Baltimore Trusted Public Root Certificate
The Baltimore Trusted Root must be installed on your SBC, it can be downloaded in either PEM or CRT format from:
Public Certificate Requirements
Each SBC deployed must have a public certificate from a supported Public CA, There are 3 options to create a certificates.
Please Note: When generating the CSR, The private key size should be at least 2048.
Please Note: Do not try to use onmicrosoft.com domain for certificates, it will not work.
Option 1 - Single SBC per certificate
A Single certificate with a single SBC FQDN. The SBC FQDN must be in the subject, common name or the Subject Alternate name.
Option 2 - Multiple SBC per certificate
A Single certificate with a multiple SBC FQDN’s. The SBC FQDN must be in the subject, common name or the Subject Alternate name.
|sbc.directrouting.guide||sbc2.directrouting.guide, sbc3.directrouting.guide, sbc7.directrouting.guide, sbc8.directrouting.guide|
Option 3 - Wildcard in Subject Alternative Name (SAN)
A certificate with a Wildcard in the Subject Alternative Name (SAN)
Option 4 - Wildcard in CommonName (CN)
A certificate with a Wildcard in the Common Name (CN)
Supported Public CA
Microsoft currently supports the following Public CA’s only. If you are purchasing a certificate please ensure it is signed by one of these root CA’s.
- AddTrust External CA Root
- Baltimore CyberTrust Root
- Class 3 Public Primary Certification Authority
- Deutsche Telekom
- DigiCert Global Root CA
- Go Daddy
- Verisign, Inc.
- Symantec Enterprise Mobile Root for Microsoft
- Thawte Timestamping CA
- T-Systems International GmbH (Deutsche Telekom)
The following Public CA’s have been known to work, but are not currently on the list of supported CA’s
- Let’s Encrypt
Direct Routing Explained
The Direct Routing Cheat Sheet is a condensed overview to planning and deployment of Direct Routing in Microsoft Teams.