As announced here, Microsoft will soon be updating the root certificates that are (as their name suggests) foundational when it comes to protecting your Microsoft 365 traffic. For the day-to-day devices that you use to access Microsoft 365 services, this change should have no impact: your devices should already trust the new root certificate, and mechanisms will be in place that ensure trusted certificates are automatically updated.

However, there are some scenarios where trusted root certificates are manually configured, and as such will need to be updated. One such use case is Microsoft Teams Direct Routing. Session Border Controllers (SBCs) that support direct routing typically require manual management of trusted root certificates, and will need to have the new trusted root certs added before the change. One of my older blog posts outlines how certificates are managed on Ribbon SBCs.

Up until this change, the Baltimore CyberTrust Root certificate was installed on SBCs to support TLS authentication. New TLS certificates used by Microsoft 365 services will now chain up to one of the following Root CAs:

| Common Name of the CA | Thumbprint (SHA1) |
| --- | --- |
| DigiCert Global Root G2 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| Microsoft RSA Root Certificate Authority 2017 | 73a5e64a3bff8316ff0edccc618a906e4eae4d74 |
| Microsoft ECC Root Certificate Authority 2017 | 999a64c37ff47d9fab95f14769891460eec4c3c5 |

Timewise, it looks like this change will roll out between now and October 2022. Now is a good time to check your SBCs and make sure these have also been added to avoid any unnecessary downtime.
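One way to run that check offline, as an added example that is not part of the original post: it assumes you can export the SBC's trusted root store as a PEM bundle, and it compares each certificate's SHA-1 thumbprint with the three listed above. The function names and the placeholder bundle are constructed for illustration.

```python
import base64
import hashlib
import re

# Root CAs and SHA-1 thumbprints exactly as listed in the table above.
REQUIRED_ROOTS = {
    "DigiCert Global Root G2": "df3c24f9bfd666761b268073fe06d1cc8d4f82a4",
    "Microsoft RSA Root Certificate Authority 2017": "73a5e64a3bff8316ff0edccc618a906e4eae4d74",
    "Microsoft ECC Root Certificate Authority 2017": "999a64c37ff47d9fab95f14769891460eec4c3c5",
}

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def normalize(thumbprint):
    """Lower-case and drop the colons/spaces that GUIs and CLI tools add."""
    return re.sub(r"[^0-9a-f]", "", thumbprint.lower())


def bundle_thumbprints(pem_text):
    """SHA-1 thumbprint (hash of the DER bytes) of every certificate in a PEM bundle."""
    return {
        hashlib.sha1(base64.b64decode(body)).hexdigest()
        for body in PEM_BLOCK.findall(pem_text)
    }


def missing_roots(pem_text, required=REQUIRED_ROOTS):
    """Names of required roots whose thumbprint is absent from the bundle."""
    present = bundle_thumbprints(pem_text)
    return sorted(n for n, tp in required.items() if normalize(tp) not in present)


def fake_pem(der):
    """Constructed stand-in for a certificate: arbitrary bytes wrapped as PEM."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed bundle holding no real certificates, so all three roots are reported.
    sample = fake_pem(b"constructed-placeholder-not-a-real-cert")
    for name in missing_roots(sample):
        print("MISSING:", name)
```

To use it on a real export, pass the file's text to `missing_roots()`; an empty list means all three roots are present in the bundle.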
