Certificates for mTLS Authentication on Teams Direct Routing AudioCodes Session Border Controllers

John Miller

Cloud Solutions Architect

Microsoft’s June 30 validation test is already surfacing certificate trust issues for some Teams Direct Routing environments. Organizations using AudioCodes SBCs with mTLS enabled should verify firmware, Teams TLS context settings, and required root certificate chains before calling issues affect users.

Editor’s Note: Updated July 2026 to reflect Microsoft’s June 30 validation test for Teams Direct Routing certificate readiness.

Action Needed: Microsoft’s Teams Direct Routing Certificate Test Is Exposing Readiness Gaps

Microsoft’s June 30, 2026 validation test is already helping identify Teams Direct Routing environments that may not trust the updated certificate chain. If your organization uses AudioCodes SBCs with mTLS enabled, review your configuration now to reduce the risk of call routing issues. This article explains how to check whether your SBC is affected, verify the required certificate chains, and update the Teams TLS context settings.


Bearded Call Center Operator

Introduction

Microsoft’s Direct Routing updates include guidance for organizations to check the installed root certificate chains on their Teams Direct Routing Session Border Controllers (SBCs). Microsoft’s June 30, 2026 validation test is now helping identify environments that may not trust the updated certificate chain, which can affect TLS connectivity between Teams and the SBC.

This article was originally published ahead of Microsoft’s remediation timeline. With the June validation test now surfacing potential readiness gaps, Teams Direct Routing customers should review their SBC configuration, firmware, Teams TLS context settings, and required root certificate chains as soon as possible. These updates are especially important for organizations validating Teams Direct Routing certificates on AudioCodes SBCs with mTLS enabled.

In a nutshell:

  1. This note applies to Teams Direct Routing SBCs where Mutual TLS authentication (mTLS) has been enabled.
  2. If the firmware on your AudioCodes SBC is at least 7.4.600, you just need to enable a parameter on the SBC.
  3. If it isn’t, you will need to either update the firmware or manually install at least two (2) root chains and turn the aforementioned switch on.

The information in this article applies to AudioCodes Teams Direct Routing SBCs. If you are using another manufacturer’s SBC, please check their support pages or contact their service department for guidance.


How To Check Your Teams Direct Routing Certificates

Does this apply to our SBCs?

  • Microsoft’s announcement infers that this applies to all Teams Direct Routing SBCs.
  • The AudioCodes technical note MC1213773 ACTION REQUIRED: TEAMS DIRECT ROUTING CHANGE (this can only be accessed if you have an AudioCodes support account) states that the Microsoft note only applies to AudioCodes Teams Direct Routing-enabled SBCs where mutual TLS authentication has been enabled on the SIP interface associated with the Teams Proxy Set.
  • To determine if mutual TLS has been enabled for Teams:
    • Sign on to your SBC.
    • Navigate to the SIP Interfaces table at Setup->Signaling & Media ->Core Entities->SIP Interfaces.
    • Click on the “Teams” SIP interface.
      • If the interface is not named “Teams”, go to Setup->Signaling & Media->Core Entities->Proxy Sets and find the “Teams” Proxy Set. The associated “SIP Interface” can be found in the “SBC IPv4 SIP Interface” field.
Cybersecurity Team using Computer in Blue Light

african american programmer looking at digital tablet during work in data center
If the “TLS Mutual Authentication” field under the “Security’ section has the value “Enable”, you should continue to read this article!


What is TLS Mutual Authentication?

Under standard transaction layer security (TLS) authentication, only the server is authenticated. In Mutual TLS or mTLS, both the client and server must present and verify their respective certificates.

The previous eGroup blog article, Microsoft Teams Direct Routing and Mutual TLS Authentication, describes how to set this up and includes our recommendation to enable mTLS on Teams Direct Routing SBCs.

Indian business man software developer working on laptop in office. Vertical

Young woman working at a call center which is a consultant for various information of customers

We are using mTLS for Teams on an AudioCodes Teams Direct Routing-enabled SBC, now what?

You will first need to verify that a parameter on the Teams TLS context is properly configured and that all seven (7) of the Microsoft-provided certificate root chains are installed on the SBC.

Teams TLS Context Setting

  1. Backup the SBC’s configuration.
  2. Navigate to Setup->IP Network->Security->TLS Contexts on your SBC.
  3. Click on the context you are using for Teams; it will usually be named “Teams”.
    1. If you aren’t sure which one it is, you can look at the “TLS Context Name” field on the Teams Proxy Set.
    1. The context used by Teams should only be used for Teams Direct Routing. It should only be assigned to the Teams Proxy Set. Your SBC should have at least two (2) TLS contexts: “Default” and “Teams”. Please contact us if you do not have both!
  4. The value of the “Use default CA Bundle” will probably be blank. Change it to “Enable”.
    1. If you do not see the “Use default CA Bundle” option, you will need to update the firmware on the SBC.
  5. Click the “Apply” button, then save the configuration.
  6. The SBC will not require a restart after making this change.
  7. You should not change this setting on the “default”, or any other TLS contexts that you may have on your SBC.

Verifying that you have all the Certificates based on the SBC’s firmware

After turning on the default CA Bundle on the SBC, you can determine if you have all the certificates based on the currently running firmware:

  1. Your SBC has all the certificates if you are running at least either version 7.4.600 or 7.6.
  2. If your SBC is running a version between 7.4.300 and 7.4.500 you can use either of these options:
    • a) Add these two (2) certificates to your SBC. Follow the instructions in the next section to add these:
Certificate AuthoritySerial NumberThumbprint
DigiCert TLS ECC P384 Root G50x09e09365acf7d9c8b93e1c0b042a2ef317F3DE5E9F0F19E98EF61F32266E20C407AE30EE
DigiCert TLS RSA 4096 Root G50x08f9b478a8fa7eda6a333789de7ccf8aA78849DC5D7C758C8CDE399856B3AAD0B2A57135
Support with a smile. Portrait of a happy and confident young man working in a call center.

  • b. Update the firmware on the SBC.
    • Do not upgrade from a 7.4 version to 7.6 to add the certificates. Upgrading from 7.4 to 7.6 constitutes a major upgrade to the SBC. We recommend against doing this upgrade solely to ensure that all the certificates are installed on your SBC.AudioCodes has a “Long Term Support (LTS)” and “Latest Release (LR)” version of the 7.4 firmware available for download (there is currently only an LR of the 7.6 available)
    • At eGroup, we advise our clients to only upgrade their SBCs with the LTS version. We also tell our clients to only install an LR version if directed to do so by AudioCodes or us. This is one of those rare occasions where we tell our customers to go ahead and install the current LR version of the 7.4 firmware to get the certificates onto their SBCs.
  • c. If the SBC is running a version older than 7.4.300, you can use either of these options:
    • Add all seven (7) certificates to your SBC (see below).
      • Update the firmware on the SBC.
      • If you are running a flavor of the 7.2 firmware older than 7.20A.204.549, you must follow the guidance in the AudioCodes SBC Version 7.2 to 7.4 Upgrade Procedure document.

Checking for the Required Root Chains

Here is the list of Root chains that must be installed on the SBCs:

Certificate AuthoritySerial NumberThumbprint
DigiCert Global Root CA0x083be056904246b1a1756ac95991c74aA8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
DigiCert Global Root G20x033af1e6a711a9a0bb2864b11d09fae5DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
DigiCert Global Root G30x055556bcf25ea43535c3a40fd5ab45727E04DE896A3E666D00E687D33FFAD93BE83D349E
DigiCert TLS ECC P384 Root G50x09e09365acf7d9c8b93e1c0b042a2ef317F3DE5E9F0F19E98EF61F32266E20C407AE30EE
DigiCert TLS RSA 4096 Root G50x08f9b478a8fa7eda6a333789de7ccf8aA78849DC5D7C758C8CDE399856B3AAD0B2A57135
Microsoft ECC Root Certificate Authority 20170x66f23daf87de8bb14aea0c573101c2ec999A64C37FF47D9FAB95F14769891460EEC4C3C5
Microsoft RSA Root Certificate Authority 20170x1ed397095fd8b4b347701eaabe7f45b373A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74

The links in the table will allow you to download the certificate chains. Please note that these are “.CRT” files. They will have to be converted to PEM/ASCII format. You may be able to convert these using the “SSL Converter” tool on the SSL Shopper website; otherwise, use your tool of choice.


To “visually” check to see if you have all these root chains:

  1. On the SBC, navigate to Setup->IP Network->Security->Default CA Bundle.
  2. Scroll through the list to locate the certificate by its “Subject Name”.
  3. Once you’ve found it, verify that the serial number matches the number in the table above.
  4. Note all root chains that you are missing.

Importing missing Root Certificates

  1. The SBC will not require a restart after importing the certificate.
  2. Backup the SBC’s configuration.
  3. Navigate to the Teams TLS Context and click on “Trusted Root Certificates” at the bottom of the page.
  4. Click the “Import” button.
  5. Select the “PEM/ASCII” formatted certificate file.
  6. Follow the prompts.
  7. The SBC will not require a restart after importing the certificate.
  8. Install additional certificates as needed.
multiethnic technicians working on laptop near server in data center

Summary

Microsoft’s Teams Direct Routing certificate changes are now actively surfacing readiness gaps for some SBC environments. Organizations using AudioCodes SBCs with mTLS enabled should verify that the required root certificate chains are installed and that the Teams TLS context is configured correctly.

For AudioCodes SBCs running supported firmware, remediation may be as simple as enabling the default CA bundle on the Teams TLS context. Older firmware versions may require a firmware update or manual installation of the required root certificate chains. Failure to address these requirements may prevent the Direct Routing SBC from communicating with Teams.

Need help reviewing your Teams Voice environment? Explore our Teams Phone services to validate Direct Routing readiness, reduce call disruption risk, and support a more reliable Microsoft Teams calling experience.


Need Help With Teams Direct Routing?

Validate Your Teams Direct Routing Configuration Before Certificate Issues Affect Calling

Microsoft’s June 30, 2026 validation test is already surfacing potential certificate trust issues in some Teams Direct Routing environments.

If your organization uses AudioCodes SBCs with mTLS enabled, eGroup can help review your configuration, confirm certificate readiness, and guide remediation before call routing issues affect users.

Shot of two call centre agents working together in an office at night
Get in Touch with Us

Connect with an expert to learn what we can do for your business.

Request Access to Win Wires

Enter your work email to request access to the eGroup Win Wires repository.

By requesting access, you confirm you are using an approved business email domain. You’ll receive a secure, one-time login link after returning to the Win Wires page.