
AudioCodes SBC – Add the DigiCert Global Root G2

Microsoft just released another message to tenant administrators that we must add the DigiCert Global Root G2 certificate if we use MTLS in our Direct Routing SBC configuration. This was announced back in 2022, saying that the Baltimore CyberTrust Root CA certificate was to be replaced.

Up until now, there have been no interruptions in the connectivity if SBCs had the Baltimore CyberTrust Root CA certificate only, but this will change, according to Microsoft, if the DigiCert Global Root G2 is not added before August 2023.

I recently had a few panic calls from customers who wanted help adding this certificate. I don’t mind adding a few here and there, but when customers have 40+ SBCs, it starts to be hard work. Therefore, I decided to create this lovely guide to help whoever stands in front of this task.

Because Microsoft’s trusted root certificate is set to expire in May 2025, the company announced a change in the root chain that will support Microsoft 365 voice, messaging, etc. going forward. The new root certificate chain to be used will be based on DigiCert Global Root G2, which is a widely trusted public CA.

Microsoft announcement: https://learn.microsoft.com/en-us/microsoft-365/compliance/encryption-office-365-tls-certificates-changes?view=o365-worldwide

So we must add this certificate to the trusted root folder and delete the Baltimore one, right?

Wrong. And this is where the panic calls started coming in. Some companies added the new certificate and deleted the Baltimore certificate, which resulted in services no longer working.

Your installation will live just fine with the Baltimore certificate as the only one. But only for a short time. So, if you still haven’t added the new DigiCert Global Root G2 certificate, now is the time to do it. And leave the Baltimore certificate in the store, please. 😊

Log into your SBC and browse to TLS context. That is, Setup –> IP Network –> Security and TLS Context.

Pick the TLS context you use for your MS Teams SIP Interface. Click on the index line.

Now click on “Trusted Root Certificates” in the bottom right.

Click on the button “Import”.

Browse to your certificate. Click “Open”.

Wait for the certificate to be imported successfully.

Confirm that the certificate is now located in the trusted root certificates store.

Bingo. You are home free.

If you, like many others, are a bit annoyed that the format needed is PEM, and tired of working with converter tools, this is the link for you:

https://www.digicert.com/kb/digicert-root-certificates.htm

Simply browse to the certificate shown here, and download in PEM format.
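
A pre-import check for the downloaded file, as an added example that is not part of the original guide: it confirms the file is PEM rather than binary DER, holds exactly one certificate, and matches the SHA-256 fingerprint published by the CA. The function names and the sample bytes are constructed for illustration; the expected fingerprint is a value you supply.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def inspect_cert_file(data: bytes) -> dict:
    """Classify a downloaded certificate file and fingerprint each certificate."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        fmt = "PEM"
        ders = [base64.b64decode(b"".join(b.split()), validate=True) for b in blocks]
    elif data[:1] == b"\x30":
        # An ASN.1 SEQUENCE tag at offset 0 means binary DER (.cer/.crt), not PEM.
        fmt, ders = "DER", [data]
    else:
        fmt, ders = "unknown", []
    prints = [hashlib.sha256(d).hexdigest().upper() for d in ders]
    return {"format": fmt, "count": len(ders), "sha256": prints}


def ready_for_import(data: bytes, expected_sha256: str) -> bool:
    """True only for a PEM file holding exactly one cert with the expected fingerprint."""
    info = inspect_cert_file(data)
    want = expected_sha256.replace(":", "").replace(" ", "").upper()
    return info["format"] == "PEM" and info["sha256"] == [want]


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


# Constructed stand-in bytes, NOT a real certificate: just enough to exercise the checks.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = to_pem(SAMPLE_DER)
# In real use, copy the expected value from the CA's published root certificate page.
SAMPLE_EXPECTED = hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    print(inspect_cert_file(SAMPLE_PEM))
    print("PEM ok:", ready_for_import(SAMPLE_PEM, SAMPLE_EXPECTED))
    print("DER ok:", ready_for_import(SAMPLE_DER, SAMPLE_EXPECTED))
```

The fingerprint is computed over the decoded DER bytes, so it stays the same whether the certificate was saved as PEM or DER; only the PEM copy passes the import check.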

That’s it, the certificate is added, and you should be OK for the next 15 years.

7 thoughts on “AudioCodes SBC – Add the DigiCert Global Root G2”

  1. Nice guide thanks. Did you ever have to add some of the intermediate certificates? Only the root is added in the guide, but there’s now 4 possible intermediate certificates that could be used in the future. What is your advice for this?

    • Hey Alex,

      Glad you liked it; I hope it helped.

      Only the root certificate is needed to create the MTLS trust between the SBC and Microsoft. There is no need to import the whole chain to the certificate store. If you decided to buy a public certificate based on that root CA, you would need to install the intermediate certificates, as these would have been used to create your server certificate (SBC certificate if it was to be used on an SBC).

      Let me know if you have any other questions.

      BR,

      Thomas

      • Perfect, thanks for a great response. Certificates are a tricky thing to understand sometimes, glad I reached out to you. I have your blog bookmarked and will return 🙂
