Skip to main content

Teams Direct Routing TLS and Certificates Pitfalls for SIP Trunks

By November 7, 2019August 5th, 2022Blog, Microsoft, Microsoft Teams, Networking
Teams Direct Routing TLS

Setting up Teams Direct Routing has a couple difficult portions, especially when trying to get the TLS SIP trunk up and responding. After working to get Teams Direct Routing up, here are some of the pitfalls I had to crawl out of.

First, we needed to figure out which Certificate Authorities were allowed and that Microsoft Teams would support. My google-fu must have been failing, because it took me forever to find the list of Microsoft trusted Certificate Authorities.  But since I found it, I will link to it here.

Here is the list of root CA Microsoft Allows:

  • AffirmTrust
  • AddTrust External CA Root
  • Baltimore CyberTrust Root
  • Buypass
  • Cybertrust
  • Class 3 Public Primary Certification Authority
  • Comodo Secure Root CA
  • Deutsche Telekom
  • DigiCert Global Root CA
  • DigiCert High Assurance EV Root CA
  • Entrust
  • GlobalSign
  • Go Daddy
  • GeoTrust
  • Verisign, Inc.
  • Starfield
  • Symantec Enterprise Mobile Root for Microsoft
  • SwissSign
  • Thawte Timestamping CA
  • Trustwave
  • TeliaSonera
  • T-Systems International GmbH (Deutsche Telekom)
  • QuoVadis

Which of course was one of my problems.  As I was working in a lab and trying to use the free CA: https://letsencrypt.org/.  Let’s Encrypt is a great free public certificate authority, but the only issue is their certificates are only for a really short time period. This makes them great for Labs and proof of concepts, but not perfect for a production use–unless you like swapping certificates every couple months or having outages.

The other major ‘gotcha’ I found is you have to import the certificate for the Microsoft root certificate.  This was also problematic for me to find, but eventually I found it here.

Once I used a trusted certificate authority and loaded the Omniroot CA certificate, my TLS SIP trunk came up. I could then see the SIP options being passed from one gateway to the other.

Jason Howe, Senior Network Engineer

Leave a Reply