09-12-2023 12:25 AM - edited 09-13-2023 01:39 AM
Just a heads-up.
Microsoft moves away from Baltimore Certificate to DigiCert Global Root G2.
https://learn.microsoft.com/en-us/purview/encryption-office-365-tls-certificates-changes?view=o365-worldwide
If you do not have this certificate on your CUBEs, the dial-peers to MS will go down.
Apparently there will be a test on Sept 19th, 2023.
MS has a test SIP endpoint to connect with SIP OPTIONS to test in advance.
The following text is from a Microsoft info mail:
"On September 19th (starting 4 PM UTC) Microsoft will perform a 24h test where all Microsoft SIP endpoints will be switched over to use certificates where the certificate chain will roll up to "DigiCert Global Root G2" Certificate Authority (CA)."
"If you'd like to test and confirm your SBC's certificate configuration prior to the change, Microsoft has prepared a testing endpoint that can be used to verify that SBC appliances trust certificates issued from the new root CA (DigiCert Global Root G2). This endpoint should be used only for SIP OPTIONS ping messages and not for voice traffic. If your SBC can establish a TLS connection to this endpoint, then your connectivity to Teams services should not be affected by the change.
Test endpoint FQDN: sip.mspki.pstnhub.microsoft.com"
!!! Baltimore CA must be retained, do NOT replace it! (just add, don't delete)
!!! Please check the facts for your environment yourself.
10-04-2023 10:32 AM
I had this problem and got an error in Teams with SIP response code 504 and Microsoft response code 569006 (Server Time-out - SBC presented an unknown certificate). Added the new certificate from the MS article listed above and the issue has been resolved.
Thank you Martin!
10-26-2023 05:07 AM
For the folks who need more info:
Copy the certificate from the URL below. The filenames are stated below:
Microsoft Azure TLS Issuing CA 01
Convert the CRT to PEM format and open it in Notepad (https://www.sslshopper.com/ssl-converter.html)
The CLI activity on the Cisco CUBE ISR router is as below:
no crypto pki trustpoint RootCA
no crypto pki trustpoint InterCA
CSBC(config)#crypto pki trustpoint RootCA
CSBC(ca-trustpoint)#enrollment terminal pem
CSBC(ca-trustpoint)#revocation-check none
CSBC(config)#crypto pki authenticate RootCA
copy the PEM format root cert here
CSBC(config)#crypto pki trustpoint InterCA
CSBC(ca-trustpoint)# enrollment terminal
CSBC(ca-trustpoint)# revocation-check none
CSBC(config)#crypto pki authenticate InterCA
copy the PEM format root cert here
Check the dial-peer for active status and check the inbound / outbound calls.
Check the Microsoft Direct Routing TLS and SIP OPTIONS status.
10-26-2023 05:08 AM
I wouldn't delete the old trustpoints for the Baltimore certs.
Just add the new certificates in new / additional trustpoints.
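An added example, not part of any post above: a Python check over a saved copy of `show crypto pki certificates` output from the CUBE that reports which of the two root CAs discussed in this thread is not held by any trustpoint. The sample output is constructed, and its layout, the trustpoint names and the root subject names used for matching are assumptions to adjust to your own router.

```python
import re

# Root CAs the thread says a CUBE must trust at the same time
# ("just add, don't delete"). Subject CNs are assumed as shown here.
REQUIRED_ROOTS = ("DigiCert Global Root G2", "Baltimore CyberTrust Root")

# Constructed sample in the assumed layout of `show crypto pki certificates`.
# It holds the old root and the new intermediate, but not the new root.
SAMPLE_OUTPUT = """\
CA Certificate
  Status: Available
  Issuer:
    cn=Baltimore CyberTrust Root
  Subject:
    cn=Baltimore CyberTrust Root
  Associated Trustpoints: RootCA

CA Certificate
  Status: Available
  Issuer:
    cn=DigiCert Global Root G2
  Subject:
    cn=Microsoft Azure TLS Issuing CA 01
  Associated Trustpoints: InterCA
"""

def trusted_cas(show_output):
    """Map subject CN -> trustpoint names for every 'CA Certificate' block."""
    found = {}
    for block in re.split(r"(?m)^(?=\S)", show_output):
        if not block.startswith("CA Certificate"):
            continue  # skip the router's own identity certificates
        # Match the Subject CN only: an Issuer line naming a root does not
        # mean the root itself is installed.
        subject = re.search(r"(?m)^\s*Subject:\s*\n\s*cn=(.+?)\s*$", block)
        points = re.search(r"(?m)^\s*Associated Trustpoints:\s*(.+?)\s*$", block)
        if subject and points:
            found.setdefault(subject.group(1), []).extend(points.group(1).split())
    return found

def missing_roots(show_output, required=REQUIRED_ROOTS):
    """Return the required root CAs that no trustpoint holds."""
    have = {cn.lower() for cn in trusted_cas(show_output)}
    return [cn for cn in required if cn.lower() not in have]

if __name__ == "__main__":
    for cn, tps in trusted_cas(SAMPLE_OUTPUT).items():
        print(f"{cn}: {', '.join(tps)}")
    for cn in missing_roots(SAMPLE_OUTPUT):
        print(f"MISSING root CA: {cn}")
```

A clean result here only shows the roots are present in the configuration; a successful SIP OPTIONS exchange over TLS with the Microsoft test endpoint quoted in the first post remains the real confirmation.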