Forum Discussion
Comodo - Sectigo Certificate for MS Teams Direct Routing
Hi,
We indeed ended up requesting a new certificate from one of the providers on the MS list.
The TLS handshake between SBC and Teams was not OK using the existing Sectigo certificate.
(I should have updated this message earlier)
However, godril, it's strange your Comodo certificate wasn't accepted the second time, as I recently was involved in a second installation using a Comodo certificate. That worked.
Maybe you can't use a certificate for two connections because of "reasons".
Kind regards,
Jeroen.
The certs were different since the domains were also different. I wasn't investigating it long enough at that time because of the delivery time constraint. At that time I tried a 30-day trial from another CA and it worked fine, so I assumed it's the CA. But thank you for updating this. Will try the Comodo once again since I will have the 3rd one coming in. By the way, is your working Comodo cert installation for multi tenants (wildcard SSL), or single tenant?
- jers53, Jun 15, 2020, Copper Contributor
I was involved in but not in charge of this second project, I haven't had a decent look at the certificate and have no documentation available.
When I'm required to do an intervention again I'll ask if I can check the cert for research purposes.
Extra info 1
The Sectigo cert that failed was indeed a wildcard certificate for our whole domain. It probably wasn't the cause of the issue but when looking for support at our SBC vendor they informed me that wildcard certificates could cause issues if you, for example, don't anticipate the domain levels in advance.
I didn't get the full story but it was something like having a certificate for a server in a domain "server.domain.com" but also needing to have Teams users in the domain user@domain.com.
So MS links the certificate to server.domain.com, but when the user@domain.com gets active, MS tries to find the certificate for only the domain.com and will not find it because the server is registered with "server.*" in it. (Please note that's how I understood the story and this is no confirmed info.)
Anyway so I made sure I requested a certificate for the highest domain level possible within our organisation so I wouldn't run into issues like that.
Extra info 2
For our initial project where the Sectigo one failed, we ended up ordering at GoDaddy and I can confirm that one works for us.
Kind regards,
Jeroen
- godril, Jun 15, 2020, Brass Contributor
Hmm.. I think this might be something with the derived domain depth. I remember a couple of months ago, my colleague had difficulty setting up custxx.sub.domain.tld (base domain SSL was sub.domain.tld) using GeoTrust. I lost the chat log where he mentioned the problem. In the end he applied SSL for domain.tld instead, hence the derived domain's custxx.domain.tld, and it worked. Need to read more about this. I am sure I am missing a lot of things.
Thank you for the info.
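
An added example, not part of any post in this thread: under standard TLS hostname matching, a wildcard SAN entry covers exactly one label in the left-most position, so the domain depth can be checked before ordering a certificate. The hostnames are the ones mentioned above; the SAN lists and function names are constructed for illustration, and the check is stricter than some clients (partial wildcards such as `f*.domain.com` are never matched).

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate SAN entry covers the hostname.

    A '*' is honoured only as the complete left-most label and stands for
    exactly one label. It never matches the bare parent domain or a name
    that is two or more levels below it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # Different depth: '*.domain.com' vs 'domain.com' or 'a.b.domain.com'
        return False
    if p[0] == "*":
        # Require at least two labels after the wildcard (rejects '*.com')
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def covering_sans(sans, hostname):
    """List the SAN entries that cover the hostname (empty list = no cover)."""
    return [s for s in sans if san_matches(s, hostname)]


def coverage_report(sans, hostnames):
    """Map each planned hostname to the SAN entries that cover it."""
    return {h: covering_sans(sans, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed SAN lists; hostnames are the ones named in the thread.
    cases = [
        (["*.domain.com"], ["server.domain.com", "domain.com"]),
        (["*.domain.tld"], ["custxx.domain.tld", "custxx.sub.domain.tld"]),
        (["*.sub.domain.tld"], ["custxx.sub.domain.tld", "sub.domain.tld"]),
    ]
    for sans, hosts in cases:
        for host, hits in coverage_report(sans, hosts).items():
            status = "covered by " + ", ".join(hits) if hits else "NOT covered"
            print(f"{sans} -> {host}: {status}")
```

To check a real certificate, read its SAN entries with `openssl x509 -in cert.pem -noout -text` and pass them in as `sans`.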