Direct Routing | March 25, 2026 | 8 min read

Microsoft Teams Direct Routing: Critical Certificate Changes Coming June 2026 — What Admins Must Do Now

Chandra

SwiftM365 | Building for the M365 community

The Clock Is Ticking for Direct Routing Admins

If you manage Microsoft Teams Direct Routing or Operator Connect, there's a critical infrastructure change heading your way that could silently break your entire voice deployment. Microsoft is shifting the SIP interface certificate to new Certificate Authority (CA) root chains — and if your Session Border Controller (SBC) isn't prepared, all inbound and outbound PSTN calls will fail starting June 2026.

This isn't a theoretical risk. It's a hard deadline with zero fallback.

What's Changing and Why

The core issue is straightforward: Microsoft's TLS certificates for Direct Routing SIP endpoints are moving from the legacy DigiCert Global Root CA (G1) to the newer DigiCert Global Root G2 and associated intermediate certificates.

This change is driven by two converging forces:

  • Google Chrome Root Program Policy v1.6 (published February 2025) now deprecates the use of Client Authentication Extended Key Usage (EKU) in TLS server certificates trusted by Chrome.
  • Mozilla and Chrome will actively distrust the DigiCert Global Root CA (G1) starting April 15, 2026.

Since Microsoft Teams Direct Routing relies on mutual TLS (mTLS) between Microsoft's SIP proxy and your SBC, the certificates on both sides must be trusted. When Microsoft switches to the new root chain, your SBC must already trust it — or the TLS handshake fails instantly.

The Timeline You Need to Know

Date | What Happens
End of February 2026 | SBCs must be updated to trust the new DigiCert and Microsoft root CAs
End of March 2026 | Microsoft provides a test SIP endpoint for TLS validation
April 2026 | Microsoft begins rolling out new server-side certificates
June 2026 | Full enforcement — certificates must exclusively use Server Authentication EKU

Root CAs Your SBC Must Trust

Make sure all five of these Certificate Authorities are in your SBC's trust store:

Certificate Authority | Thumbprint (SHA1)
DigiCert Global Root CA | A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
DigiCert Global Root G2 | DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
DigiCert TLS RSA 4096 Root G5 | A384D076E98B0F861222016CC22B0770B3A22A49
Microsoft ECC Root CA 2017 | 999A64C37FF47D9FAB95F14769891460EEC4C3C5
Microsoft RSA Root CA 2017 | 73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74

The most critical one is DigiCert Global Root G2 — this is the new primary root that Microsoft is migrating to.

What Happens If You Don't Prepare

If your SBC doesn't trust the new certificate chain when Microsoft switches:

  • TLS handshake fails between Microsoft's SIP proxy and your SBC
  • All Direct Routing calls drop — both inbound and outbound
  • No gradual degradation — it's an immediate, complete voice outage
  • You'll see TLS Alert 46 ("Certificate Unknown") in your SBC logs

This affects every SBC vendor: AudioCodes, Ribbon (Sonus), Oracle, TE-Systems, Metaswitch, and others.

Your 5-Step Action Plan

Step 1: Verify Current Trust Store

Log into your SBC admin interface and check which root CAs are currently trusted. Look for DigiCert Global Root G2 with thumbprint DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.

Step 2: Update SBC Firmware

Older firmware may not support the new cipher suites. Check with your vendor:

  • AudioCodes: Minimum OVOC 8.2+ recommended
  • Ribbon: Check SBC Edge/SWe Lite release notes
  • Oracle: Verify Enterprise SBC firmware compatibility

Step 3: Install All Five Root CAs

Download and install all five certificates listed above into your SBC trust store. Don't just add G2 — you need the complete chain including Microsoft's own root CAs.

Step 4: Update SIP Trunk Profiles

Ensure the TLS profiles assigned to your Microsoft Teams SIP interfaces reference the updated trust store. Creating the trust context is useless if the active proxy set isn't using it.

Step 5: Test Before the Deadline

When Microsoft publishes the test SIP endpoint (expected March 2026), use it to validate that your SBC can complete the TLS handshake with the new certificates.
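
The trust store checks in Steps 1 and 3 can be run offline against a PEM export of the SBC's trusted roots. The script below is an added example, not part of the original post or any vendor tool: it computes the SHA-1 thumbprint of every certificate in the bundle and reports which of the five roots listed above are present or missing. The function names and the sample bundle are assumptions made for illustration; the sample entries are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

# SHA-1 thumbprints of the five roots, copied from the table in this article.
REQUIRED_ROOTS = {
    "DigiCert Global Root CA": "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436",
    "DigiCert Global Root G2": "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4",
    "DigiCert TLS RSA 4096 Root G5": "A384D076E98B0F861222016CC22B0770B3A22A49",
    "Microsoft ECC Root CA 2017": "999A64C37FF47D9FAB95F14769891460EEC4C3C5",
    "Microsoft RSA Root CA 2017": "73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74",
}
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def normalize(thumbprint):
    """Reduce 'df:3c:24..' or 'DF 3C 24..' as shown by admin UIs to bare uppercase hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()

def thumbprints(pem_bundle):
    """SHA-1 over each certificate's DER bytes, which is what a thumbprint is."""
    found = set()
    for body in PEM_BLOCK.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha1(der).hexdigest().upper())
    return found

def audit(pem_bundle, required=REQUIRED_ROOTS):
    """Return (present, missing) names of required roots for a trust store export."""
    have = thumbprints(pem_bundle)
    present = sorted(n for n, t in required.items() if normalize(t) in have)
    missing = sorted(n for n, t in required.items() if normalize(t) not in have)
    return present, missing

def to_pem(der):
    """Wrap raw bytes in PEM armor (used only to build the constructed sample)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed stand-ins, not real certificates: hashing needs only the decoded bytes.
SAMPLE_A, SAMPLE_B = b"constructed stand-in for root A", b"constructed stand-in for root B"
SAMPLE_BUNDLE = to_pem(SAMPLE_A) + to_pem(SAMPLE_B)

if __name__ == "__main__":
    import sys  # optional argument: path to a PEM export from the SBC
    bundle = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    present, missing = audit(bundle)
    print("present:", present)
    print("MISSING:", missing)
    sys.exit(1 if missing else 0)
```

A non-zero exit status means at least one required root is absent from the export. A passing result confirms only that the roots are installed; Step 4 still has to confirm that the active TLS profile references that store.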

Broader Impact: Microsoft Entra ID

This isn't just about voice. Starting January 7, 2026, Microsoft Entra (Azure AD) also migrated its certificates from G1 to G2. If your applications or services pin to the old DigiCert G1 root, you may experience authentication failures across M365 services.

How SwiftM365 Helps

If you're managing Direct Routing deployments across multiple locations, SwiftM365 can help you generate the voice configuration scripts you need — dial plans, voice routing policies, PSTN usages, and voice routes for 203 countries. All scripts run locally in your PowerShell environment with zero tenant access.

When you're ready to set up or reconfigure your Direct Routing after the certificate update, visit swiftm365.com to generate your configuration scripts in seconds.

Key Takeaways

  • Act now — don't wait until June 2026
  • Update your SBC trust store with all five root CAs
  • Check firmware compatibility with your SBC vendor
  • Test early using Microsoft's validation endpoint when available
  • Monitor TLS Alert 46 in logs as an early warning sign

The certificate change is non-negotiable. The good news is that preparation is straightforward — it just needs to happen before the deadline.

---

Have questions about Direct Routing certificate changes or need help with your voice configuration? Reach out via our feedback page or contact me directly at +91 9011070193.

Written by Chandra

Passionate about simplifying Microsoft 365 administration for the community. Building free tools so admins can focus on what matters.
