Updating root certificates for Zoom services

 

To maintain Zoom’s high-security standards regarding Zoom applications, connectivity, and media across the Zoom platform, Zoom will begin transitioning its global infrastructure to DigiCert Global Root G2 signed certificates. To ensure that the services continue functioning, admins may need to install new certificates. A quick summary of the various services that will be affected is shown below:

Service/Device type and date of change:

Devices utilizing the Cloud Room Connector*

  • February 3, 2024, 10 PM PDT for Hyderabad domain
  • February 10, 2024, 10 PM PDT for Brazil and Mexico domains
  • February 16, 2024, 10 PM PDT for Australia, Canada and EU domains
  • February 23, 2024, 10 PM PDT for remaining APAC domains
  • March 1, 2024, 10 PM PDT for US domains

Bring your own carrier - Premises (BYOC-Premises)

Beginning August 1, 2023

Generic SIP devices for Zoom Phone

  • March 29, 2024, 9 AM PDT for APAC (Melbourne, Singapore, Hyderabad, Osaka, and Hong Kong) domains
  • March 29, 2024, 5 PM PDT for Canada (Toronto) and Mexico (Queretaro) domains
  • April 5, 2024, 9 AM PDT for APAC (Sydney, Tokyo, and Mumbai) domains
  • April 5, 2024, 5 PM PDT for Canada (Vancouver) and Brazil (Sao Paulo) domains
  • April 12, 2024, 9 AM PDT for Europe (Frankfurt and Leipzig) domains
  • April 12, 2024, 5 PM PDT for US (Virginia 1, Virginia 2, Virginia 3, Virginia 4, Colorado, Colorado 2, and New York 1) domains
  • April 19, 2024, 9 AM PDT for Europe (Amsterdam) domain
  • April 19, 2024, 5 PM PDT for US (North California, North California 2, North California 3, North California 4, North California 5, North California 6, and New York 2) domains

SIP-connected audio devices

January 1, 2024

Single sign-on 

January 1, 2024

*Note: These changes were scheduled to start on January 27th and February 3rd but have been delayed by a week.


How does this affect Zoom Phone?

Zoom is currently in the process of transitioning our root certificate from DigiCert Root CA to DigiCert Global Root G2. As part of this change, customers will be required to upload the DigiCert Global Root G2 into their session border controller (SBC) to ensure that BYOC/BYOP trunks that are configured for TLS continue to operate after the certificate change. These certificates will also need to be uploaded to Generic devices to continue to operate after the certificate change. 

Note: To ensure operation, the current DigiCert Root CA certificates will need to remain on the device until Zoom has updated the new certificates.

For additional resources on how to update the certificates on Session Border Controllers, please see the links below or visit your phone manufacturer’s website.

How does this affect SIP-based room systems?

Zoom CRC services will begin to use certificates issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate for SIP TLS connections.

This change only affects devices connecting to Zoom CRC using SIP TLS. Connections using SIP over TCP, SIP over UDP, and H.323 are unaffected.

Note: To ensure operation, the current DigiCert Root CA certificates will need to remain on the device using SIP TLS to connect to Zoom CRC until Zoom has completed the change. They do not need to be removed from devices using SIP TLS to connect to Zoom CRC after the change.

How can I check whether my SIP-based room system will be impacted?

Zoom understands that this change may have an impact on your SIP-based room systems or integrations that use Zoom CRC services. Zoom performed testing with a variety of common SIP/H.323 conference room equipment in default configuration to ensure the Zoom CRC certificate will not affect their ability to connect to Zoom meetings through Zoom CRC using SIP TLS. Zoom performed the tests with SIP/H.323 conference room equipment using the most recently released device vendor firmware. Zoom tested each device by making direct calls to Zoom CRC with SIP TLS as the configured call protocol. The following device/firmware combinations successfully connected to Zoom CRC using SIP TLS with the new certificates, when the device was in default configuration:

Zoom encourages you to review your SIP/H.323 conference room devices to ensure they meet these requirements. Zoom recommends updating your devices, if necessary, to ensure they are supported with Zoom CRC.

If your device, application, or platform is not listed above and uses SIP, specifically SIP over TLS, to connect to Zoom CRC, consult your vendor’s documentation or contact your vendor’s support services to determine whether the trust store certificates available to your device, application, or platform include the DigiCert Global Root G2 root certificate. Your vendor can provide instructions to install additional certificates, if necessary.

How can I perform a confirmation test ahead of the change with my SIP-based room system?

From a SIP/H.323 device that is configured to use SIP TLS to connect to Zoom CRC, dial the SIP URI "0@dvgo.zmus.us" to connect to a Zoom CRC test service. The Zoom CRC services at dvgo.zmus.us use a certificate issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate for SIP TLS connections.

If the call fails to connect

A failure to connect is likely due to your device or service not trusting the new Zoom CRC certificate issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate.  Review your SIP/H.323 device's logs to confirm why the call failed (e.g. couldn't create TLS connection due to a “verification failure” or “self-signed certificate in the certificate chain,” indicating an absence of trust).  In this event, you may load the DigiCert Global Root G2 root certificate using your device vendor’s management interface.  If the device is not dialing directly to Zoom CRC, e.g. it is registered to on-premises or 3rd party cloud infrastructure, it is also possible the failure is not on the SIP/H.323 device itself, but is somewhere along the call path. Review your infrastructure logs to confirm why the call failed.

If the calls connect successfully

If your SIP/H.323 device connects to the Zoom CRC video IVR and is prompted to enter a meeting ID, the device was likely able to negotiate a SIP TLS connection with Zoom CRC using its new certificate issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate. In this case, you don't need to join a meeting; the device’s ability to connect to the video IVR and receive audio/video is sufficient to test SIP TLS certificate trust.

However, Zoom recommends that you look at the SIP/H.323 device's logs to ensure it actually connected over SIP TLS, and did not fall back to SIP over TCP, SIP over UDP, or H.323 connection methods. If the device is not dialing directly to Zoom CRC, e.g. it is registered to on-premises or 3rd party cloud infrastructure, it is also possible a fall-back occurred somewhere along the call path. In this case, review your infrastructure logs to confirm the call is connected using SIP TLS.
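The log review described in the two cases above can be scripted. This is an added example, not Zoom or vendor code: it assumes the device log contains raw SIP messages, the log excerpts are constructed, and the error patterns cover the two phrases quoted on this page plus OpenSSL-style wording.

```python
import re

TEST_HOST = "dvgo.zmus.us"  # Zoom CRC test service named on this page
# Assumption: vendors word these errors differently; the patterns cover the
# page's two phrases plus OpenSSL-style variants.
TRUST_FAILURE = re.compile(
    r"verif\w*[ _]fail|self[- ]signed certificate in (?:the )?certificate chain",
    re.I)
INVITE = re.compile(r"\bINVITE\s+sips?:(?:[^@\s]+@)?([^\s;:>]+)", re.I)
VIA = re.compile(r"\bVia\s*:\s*SIP/2\.0/(\w+)", re.I)


def review_log(text, host=TEST_HOST):
    """Summarise transport and trust errors for calls to `host` in a SIP trace."""
    transports, failures, want_via = [], [], False
    for line in text.splitlines():
        if TRUST_FAILURE.search(line):
            failures.append(line.strip())
        invite = INVITE.search(line)
        if invite:
            want_via = invite.group(1).lower() == host
            continue
        via = VIA.search(line)
        if via and want_via:
            # The first Via after the request line is the hop the device sent on.
            transports.append(via.group(1).upper())
            want_via = False
    if any(t != "TLS" for t in transports):
        verdict = "fallback"
    elif failures:
        verdict = "trust-failure"
    else:
        verdict = "tls" if transports else "no-test-call"
    return {"verdict": verdict, "transports": transports, "failures": failures}


# Constructed device log excerpts (not taken from any real device).
LOG_TLS = """\
10:00:01 TX INVITE sip:0@dvgo.zmus.us SIP/2.0
10:00:01 TX Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-c1
10:00:02 RX SIP/2.0 200 OK
"""
LOG_FALLBACK = """\
10:05:01 TX INVITE sip:0@dvgo.zmus.us SIP/2.0
10:05:01 TX Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-c2
10:05:01 tls: handshake error: self-signed certificate in the certificate chain
10:05:02 TX INVITE sip:0@dvgo.zmus.us;transport=tcp SIP/2.0
10:05:02 TX Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK-c3
10:05:03 RX SIP/2.0 200 OK
"""
```

A `fallback` verdict means the call reached the IVR but not over SIP TLS, so the test did not confirm trust in the new certificate chain.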

What to do if my SIP/H.323 device is impacted?

You may optionally configure your device, application, or platform to use SIP UDP, SIP TCP, or H.323 to connect to the Conference Room Connector; however, Zoom recommends using SIP TLS. Consult your vendor’s documentation or contact your vendor’s support services to determine whether the trust store certificates available to your device, application, or platform include the DigiCert Global Root G2 root certificate. Your vendor can provide instructions to install the additional certificates listed elsewhere on this page, if necessary. If SIP TLS connectivity is not possible due to an inability to add certificates to the trust store of your device, application, or platform vendor, you could consider replacing your hardware with Zoom Rooms instead.

How does this affect single sign-on (SSO)?

In keeping with standard industry practices, Zoom will be updating its single sign-on (SSO) certificate ahead of its expiration on Tuesday, January 2, 2024. However, before proceeding with the Zoom SSO certificate rotation, please ensure that the DigiCert Global Root G2 is included in your trust stores. Most cloud-based Identity Provider (IdP) services already include this. On-premises IdP servers may require an update to the certificate trust store. Failure to have the DigiCert Global Root G2 included in your trust store will result in service disruption when rotating the Zoom SSO certificate.

How to download root certificates for adding manually

Current root and intermediate certificate

As of March 2024, the G1 root certificates are no longer available, and organizations must utilize the new DigiCert Global Root G2 certificates instead. 

Current root certificate

DigiCert Global Root CA

Downloads

PEM format: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem

DER format: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt

Valid until date: 10/Nov/2031
Serial number: 08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A
SHA1 Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
SHA256 Fingerprint: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61

 

Current intermediate certificate

DigiCert TLS RSA SHA256 2020 CA1 certificate

Downloads

PEM format: https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem 

DER format: https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt 

Valid until date: 13/Apr/2031
Serial number: 06:D8:D9:04:D5:58:43:46:F6:8A:2F:A7:54:22:7E:C4
SHA1 Fingerprint: 1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD
SHA256 Fingerprint: 52:27:4C:57:CE:4D:EE:3B:49:DB:7A:7F:F7:08:C0:40:F7:71:89:8B:3B:E8:87:25:A8:6F:B4:43:01:82:FE:14

 

New root and intermediate certificates

New root certificates

We currently issue certificates through DigiCert. If the root certificate is not in your system's trust store, it may need to be added manually. Below are the current certificates organizations should utilize by January 1, 2024: 

DigiCert Global Root G2 certificate

Downloads

PEM format: https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem

DER format: https://cacerts.digicert.com/DigiCertGlobalRootG2.crt 

Valid until date: 15/Jan/2038
Serial number: 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5
SHA1 Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
SHA256 Fingerprint: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

 

DigiCert TLS RSA4096 Root G5 certificate

Downloads

PEM format: https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt.pem
DER format: https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt

Valid until date: 14/Jan/2046
Serial number: 08:F9:B4:78:A8:FA:7E:DA:6A:33:37:89:DE:7C:CF:8A
SHA1 Fingerprint: A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35
SHA256 Fingerprint: 37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75

New intermediate certificates

In rare instances, a system may require the intermediate certificate to be added manually:

DigiCert Global G2 TLS RSA SHA256 2020 CA1

Downloads

PEM format: https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem 
DER format: https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt 

Valid until date: 29/Mar/2031
Serial number: 0C:F5:BD:06:2B:56:02:F4:7A:B8:50:2C:23:CC:F0:66
SHA1 Fingerprint: 1B:51:1A:BE:AD:59:C6:CE:20:70:77:C0:BF:0E:00:43:B1:38:26:12
SHA256 Fingerprint: C8:02:5F:9F:C6:5F:DF:C9:5B:3C:A8:CC:78:67:B9:A5:87:B5:27:79:73:95:79:17:46:3F:C8:13:D0:B6:25:A9

 

DigiCert G5 TLS RSA4096 SHA384 2021 CA1

Downloads

PEM format: https://cacerts.digicert.com/DigiCertG5TLSRSA4096SHA3842021CA1-1.crt.pem 
DER format: https://cacerts.digicert.com/DigiCertG5TLSRSA4096SHA3842021CA1-1.crt 

Valid until date: 13/Apr/2031
Serial number: 0E:64:58:E7:54:EC:9C:C7:BA:C8:32:31:D5:F9:4D:58
SHA1 Fingerprint: 81:5C:D8:FF:64:BE:AC:E0:7E:F8:F2:F9:D5:33:01:1F:A4:79:36:58
SHA256 Fingerprint: C6:27:0A:15:06:91:FB:E1:90:D8:31:F5:13:9B:DF:EE:CF:7B:29:8B:4F:A0:CA:17:30:6A:69:D7:E9:1E:7B:A2
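One way to check an exported PEM trust store against the SHA-256 fingerprints listed on this page, covering both the old root (which must stay until Zoom completes the change) and DigiCert Global Root G2. This is an added example, not Zoom or DigiCert code; the function names are hypothetical and the sample bundle is built from placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# SHA-256 fingerprints exactly as listed on this page.
PAGE_FINGERPRINTS = {
    "DigiCert Global Root CA":
        "43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:"
        "D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61",
    "DigiCert Global Root G2":
        "CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:"
        "47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F",
}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def normalize(fingerprint):
    """Turn 'AB:cd:..' or 'abcd..' into lowercase hex without separators."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def bundle_fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate block in a PEM bundle."""
    found = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def audit_bundle(pem_text, required=PAGE_FINGERPRINTS):
    """Map each required certificate name to True if the bundle contains it."""
    present = bundle_fingerprints(pem_text)
    return {name: normalize(fp) in present for name, fp in required.items()}


def make_pem(der):
    """Wrap raw bytes as a PEM block (used only to build the constructed input)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed input: placeholder bytes standing in for a vendor's exported bundle.
SAMPLE_DER = b"constructed placeholder, not a real certificate " * 3
SAMPLE_BUNDLE = "# exported trust store (constructed)\n" + make_pem(SAMPLE_DER)

if __name__ == "__main__":
    for name, ok in audit_bundle(SAMPLE_BUNDLE).items():
        print(f"{name}: {'present' if ok else 'MISSING'}")
```

The same comparison applied to a freshly downloaded root confirms it matches the listed fingerprint before it is loaded onto a device.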

 

For more information on downloading DigiCert certificates, please see DigiCert Support.