Teams CA Cert Replacement
COMMUNICATIONS
Disclaimer
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Table of Contents
1 Intended Audience
2 Document Overview
3 Recommendations
4 Configuration Adjustments GUI
  4.1 Adding a Certificate Record
    4.1.1 DigiCert Global Root G2
    4.1.2 Save and Activate the SBC Configuration
    4.1.3 Import DigiCert Global Root G2 Certificate
  4.2 TLS Profile
  4.3 Adding Microsoft Teams Test Endpoint
  4.4 Verify Connectivity
  4.5 Removing Test Agent
  4.6 Removing Baltimore Root CA Certificate
    4.6.1 Remove from TLS Profile
    4.6.2 Deleting Certificate Record
5 Configuration Adjustments ACLI
  5.1 Adding a Certificate Record
    5.1.1 DigiCert Global Root G2
    5.1.2 Save and Activate SBC Configuration
    5.1.3 Import DigiCert Global Root G2 Certificate
  5.2 TLS Profile
  5.3 Adding Microsoft Teams Test Endpoint
  5.4 Verify Connectivity
  5.5 Removing Test Agent
  5.6 Removing Baltimore Root CA Certificate
    5.6.1 Remove from TLS Profile
    5.6.2 Deleting Certificate Record
6 Verify Teams Session Agents
1 Intended Audience
This document is intended for IT professionals and administrators of the Oracle Communications Session Border Controller (SBC). It applies to existing deployments of the Oracle SBC with Microsoft Teams Direct Routing.
2 Document Overview
Microsoft 365 is updating services powering messaging, meetings, telephony, voice, and video to use TLS
certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the
current Root CA will expire in May 2025.
More information about these changes can be found at the following link:
To secure the connection between the Oracle SBC and Microsoft Teams Direct Routing, you explicitly specify the list of CAs the SBC will accept, a practice often loosely referred to as certificate pinning (more precisely, pinning of the trust anchors: the SBC accepts a peer certificate only if it chains to a CA in that list, so a certificate issued under a root that is not listed fails the TLS handshake even if that root is publicly trusted). This document provides step-by-step instructions to add the new Root CA certificate to the Oracle SBC's configuration and to apply it in the TLS profile used to authenticate Microsoft.
If the configuration additions and changes outlined in this guide are not performed by January 2023, there may be an impact to your Microsoft Teams Direct Routing service.
These changes apply to both the Oracle enterprise and the service provider Session Border Controller product types.
If you have any questions, please reach out to your Oracle Account Team.
3 Recommendations
1. Oracle recommends that all configuration changes be performed during a maintenance window or low-traffic period.
2. Prior to making any changes, create a backup of your SBC configuration and store a copy off box.
3. Download the DigiCert Global Root G2 certificate (PEM format) from DigiCert and have it accessible. Before importing it, compare its SHA-256 fingerprint with the value DigiCert publishes: this file becomes the trust anchor for every connection to Microsoft, so a wrong or tampered file is a security problem, not just an outage.
4. If you have an HA pair, you only need to perform these changes on the current Active SBC. Certificate records, and the certificates imported into them, are part of the SBC's configuration file and are shared with the standby SBC when the configuration is saved and activated.
5. Microsoft has created a test endpoint, sip.mspki.pstnhub.microsoft.com. It will be added to the Oracle SBC's configuration to confirm connectivity using the new root CA certificate before production traffic depends on it.
6. Do not remove the existing Baltimore Root CA that is currently in use until Microsoft has officially announced it is no longer in production use. Currently, that is not expected before January 2023, but is subject to change.
4 Configuration Adjustments GUI
This chapter outlines how to perform the required configuration changes using the Oracle SBC GUI.
If your Oracle SBC is running the service provider product type (not the Enterprise Session Border Controller) and has no GUI access, see Chapter 5, Configuration Adjustments ACLI.
Note: All GUI screenshots have been collected from an Oracle SBC running release nnSCZ900. The GUI in
nnSCZ830 has a different appearance.
4.1 Adding a Certificate Record
"Certificate-records" are configuration elements on the Oracle SBC that capture information about a TLS certificate, such as common-name, key-size and key-usage.
This section walks you through how to configure a new certificate record and import the necessary certificate into the SBC's configuration.
The DNS name of the Microsoft Teams Direct Routing interface is sip.pstnhub.microsoft.com. The certificate Microsoft presents to the SBC currently chains to Baltimore CyberTrust Root; Microsoft is replacing Baltimore CyberTrust Root with DigiCert Global Root G2. To trust the new certificate, your SBC must have DigiCert Global Root G2 listed as a trusted CA certificate, and the certificate record holding it must be marked trusted.
4.1.1 DigiCert Global Root G2
Use the following example to configure a new certificate record. The values to enter are the same as in the ACLI certificate-record in section 5.1.1: a record name such as DigiCertGlobalRootG2, common-name DigiCert Global Root G2, key-size 2048, and trusted set to enabled; everything else can stay at its default.
4.1.2 Save and Activate the SBC Configuration
Once you have configured a new record for the DigiCert Global Root G2 certificate, save and activate your configuration. The import step below operates on the activated record.
4.1.3 Import DigiCert Global Root G2 Certificate
Next, we need to import the certificate to the new certificate record. While on the Certificate Record page in the
SBC GUI, select the record just created, and click the import icon at the top:
On the Import Certificate screen, under format select “try-all” from the drop down.
Notice there are two options under Import Method, File and Paste.
4.1.3.1 File Import
Click Upload, navigate to the local directory where you stored the DigiCert Global Root G2 certificate file you
downloaded previously, and select it:
Next, click Import at the bottom,
Note: You should see a notification appear at the top of the screen stating the certificate was imported
successfully.
4.1.3.2 Paste Import
In the text box, paste the entire contents of the DigiCert Global Root G2 certificate file downloaded previously, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, then click Import.
Note: You should see a notification appear at the top of the screen stating the certificate was imported
successfully.
4.2 TLS Profile
Next, add the new DigiCert Global Root G2 certificate to the TLS profile's trusted CA certificate list. The TLS profile is where the SBC is told which certificate record to present and which certificate records it trusts for a given connection; a CA that is in the configuration but absent from this list is not trusted for the Teams connection.
Check the box next to the TLS profile being used to secure the connection with Microsoft Teams and click the pencil icon at the top to edit.
On the Modify TLS Profile page, click inside the box next to “Trusted CA Certificates” to bring up a list of
available certificates:
Select the certificate name that corresponds to the new DigiCert Global Root G2 record. The new Root CA certificate is added alongside the existing Baltimore Root CA certificate that is currently in use; both must be present during the transition, because the certificate Microsoft presents chains to one or the other depending on when Microsoft makes the switch.
Do not remove the Baltimore Root CA certificate from the TLS profile or your configuration until Microsoft officially announces it is no longer in production use. Removing it prematurely will cause a service disruption.
Click OK at the bottom of the screen:
This concludes the steps needed to add a new trusted CA certificate to the Oracle SBC’s trust store. Next, we’ll
walk through how to add the Microsoft Teams test endpoint to the configuration.
4.3 Adding Microsoft Teams Test Endpoint
Microsoft has created a test endpoint whose certificate is issued under the new Root CA. This lets customers test connectivity using the new certificates before they are used in production. The hostname of this agent/endpoint is:
sip.mspki.pstnhub.microsoft.com
Please note, you cannot send production traffic to this session agent/endpoint. Its function is to validate the TLS handshake between the SBC and the Direct Routing interface using the new certificates. The endpoint replies to SIP OPTIONS messages generated by the Oracle SBC only after the TCP/TLS handshake has succeeded, so an in-service agent proves both the chain validation and SIP reachability.
Use the information in the table below to configure a new session agent for testing:

    Hostname          sip.mspki.pstnhub.microsoft.com
    Port              5061
    Transport Method  StaticTLS
    Realm ID          Teams (the name of your Teams realm)
    Ping Method       OPTIONS
    Ping Interval     30
Click OK at the bottom.
4.4 Verify Connectivity
Now that we have configured and imported Microsoft's new root CA certificate, added it to the trust list of the TLS profile, and configured a new session agent for testing, we can verify that the new session agent is in service and receiving responses to SIP OPTIONS messages.
A quick way to check the connection to the agent is the Widgets tab at the top of the GUI home page:
Just below the hostname of the test agent, sip.mspki.pstnhub.microsoft.com, you should see the letter I,
indicating the agent is in service. The session agent can only be in service if the TCP/TLS connection to
Microsoft Teams is successful, and the SBC has received a response to SIP OPTIONS.
4.5 Removing Test Agent
Once you have verified the connection to Teams using the new certificates, the Microsoft test endpoint/agent can be removed from the SBC's configuration.
Check the box next to the session agent you want to delete, and click the delete icon on the top right-hand side, just above the list of agents:
Save and activate the configuration.
4.6 Removing Baltimore Root CA Certificate
Do not perform the steps outlined in this section until Microsoft confirms the Baltimore Root CA certificate is no longer in production use. Prematurely removing the Baltimore Root CA certificate will cause a service disruption.
Once you have verified the Baltimore Root CA certificate is no longer required to secure the connection between the Oracle SBC and the Microsoft Teams Direct Routing interface, you can remove it from your SBC's configuration.
4.6.1 Remove from TLS Profile
The first step in removing the Baltimore Root CA cert from your configuration is to remove it from the TLS
Profile.
Like the step above regarding adding a new certificate to the TLS Profile, we’ll be removing it.
Check the box next to the TLS profile being used to secure the connection with Microsoft Teams and click the
pencil icon at the top to edit.
On the “Modify TLS Profile” page, in the box next to Trusted CA Certificates, click the X located to the
immediate right of the certificate you want to remove. In this case, the name of the cert we are deleting from
the profile is “BaltimoreRoot”:
4.6.2 Deleting Certificate Record
Now that we've removed the Baltimore Root CA certificate from the TLS profile, we can delete it from the configuration.
Only perform this step if you have verified that this certificate record is not referenced by any other TLS profile on your Oracle SBC (for example, a profile securing connections to other SIP peers).
Select the certificate record to be removed and click the delete icon at the top of the page.
(Only use the delete icon on the right side of the screen as shown below)
5 Configuration Adjustments ACLI
This chapter outlines how to perform the required configuration changes using the Oracle SBC ACLI.
If your Oracle SBC is an Enterprise model (Enterprise Session Border Controller product type) with GUI access, see Chapter 4, Configuration Adjustments GUI.
5.1 Adding a Certificate Record
Note: All screenshots have been collected from an Oracle SBC running release nnSCZ900.
“Certificate-records” are configuration elements on Oracle SBC which capture information for a TLS certificate
such as common-name, key-size, key-usage etc.
This section walks you through how to configure a new certificate record, and import the necessary certificate
into the SBC’s configuration.
The DNS name of the Microsoft Teams Direct Routing interface is sip.pstnhub.microsoft.com. Microsoft
presents a certificate to the SBC which was previously signed by Baltimore CyberTrust Root. Microsoft is
replacing Baltimore Cyber Trust Root with DigiCert Global Root G2. To trust this certificate, your SBC must
have the DigiCert Global Root G2 certificate listed as a trusted ca certificate.
5.1.1 DigiCert Global Root G2
The fastest way to create a new certificate record is the ACLI's paste-config option, which lets you paste the element below directly into the configuration. See the example below:
NN3950-101# config t
NN3950-101(configure)# paste-config
Paste configuration onto console. Enter <CTRL-D> to stop.
certificate-record
        name                    DigiCertGlobalRootG2
        country                 US
        state                   MA
        locality                Burlington
        organization            DigiCert
        unit                    www.digicert.com
        common-name             DigiCert Global Root G2
        key-size                2048
        alternate-name
        trusted                 enabled
        key-usage-list          digitalSignature
                                keyEncipherment
        extended-key-usage-list serverAuth
        key-algor               rsa
        digest-algor            sha256
        ecdsa-key-size          p256
-----------------
(0 errors)
Do you want to accept this configuration [y/n]?: y
(After pasting the information in, press CTRL-D to stop, as the prompt indicates.)
Next, back out of configuration mode by typing exit at the prompt, then save and activate your configuration.
If you prefer to configure the new certificate record manually through the ACLI, enter the certificate-record element and set the same fields to the same values as in the paste-config example above; all other fields can remain at their default values.
Once you have configured these fields, type "done" at the prompt.
5.1.2 Save and Activate SBC Configuration
Next, type "quit" at the prompt to exit configuration mode, then save and activate your configuration so that the new record exists before the import step.
5.1.3 Import DigiCert Global Root G2 Certificate
Next, import the certificate into the new certificate record. There are two options: import the file into the certificate record, or paste the certificate into the SBC's configuration.
For the file option, the DigiCert Global Root G2 certificate downloaded previously first needs to be placed in the /opt directory of the SBC: SFTP to the SBC's management IP and transfer a copy of the file to /opt.
Next, run the following command via the Oracle SBC's ACLI:
import-certificate try-all <Certificate Record Name> <file name of certificate placed in /opt directory>
Tip: to get the exact file name, run "show directory /opt" before running the import-certificate command. The certificate must be in PEM format. Import only the root certificate itself, not a bundle containing other CAs, so that the record trusts exactly what you intend.
The second option is to paste the certificate into the Oracle SBC’s configuration.
First, open the DigiCert Global Root G2 certificate in the text editor of your choice.
Copy the entire contents of the certificate, then run the following command in the SBC’s ACLI:
NN3950-101# import-certificate try-all DigiCertGlobalRootG2
IMPORTANT:
Please enter the certificate in the PEM format.
Terminate the certificate with ";" to exit.......
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----;
NN3950-101#
(As shown in the example above, the pasted certificate must be terminated with a semicolon ";" after the END CERTIFICATE line.)
5.2 TLS Profile
Next, add the new DigiCert Global Root G2 certificate to the TLS profile's trusted CA certificate list. The TLS profile is where the SBC is told which certificate records it trusts for a connection. In this step, add the new certificate record under trusted-ca-certificates in the TLS profile you use to secure the connection between the SBC and Microsoft Teams.
24 | P a g e
At this point the Baltimore Root CA certificate is not being replaced: add the new certificate record alongside it under trusted-ca-certificates in the TLS profile. Because the field holds a list, when you set it from the ACLI enclose all of the record names in a single pair of double quotes, separated by a space, and include the existing Baltimore record name as well as the new DigiCert one. Setting the field replaces the whole list, so omitting Baltimore here would remove it.
Do not remove the Baltimore Root CA certificate from the TLS profile or your configuration until Microsoft confirms it is no longer in production use. Removing it prematurely will cause a service disruption.
Type quit at the prompt to exit configuration mode, then save and activate your configuration.
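The following shell script is an added example; it is not from the Oracle document and does not use the SBC or Microsoft's service. It builds a throw-away local PKI with openssl and verifies two leaf certificates against three trust lists, to show why the procedure in sections 4.2 and 5.2 adds DigiCert Global Root G2 alongside Baltimore rather than replacing it, and why removing Baltimore (sections 4.6 and 5.6) before Microsoft has switched breaks the handshake. The names OldRoot, NewRoot, sip-old and sip-new are placeholders standing in for Baltimore CyberTrust Root, DigiCert Global Root G2, and the certificate sip.pstnhub.microsoft.com presents before and after the switch.

```shell
#!/bin/sh
# Added example, not part of the Oracle document: a throw-away local PKI that shows how a
# trust-anchor list behaves during a root CA migration. "OldRoot" stands in for Baltimore
# CyberTrust Root, "NewRoot" for DigiCert Global Root G2, and the two "sip-*" leaf
# certificates for what sip.pstnhub.microsoft.com presents before and after the switch.
# All names are placeholders; nothing here talks to the SBC or to Microsoft.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME: self-signed CA certificate and key (openssl req -x509 marks it CA:TRUE)
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_leaf ROOT NAME: server certificate for NAME, issued by ROOT
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# build_trust OUTFILE ROOT...: concatenate the named roots into one trust file; this is the
# equivalent of the TLS profile's trusted-ca-certificates list on the SBC
build_trust() {
  out=$1; shift
  : > "$out"
  for r in "$@"; do cat "$WORK/$r.pem" >> "$out"; done
}

# verify_chain TRUSTFILE LEAF: prints "ok" if LEAF chains to a root in TRUSTFILE, else "fail";
# the same decision the SBC makes when Microsoft presents its certificate in the handshake.
# The ": OK" text is checked rather than the exit status, which old openssl versions ignore.
verify_chain() {
  if openssl verify -CAfile "$1" "$WORK/$2.pem" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

make_root OldRoot
make_root NewRoot
make_leaf OldRoot sip-old    # certificate chaining to Baltimore, in use today
make_leaf NewRoot sip-new    # certificate chaining to DigiCert G2, after the switch

build_trust "$WORK/old-only.pem" OldRoot            # SBC before this procedure
build_trust "$WORK/both.pem"     OldRoot NewRoot    # SBC after sections 5.1 and 5.2
build_trust "$WORK/new-only.pem" NewRoot            # SBC after section 5.6

for trust in old-only both new-only; do
  for leaf in sip-old sip-new; do
    printf '%-9s trust list, %s leaf: %s\n' "$trust" "$leaf" \
      "$(verify_chain "$WORK/$trust.pem" "$leaf")"
  done
done
```

Running it prints six lines; the two that matter are old-only with sip-new (fail: an SBC that never received this update, once Microsoft switches) and new-only with sip-old (fail: Baltimore removed too early). A trust file containing both roots passes both leaves, which is the intended state until Microsoft's announcement. The SBC applies the same rule: the trusted-ca-certificates list is the complete set of roots it will accept for that profile.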
This concludes the steps needed to add a new trusted CA certificate to the Oracle SBC’s trust store. Next, we’ll
walk through how to add the Microsoft Teams test endpoint to the configuration.
5.3 Adding Microsoft Teams Test Endpoint
Microsoft has created a test endpoint whose certificate is issued under the new Root CA. This lets customers test connectivity using the new certificates before they are used in production. The hostname of this agent/endpoint is:
sip.mspki.pstnhub.microsoft.com
Please note, you cannot send production traffic to this session agent/endpoint. Its function is to validate the TLS handshake between the SBC and the Direct Routing interface using the new certificates. The endpoint replies to SIP OPTIONS messages generated by the Oracle SBC only after the TCP/TLS handshake has succeeded.
Use the information in the table below to configure a new session agent for testing:

    Hostname          sip.mspki.pstnhub.microsoft.com
    Port              5061
    Transport Method  StaticTLS
    Realm ID          Teams (the name of your Teams realm)
    Ping Method       OPTIONS
    Ping Interval     30
Type quit at the prompt to exit configuration mode, then save and activate your configuration.
5.4 Verify Connectivity
Now that we have configured and imported Microsoft's new root CA certificate, added it to the trust list of the TLS profile, and configured a new session agent for testing, we can verify that the new session agent is in service and receiving responses to SIP OPTIONS messages.
The quickest way is to verify that the session agent just configured is in service:
Just below the hostname of the test agent, sip.mspki.pstnhub.microsoft.com, you should see the letter I,
indicating the agent is in service. The session agent can only be in service if the TCP/TLS connection to
Microsoft Teams is successful, and the SBC has received a response to SIP OPTIONS.
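The checks below are an added example for sections 4.4 and 5.4, not part of the Oracle document; they run on an administrator's workstation with openssl and do not touch the SBC. The first function prints the SHA-256 fingerprint of the downloaded root file so it can be compared with the value DigiCert publishes (recommendation 3). The second performs a TLS handshake to the Microsoft test endpoint with that file as the only trust anchor, which is effectively what the SBC will do once Baltimore is removed; the host and port come from the document, while ROOT_PEM (the file name of the downloaded root) is an assumption. No SIP OPTIONS is sent, because the document states the endpoint only answers OPTIONS from the SBC; a "Verify return code: 0 (ok)" from the handshake is the result to look for.

```shell
#!/bin/sh
# Added example, not part of the Oracle document: two checks run from an administrator's
# workstation with openssl, independent of the SBC's own status display.
#   1. root_fingerprint: SHA-256 fingerprint of the downloaded DigiCert Global Root G2 file,
#      to compare with the value DigiCert publishes before importing it.
#   2. check_endpoint: TLS handshake to the Microsoft test endpoint with that file as the
#      ONLY trust anchor, mirroring the SBC once Baltimore is removed from the profile.
# ROOT_PEM is an assumed file name; host and port are the ones named in the document.
set -eu

ROOT_PEM=${ROOT_PEM:-DigiCertGlobalRootG2.crt.pem}   # assumption: downloaded root, PEM format
TEST_HOST=sip.mspki.pstnhub.microsoft.com
TEST_PORT=5061

# root_fingerprint FILE: colon-separated SHA-256 fingerprint of the certificate's DER encoding
root_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*Fingerprint=//'
}

# verify_result: reads openssl s_client output on stdin; prints "ok" when the peer chain
# validated against the supplied CAfile, otherwise "fail" with the verify return code
verify_result() {
  rc=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
  if [ "$rc" = "0" ]; then
    echo ok
  else
    echo "fail (verify return code ${rc:-missing})"
  fi
}

# check_endpoint: handshake only (stdin closed, nothing sent), trusting nothing but ROOT_PEM.
# With -CAfile given, OpenSSL 1.1.1 and later do not consult the system trust store, so a
# return code of 0 means the endpoint's chain really terminates at the file supplied.
check_endpoint() {
  openssl s_client -connect "$TEST_HOST:$TEST_PORT" -servername "$TEST_HOST" \
    -CAfile "$ROOT_PEM" </dev/null 2>&1 | verify_result
}

# The live checks run only when asked (sh check.sh run), so the functions above can also be
# sourced or exercised offline.
if [ "${1:-}" = "run" ]; then
  echo "Fingerprint of $ROOT_PEM (compare with DigiCert's published value):"
  root_fingerprint "$ROOT_PEM"
  echo "Handshake with $TEST_HOST:$TEST_PORT using only that root: $(check_endpoint)"
fi
```

Run it as `ROOT_PEM=/path/to/DigiCertGlobalRootG2.crt.pem sh check.sh run`. A non-zero verify return code from the handshake (for example 20, unable to get local issuer certificate) means the endpoint's chain does not terminate at the file you supplied, which is the condition that would take the Teams trunk down if Baltimore were removed from the SBC profile; check the file first, then the chain the endpoint actually sends.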
5.5 Removing Test Agent
Once you have verified that the connection to Teams using the new certificates is successful, the Microsoft test endpoint/agent can be removed from the SBC's configuration.
To remove the agent from your configuration, use the "no" command at the session-agent prompt and enter the number corresponding to the agent to be removed:
Type quit at the prompt and save and activate your configuration.
Next, we'll go through the steps of removing the Baltimore Root CA certificate from the configuration.
5.6 Removing Baltimore Root CA Certificate
Do not perform the steps outlined in this section until Microsoft confirms the Baltimore Root CA certificate is no longer in production use. Prematurely removing the Baltimore Root CA certificate will cause a service disruption.
Once you have verified the Baltimore Root CA certificate is no longer required to secure the connection
between the Oracle SBC and Microsoft Teams Direct Routing Interface, you can remove it from your SBC’s
configuration.
5.6.1 Remove from TLS Profile
The first step in removing the Baltimore Root CA certificate from your configuration is to remove it from the TLS profile.
Select the tls-profile you are using for Microsoft Teams and set trusted-ca-certificates again, this time listing only the certificate records you still need (the DigiCert Global Root G2 record and any others the profile requires) and leaving the Baltimore record out. Because setting the field replaces the whole list, omitting Baltimore removes it; for the same reason, confirm before saving that every other CA the profile needs is still listed, since anything you forget to re-enter is dropped without warning. Please see the example below:
Type quit at the prompt and save and activate your configuration.
5.6.2 Deleting Certificate Record
Now that we've removed the Baltimore Root CA certificate from the TLS profile, we can delete it from the configuration.
Only perform this step if you have verified that this certificate record is not referenced by any other TLS profile on your Oracle SBC.
To delete a certificate record, use the "no" command under certificate-record and select the number corresponding to the Baltimore Root certificate record to remove it from the configuration.
This concludes the steps necessary to replace the Baltimore CyberTrust Root CA certificate with the DigiCert Global Root G2 certificate on the Oracle SBC.
If you have any questions regarding this change, please contact your Oracle Account Team members for
assistance.
6 Verify Teams Session Agents
Once this procedure is complete, and the DigiCert Global Root G2 certificate is in use, you can quickly verify
connectivity with Microsoft Teams session agents by running the command
Connect with us: blogs.oracle.com/oracle, facebook.com/oracle, twitter.com/oracle, oracle.com

Copyright © 2021, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.