Certificate Requirements for Direct Routing

Certificate Requirements


Baltimore Trusted Public Root Certificate


The Baltimore Trusted Root must be installed on your SBC. It can be downloaded in either PEM or CRT format from:

Public Certificate Requirements


Each SBC deployed must have a public certificate from a supported public CA. There are 3 options to create a certificate.

Please Note: When generating the CSR, the private key size should be at least 2048.

Please Note: Do not try to use the onmicrosoft.com domain for certificates; it will not work.

Option 1 - Single SBC per certificate

A single certificate with a single SBC FQDN. The SBC FQDN must be in the subject, common name or the Subject Alternative Name.

SN: sbc.directrouting.guide
SAN: (blank)

Option 2 - Multiple SBC per certificate

A single certificate with multiple SBC FQDNs. The SBC FQDN must be in the subject, common name or the Subject Alternative Name.

SN: sbc.directrouting.guide
SAN: sbc2.directrouting.guide, sbc3.directrouting.guide, sbc7.directrouting.guide, sbc8.directrouting.guide

Option 3 - Wildcard in Subject Alternative Name (SAN)

A certificate with a Wildcard in the Subject Alternative Name (SAN)

SN: sbc.directrouting.guide
SAN: *.directrouting.guide

Option 4 - Wildcard in CommonName (CN)

A certificate with a Wildcard in the Common Name (CN)

CommonName: *.directrouting.guide
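
The naming and key-size rules above can be checked before a certificate is loaded onto the SBC. The following is an added example, not part of the original page or any Microsoft tooling: the function names are hypothetical, the CN, SAN and key-size values are assumed to have been read from the certificate already, and the wildcard rule (one left-most label only) is the standard TLS behaviour rather than something this page states.

```python
# Added example, not from the original page. Names are hypothetical.
MIN_KEY_BITS = 2048                    # page: key size should be at least 2048
FORBIDDEN_DOMAIN = "onmicrosoft.com"   # page: certificates for it will not work


def name_matches(pattern, fqdn):
    """Compare one certificate name with an FQDN, case-insensitively.

    Assumption: standard TLS wildcard semantics, where '*' stands for exactly
    one left-most label (*.a.test covers x.a.test, not x.y.a.test or a.test).
    """
    p = pattern.lower().rstrip(".").split(".")
    f = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(f) or "" in f:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == f[1:]
    return p == f


def check_sbc_cert(sbc_fqdn, common_name, sans, key_bits):
    """Return a list of problems; an empty list means the fields pass."""
    problems = []
    if key_bits < MIN_KEY_BITS:
        problems.append(f"key size {key_bits} is below {MIN_KEY_BITS}")
    names = [n for n in [common_name, *sans] if n]
    for n in names:
        host = n.lower().rstrip(".")
        if host == FORBIDDEN_DOMAIN or host.endswith("." + FORBIDDEN_DOMAIN):
            problems.append(f"{n} uses the {FORBIDDEN_DOMAIN} domain")
    if not any(name_matches(n, sbc_fqdn) for n in names):
        problems.append(f"{sbc_fqdn} is not covered by the CN or any SAN")
    return problems


if __name__ == "__main__":
    # Constructed sample values built from the page's example names.
    samples = [
        ("sbc.directrouting.guide", "sbc.directrouting.guide", [], 2048),
        ("sbc7.directrouting.guide", "sbc.directrouting.guide",
         ["sbc2.directrouting.guide", "sbc7.directrouting.guide"], 2048),
        ("sbc3.directrouting.guide", "sbc.directrouting.guide",
         ["*.directrouting.guide"], 2048),
        ("sbc.directrouting.guide", "*.directrouting.guide", [], 1024),
    ]
    for fqdn, cn, sans, bits in samples:
        print(fqdn, check_sbc_cert(fqdn, cn, sans, bits) or "OK")
```
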

Supported Public CA


Microsoft currently supports the following public CAs only. If you are purchasing a certificate, please ensure it is signed by one of these root CAs.

  • AffirmTrust
  • AddTrust External CA Root
  • Baltimore CyberTrust Root
  • Buypass
  • Cybertrust
  • Class 3 Public Primary Certification Authority
  • Deutsche Telekom
  • DigiCert Global Root CA
  • Entrust
  • GlobalSign
  • Go Daddy
  • GeoTrust
  • Verisign, Inc.
  • Starfield
  • Symantec Enterprise Mobile Root for Microsoft
  • SwissSign
  • Thawte Timestamping CA
  • Trustwave
  • TeliaSonera
  • T-Systems International GmbH (Deutsche Telekom)
  • QuoVadis

The following public CAs have been known to work, but are not currently on the list of supported CAs:

  • Let’s Encrypt
