
Required cipher suite configuration for SBCs

Lynne 0 Reputation points
2026-03-24T10:34:47.7966667+00:00

We have the Teams Direct Routing certificate update, but several legacy SBC nodes (AudioCodes and Cisco CUBE) are failing TLS handshakes with sip.pstnhub.microsoft.com, resulting in SIP OPTIONS 408 timeouts.

Despite importing the new DigiCert Global Root G2 and Microsoft RSA 2017 certificates, packet captures show the Microsoft Server Hello presenting newer root chains (G5), while older SBC firmware appears unable to validate them, likely due to unsupported cipher suites or stricter 4096-bit / EKU requirements.

Is there a recommended or required cipher suite configuration for SBCs to ensure compatibility with Microsoft Teams Direct Routing mTLS after the 2026 certificate changes?

Thanks

Microsoft Teams | Development


1 answer

  1. Steven-N 25,305 Reputation points Microsoft External Staff Moderator
    2026-03-24T11:34:15.2733333+00:00

    Hi Lynne

    Based on my research, Microsoft has migrated its SIP interface certificates to a new Public Key Infrastructure that relies on seven root Certificate Authorities, not just the two you have imported.

    The Microsoft SIP endpoints now present certificate chains that may be rooted in DigiCert TLS RSA 4096 Root G5 or DigiCert TLS ECC P384 Root G5. If these roots are absent from the SBC trust store, the SBC cannot validate the server certificate and the TLS handshake fails before any SIP signaling can occur.

    Given this, you have to ensure the following requirements:

    Update SBC firmware to a version that supports the new certificate chain and cipher suites: AudioCodes firmware 7.4.600 or later; Cisco CUBE IOS-XE 17.3.x or later.

    Import all seven required root CAs into the SBC trusted root store (download links available at https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details):

    • DigiCert Global Root CA
    • DigiCert Global Root G2
    • DigiCert Global Root G3
    • DigiCert TLS ECC P384 Root G5
    • DigiCert TLS RSA 4096 Root G5
    • Microsoft ECC Root Certificate Authority 2017
    • Microsoft RSA Root Certificate Authority 2017

    Configure the SBC to use only the following TLS 1.2 cipher suites:

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    Validate your configuration by sending SIP OPTIONS to the Microsoft test endpoint at sip.g1.pstnhub.microsoft.com on port 5061. A 200 OK response confirms that the TLS handshake and certificate validation are successful.

    Note: When importing the DigiCert TLS RSA 4096 Root G5 certificate via CLI, the PEM data contains the string "quit", which IOS interprets as an exit command. Import the certificate via TFTP or SCP to avoid this issue.

    For detailed reference:

    Hope my answer will help you.



    1 person found this answer helpful.
