Microsoft Teams - Direct Routing Root Certificates Update
On May 12, 2025, the current root certificate “Baltimore CyberTrust Root” expires. This certificate now handles the encryption of Microsoft Teams but also Azure Communication Services and even still the old Skype for Business Online components.
The transition to the new root certificates has started by Microsoft in January 2022 and will be completed this month, October 2022. In case you are using Direct Routing with your Microsoft 365 tenant you probaly have uploaded the Baltimore CyberTrust Root certificate in to your SBC.
The current TLS certificate now uses:
| Common Name of the CA | Thumbprint (SHA1) |
|---|---|
| Baltimore CyberTrust Root | d4de20d05e66fc53fe1a50882c78db2852cae474 |
The new TLS certificated used by Microsoft 365 services will chain up with one of the following Root CA’s.
| Common Name of the CA | Thumbprint (SHA1) |
|---|---|
| DigiCert Global Root G2 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| Microsoft RSA Root Certificate Authority 2017 | 73a5e64a3bff8316ff0edccc618a906e4eae4d74 |
| Microsoft ECC Root Certificate Authority 2017 | 999a64c37ff47d9fab95f14769891460eec4c3c5 |
Because Microsoft is only providing the CRT files on their website, i’ve converted these to PEM and CER (Always check the thumbprint (SHA1) with the above table before using).
You can download the certificates over here.
The baltimore CyberTrust will still work till May 12, 2025 but make sure you will add these “new” root certificates to your SBC.