Certificate Requirements for Direct Routing

Public Baltimore Trusted Root Certificate


The Baltimore Trusted Root must be installed on your SBC. It can be downloaded in either PEM or CRT format from:

SBC Public Certificate Requirements


Each SBC deployed must have a public certificate from a supported public CA. There are 3 options for creating a certificate.

Please Note: When generating the CSR, the private key size should be at least 2048.

Please Note: Do not try to use the onmicrosoft.com domain for certificates; it will not work.

Option 1 - Single SBC per certificate

A single certificate with a single SBC FQDN. The SBC FQDN must be in the subject common name (CN) or the Subject Alternative Name (SAN).

SN                      SAN
{Public FQDN of SBC}

Option 2 - Multiple SBC per certificate

A single certificate with multiple SBC FQDNs. Each SBC FQDN must be in the subject common name (CN) or the Subject Alternative Name (SAN).

SN                      SAN
{Public FQDN of SBC}    {Public FQDN of Additional SBC}, {Public FQDN of Additional SBC}

Option 3 - Wildcard

A certificate with a wildcard in the common name or Subject Alternative Name (SAN).

SN                      SAN
{Public FQDN of SBC}    {wildcard}

CommonName
{wildcard}

Note: In the above examples, shanehoey.example is an example domain only; replace it with your public domain.
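
A pre-flight check of a planned certificate against the rules above (key size, the onmicrosoft.com restriction, and SBC FQDN coverage by CN or SAN), as an added example that is not from the original page or from Microsoft. The function names are hypothetical, the sample FQDNs are constructed from the page's example domain, and the wildcard rule (one left-most label only) is an assumption based on standard TLS name matching.

```python
# Added example: checks a planned SBC certificate against this page's rules.
# Function and variable names are hypothetical, not part of any product API.

MIN_KEY_BITS = 2048                 # page: key size should be at least 2048
BLOCKED_SUFFIX = "onmicrosoft.com"  # page: this domain will not work


def _norm(name):
    """Lower-case a DNS name and drop surrounding space and a trailing dot."""
    return name.strip().rstrip(".").lower()


def name_matches(pattern, fqdn):
    """True if a certificate name (exact or '*.' wildcard) covers fqdn.

    Assumption: a wildcard covers exactly one left-most label, so
    *.shanehoey.example covers sbc1.shanehoey.example but neither
    sbc1.au.shanehoey.example nor shanehoey.example itself.
    """
    pattern, fqdn = _norm(pattern), _norm(fqdn)
    if not pattern.startswith("*."):
        return pattern == fqdn
    label, _, parent = fqdn.partition(".")
    return bool(label) and parent == pattern[2:]


def check_sbc_cert(sbc_fqdns, common_name, sans, key_bits):
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    names = [n for n in [common_name, *sans] if n]
    if key_bits < MIN_KEY_BITS:
        problems.append(f"key size {key_bits} is below {MIN_KEY_BITS}")
    for n in names:
        base = _norm(n)
        if base == BLOCKED_SUFFIX or base.endswith("." + BLOCKED_SUFFIX):
            problems.append(f"{n}: onmicrosoft.com names are not usable")
    for fqdn in sbc_fqdns:
        if not any(name_matches(n, fqdn) for n in names):
            problems.append(f"{fqdn}: not covered by CN or any SAN")
    return problems


# Constructed sample plans using the page's example domain.
OPTION_2 = check_sbc_cert(
    ["sbc1.shanehoey.example", "sbc2.shanehoey.example"],
    "sbc1.shanehoey.example", ["sbc2.shanehoey.example"], 2048)
WILDCARD_GAP = check_sbc_cert(
    ["sbc1.au.shanehoey.example"], "*.shanehoey.example", [], 4096)
```

The second sample shows the case most often missed with Option 3: an SBC placed in a sub-domain is not covered by a wildcard issued for the parent domain.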

Supported Public CA


Microsoft currently supports the following public CAs only. If you are purchasing a certificate, please ensure it is signed by one of these root CAs.

  • AffirmTrust
  • AddTrust External CA Root
  • Baltimore CyberTrust Root
  • Buypass
  • Cybertrust
  • Class 3 Public Primary Certification Authority
  • Deutsche Telekom
  • DigiCert Global Root CA
  • Entrust
  • GlobalSign
  • Go Daddy
  • GeoTrust
  • Verisign, Inc.
  • Starfield
  • Symantec Enterprise Mobile Root for Microsoft
  • SwissSign
  • Thawte Timestamping CA
  • Trustwave
  • TeliaSonera
  • T-Systems International GmbH (Deutsche Telekom)
  • QuoVadis