As announced here, Microsoft will soon be updating the root certificates that are (as their name suggests) foundational when it comes to protecting your Microsoft 365 traffic. For the day-to-day devices that you use to access Microsoft 365 services, this change should have no impact: your devices should already trust the new root certificate, and mechanisms will be in place that ensure trusted certificates are automatically updated.
However, there are some scenarios where trusted root certificates are manually configured, and as such will need to be updated. One such use case is Microsoft Teams Direct Routing. Session Border Controllers (SBCs) that support Direct Routing typically require manual management of trusted root certificates, and will need to have the new trusted root certificates added before the change. One of my older blog posts outlines how certificates are managed on Ribbon SBCs.
Up until this change, the Baltimore CyberTrust Root certificate was installed on SBCs to support TLS authentication. New TLS certificates used by Microsoft 365 services will now chain up to one of the following Root CAs:
| Common Name of the CA | Thumbprint (SHA1) |
|---|---|
| DigiCert Global Root G2 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| Microsoft RSA Root Certificate Authority 2017 | 73a5e64a3bff8316ff0edccc618a906e4eae4d74 |
| Microsoft ECC Root Certificate Authority 2017 | 999a64c37ff47d9fab95f14769891460eec4c3c5 |
Timing-wise, it looks like this change will roll out between now and October 2022. Now is a good time to check your SBCs and make sure these root certificates have been added, to avoid any unnecessary downtime.
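One way to run that check offline, as an added example that is not part of the original post: it assumes the SBC's trusted CA list has been exported as a PEM bundle, computes each certificate's SHA-1 thumbprint, and reports which of the three roots in the table are missing. The function names and the sample bundle are constructed for illustration.

```python
import base64
import hashlib
import re

# Thumbprints (SHA-1 over the DER-encoded certificate) from the table above.
REQUIRED_ROOTS = {
    "df3c24f9bfd666761b268073fe06d1cc8d4f82a4": "DigiCert Global Root G2",
    "73a5e64a3bff8316ff0edccc618a906e4eae4d74": "Microsoft RSA Root Certificate Authority 2017",
    "999a64c37ff47d9fab95f14769891460eec4c3c5": "Microsoft ECC Root Certificate Authority 2017",
}

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def bundle_thumbprints(pem_text):
    """Return the SHA-1 thumbprint of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # strip line breaks first
        prints.add(hashlib.sha1(der).hexdigest())
    return prints


def missing_roots(pem_text, required=REQUIRED_ROOTS):
    """Return the names of required roots absent from the bundle, sorted."""
    present = bundle_thumbprints(pem_text)
    return sorted(name for tp, name in required.items() if tp not in present)


def make_pem(der):
    """Wrap raw bytes in PEM armor (only used to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: placeholder bytes standing in for DER certificates,
# so none of the required roots will be found in this bundle.
SAMPLE_DER = [b"constructed-root-A" * 8, b"constructed-root-B" * 8]
SAMPLE_BUNDLE = "".join(make_pem(d) for d in SAMPLE_DER)

if __name__ == "__main__":
    for name in missing_roots(SAMPLE_BUNDLE):
        print("MISSING:", name)
```

To use it against a real export, pass the contents of the exported bundle file to `missing_roots()` in place of `SAMPLE_BUNDLE`; an empty list means all three roots are present.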