Have you already heard? Important certificate changes are on the horizon for June 2026 that could impact specific Microsoft Teams Calling deployments with Session Border Controllers (SBCs). In this post I summarize what you need to know based on Microsoft’s Teams Direct Routing update for December 2025.
If you are a Teams Direct Routing administrator or an Operator Connect provider, it’s essential to stay ahead of these updates. They affect the way TLS connectivity and mutual authentication are handled, and ensuring your SBCs are properly configured will help avoid service disruptions after the change takes effect in June 2026.
What’s the reason for the upcoming certificate change? Background info
Microsoft Teams relies on mutual TLS (mTLS) for secure connectivity between SIP endpoints and customer or partner SBCs. This requires client certificates with the Client Authentication Extended Key Usage (EKU) property.
In February 2025, Google updated its Chrome Root Program Policy (v1.6), deprecating the use of Client Authentication EKU in TLS server certificates trusted by Chrome. Starting June 2026, only certificates with the Server Authentication EKU will be recognized by major browsers such as Chrome and Mozilla.
While some public Certificate Authorities (CAs) may continue issuing certificates with Client Authentication EKU, these may not be trusted by browsers but will still be accepted by operating systems like Windows, macOS, and Linux. Microsoft Teams SIP interface certificates will continue to include the Client Authentication EKU, issued by supported CAs.
These updates affect both Direct Routing and Operator Connect. Microsoft Teams SIP interface certificates will be issued by one of the supported CAs listed in the Azure Certificate Authority details page.
Supported Certificate Authorities (CAs)
The following CAs must be trusted on the SBCs.
- DigiCert Global Root CA – Thumbprint: A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
- DigiCert Global Root G2 – Thumbprint: DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
- DigiCert Global Root G3 – Thumbprint: 7E04DE896A3E666D00E687D33FFAD93BE83D349E
- DigiCert TLS ECC P384 Root G5 – Thumbprint: 17F3DE5E9F0F19E98EF61F32266E20C407AE30EE
- DigiCert TLS RSA 4096 Root G5 – Thumbprint: A78849DC5D7C758C8CDE399856B3AAD0B2A57135
- Microsoft ECC Root Certificate Authority 2017 – Thumbprint: 999A64C37FF47D9FAB95F14769891460EEC4C3C5
- Microsoft RSA Root Certificate Authority 2017 – Thumbprint: 73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74
What do I need to prepare as a Teams Direct Routing Admin or Operator Connect provider?
- Ensure all listed CAs are included in the SBC trust store.
- Configure SBCs to trust both client and server certificates with chains anchored in these CAs.
- SBCs missing updated root CAs may encounter certificate validation errors, impacting service availability.
- Consult your SBC vendor’s documentation for guidance on updating accepted certificate lists
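One way to check the first point, as an added example that is not from Microsoft or any SBC vendor: the script below compares a PEM export of the SBC trust store against the thumbprints listed above and reports which roots are missing. It assumes the SBC can export its trusted roots as a PEM bundle; the helper `to_pem` and the placeholder sample are constructed for illustration.

```python
import base64
import hashlib
import re
import sys

# SHA-1 thumbprints (hash of the DER-encoded certificate) of the root CAs
# listed on this page.
REQUIRED_ROOTS = {
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
    "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4": "DigiCert Global Root G2",
    "7E04DE896A3E666D00E687D33FFAD93BE83D349E": "DigiCert Global Root G3",
    "17F3DE5E9F0F19E98EF61F32266E20C407AE30EE": "DigiCert TLS ECC P384 Root G5",
    "A78849DC5D7C758C8CDE399856B3AAD0B2A57135": "DigiCert TLS RSA 4096 Root G5",
    "999A64C37FF47D9FAB95F14769891460EEC4C3C5": "Microsoft ECC Root Certificate Authority 2017",
    "73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74": "Microsoft RSA Root Certificate Authority 2017",
}
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def bundle_thumbprints(pem_text):
    """Return the uppercase SHA-1 thumbprint of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # strip line breaks
        prints.add(hashlib.sha1(der).hexdigest().upper())
    return prints


def missing_roots(pem_text, required=REQUIRED_ROOTS):
    """Return {thumbprint: name} for each required root absent from the bundle."""
    present = bundle_thumbprints(pem_text)
    return {tp: name for tp, name in required.items() if tp not in present}


def to_pem(der):
    """Wrap raw bytes in PEM armor (used only to build the constructed sample)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()  # PEM export of the SBC trust store
    else:
        text = to_pem(b"constructed placeholder, not a real certificate")
    missing = missing_roots(text)
    for tp, name in missing.items():
        print(f"MISSING  {name}  {tp}")
    sys.exit(1 if missing else 0)
```

A clean result only shows that the roots are present in the exported file; whether the TLS context used for the Teams SIP trunk actually references that store still has to be confirmed in the SBC configuration.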
Conclusion, opinion and summary
To maintain secure connectivity, SBCs must trust all of the supported root certificate authorities listed by Microsoft. Teams SIP interface certificates will continue to include the Client Authentication EKU, which is required for mutual TLS. While SBC certificates without this EKU are currently accepted, Microsoft will mandate its inclusion in the future. Administrators should prepare by updating trust stores now and working with their certificate providers to ensure compatibility and avoid service disruptions.






