telekom
  • DigiCert Global Root CA
  • DigiCert High Assurance EV Root CA
  • Entrust
  • GlobalSign
  • Go Daddy
  • GeoTrust
  • Verisign, Inc.
  • Starfield
  • Symantec Enterprise Mobile Root for Microsoft
  • SwissSign
  • Thawte Timestamping CA
  • Trustwave
  • TeliaSonera
  • T-Systems International GmbH (Deutsche Telekom)
  • QuoVadis

Which of course was one of my problems.  As I was working in a lab and trying to use the free CA:  Let’s Encrypt is a great free public certificate authority, but the only issue is their certificates are only for a really short time period. This makes them great for Labs and proof of concepts, but not perfect for a production use–unless you like swapping certificates every couple months or having outages.

The other major ‘gotcha’ I found is you have to import the certificate for the Microsoft root certificate.  This was also problematic for me to find, but eventually I found it here.

Once I used a trusted certificate authority and loaded the Omniroot CA certificate, my TLS SIP trunk came up. I could then see the SIP options being passed from one gateway to the other.

Jason Howe, Senior Network Engineer

Leave a Reply