Updating root certificates for Zoom services

To maintain Zoom’s high-security standards regarding Zoom applications, connectivity, and media across the Zoom platform, Zoom will begin transitioning its global infrastructure to DigiCert Global Root G2 signed certificates. To ensure that the services continue functioning, admins may need to install new certificates. A quick summary of the various services that will be affected is shown below:

Service/Device typeDate of change

Devices utilizing the Cloud Room Connector*

  • February 3, 2024, 10 PM PDT for Hyderabad domain
  • February 10, 2024, 10 PM PDT for Brazil and Mexico domains
  • February 16, 2024, 10 PM PDT for Australia, Canada and EU domains
  • February 23, 2024, 10 PM PDT for remaining APAC domains
  • March 1, 2024, 10 PM PDT for US domains

Bring your own carrier - Premises (BYOC-Premises)

Beginning August 1, 2023

Generic SIP devices for Zoom Phone

  • March 29, 2024, 9 AM PDT for APAC (Melbourne, Singapore, Hyderabad, Osaka, and Hong Kong) domains
  • March 29, 2024, 5 PM PDT for Canada (Toronto) and Mexico (Queretaro) domains
  • April 5, 2024, 9 AM PDT for APAC (Sydney, Tokyo, and Mumbai) domains
  • April 5, 2024, 5 PM PDT for Canada (Vancouver) and Brazil (Sao Paulo) domains
  • April 12, 2024, 9 AM PDT for Europe (Frankfurt and Leipzig) domains
  • April 12, 2024, 5 PM PDT for US (Virginia 1, Virginia 2, Virginia 3, Virginia 4, Colorado, Colorado 2, and New York 1) domains
  • April 19, 2024, 9 AM PDT for Europe (Amsterdam) domain
  • April 19, 2024, 5 PM PDT for US (North California, North California 2, North California 3, North California 4, North California 5, North California 6, and New York 2) domains

SIP-connected audio devices

January 1, 2024

Single sign-on 

January 1, 2024

*Note: These changes were scheduled to start on January 27th and February 3rd but have been delayed by a week.

Table of Contents

How does this affect Zoom Phone?

Zoom is currently in the process of transitioning our root certificate from DigiCert Root CA to DigiCert Global Root G2. As part of this change, customers will be required to upload the DigiCert Global Root G2 into their session border controller (SBC) to ensure that BYOC/BYOP trunks that are configured for TLS continue to operate after the certificate change. These certificates will also need to be uploaded to Generic devices to continue to operate after the certificate change.

Note: To ensure operation, the current DigiCert Root CA certificates will need to remain on the device until Zoom has updated the new certificates.

For additional resources on how to update the certificates on Session Border Controllers, please see the links below or visit your phone manufacturer’s website.

How does this affect SIP-based room systems?

Zoom CRC services will begin to use certificates issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate for SIP TLS connections.

This change only affects devices connecting to Zoom CRC using SIP TLS. Connections using SIP over TCP, SIP over UDP, and H.323 are unaffected.

Note: To ensure operation, the current DigiCert Root CA certificates will need to remain on the device using SIP TLS to connect to Zoom CRC until Zoom has completed the change. They do not need to be removed from devices using SIP TLS to connect to Zoom CRC after the change.

How can I check whether my SIP-based room system will be impacted?

Zoom understands that this change may have an impact on your SIP-based room systems or integrations that use Zoom CRC services. Zoom performed testing with a variety of common SIP/H.323 conference room equipment in default configuration to ensure the Zoom CRC certificate will not affect their ability to connect to Zoom meetings through Zoom CRC using SIP TLS. Zoom performed the tests with SIP/H.323 conference room equipment using the most recently released device vendor firmware. Zoom tested each device by making direct calls to Zoom CRC with SIP TLS as the configured call protocol. The following device/firmware combinations successfully connected to Zoom CRC using SIP TLS with the new certificates, when the device was in default configuration:

Zoom encourages you to review your SIP/H.323 conference room devices to ensure they meet these requirements. Zoom recommends updating your devices, if necessary, to ensure they are supported with Zoom CRC.

If your device, application, or platform is not listed above, and uses SIP, specifically SIP over TLS, to connect to Zoom CRC consult your vendor’s documentation or contact your vendor’s support services to determine whether the trust store certificates available to your device, application, or platform include the DigiCert Global Root G2 root certificate. Your vendor can provide instructions to install additional certificates, if necessary.

How can I perform a confirmation test ahead of the change with my SIP-based room system?

From a SIP/H.323 device that is configured to use SIP TLS to connect to Zoom CRC, dial the SIP URI "0@dvgo.zmus.us" to connect to a Zoom CRC test service. The Zoom CRC services at dvgo.zmus.us use a certificate issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate for SIP TLS connections.

If the call fails to connect

A failure to connect is likely due to your device or service not trusting the new Zoom CRC certificate issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate. Review your SIP/H.323 device's logs to confirm why the call failed (e.g. couldn't create TLS connection due to a “verification failure” or “self-signed certificate in the certificate chain,” indicating an absence of trust). In this event, you may load the DigiCert Global Root G2 root certificate using your device vendor’s management interface. If the device is not dialing directly to Zoom CRC, e.g. it is registered to on-premises or 3rd party cloud infrastructure, it is also possible the failure is not on the SIP/H.323 device itself, but is somewhere along the call path. Review your infrastructure logs to confirm why the call failed.

If the calls connect successfully

If your SIP/H.323 device connects to the Zoom CRC video IVR and is prompted to enter a meeting ID, the device was likely able to negotiate a SIP TLS connection with Zoom CRC using its new certificate issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate. In this case, you don't need to join a meeting; the device’s ability to connect to the video IVR and receive audio/video is sufficient to test SIP TLS certificate trust.

However, Zoom recommends that you look at the SIP/H.323 device's logs to ensure it actually connected over SIP TLS, and did not fall back to SIP over TCP, SIP over UDP, or H.323 connection methods. If the device is not dialing directly to Zoom CRC, e.g. it is registered to on-premises or 3rd party cloud infrastructure, it is also possible a fall-back occurred somewhere along the call path. In this case, review your infrastructure logs to confirm the call is connected using SIP TLS.

What to do if my SIP/H.323 device is impacted?

You may optionally configure your device, application, or platform to use SIP UDP, SIP TCP, or H.323 to connect to the Conference Room Connector, however, Zoom recommends using SIP TLS. Consult your vendor’s documentation or contact your vendor’s support services to determine whether the trust store certificates available to your device, application, or platform include the DigiCert Global Root G2 root certificate. Your vendor can provide instructions to install the additional certificates listed elsewhere on this page, if necessary. If SIP TLS connectivity is not possible due to an inability to add certificates to the trust store of your device, application, or platform vendor, you could consider replacing your hardware with Zoom Rooms instead.

How does this affect single sign-on (SSO)?

In keeping up with standard industry practices, Zoom will be updating its single sign-on (SSO) certificate ahead of its expiration on Tuesday, January 2, 2024. However, before proceeding with the Zoom SSO certificate rotation, please ensure that the DigiCert Global Root G2 is included in your trust stores. Most cloud-based Identity Provider (IdP) services already include this. On-premise-based IDP servers may require an update to the certificate trust store. Failure to have the DigiCert Global Root G2 included in your trust store will result in service disruption when rotating the Zoom SSO certificate.

How to download root certificates for adding manually

Current root and intermediate certificate

As of March 2024, the G1 root certificates are no longer available, and organizations must utilize the new DigiCert Global Root G2 certificates instead.

Current root certificate

DigiCert Global Root CA

 

Downloads

PEM format: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem

DER format: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt

Valid until date10/Nov/2031
Serial number08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A
SHA1 FingerprintA8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
SHA256 Fingerprint43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61

 

Current immediate certificate

DigiCert TLS RSA SHA256 2020 CA1 certificate

 

Downloads

PEM format: https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem

DER format: https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt

Valid until date13/Apr/2031
Serial number06:D8:D9:04:D5:58:43:46:F6:8A:2F:A7:54:22:7E:C4
SHA1 Fingerprint1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD
SHA256 Fingerprint52:27:4C:57:CE:4D:EE:3B:49:DB:7A:7F:F7:08:C0:40:F7:71:89:8B:3B:E8:87:25:A8:6F:B4:43:01:82:FE:14

 

New root and intermediate certificates

New root certificates

We currently issue certificates through DigiCert. If the root certificate is not in your system's trust store, it may need to be added manually. Below are the current certificates organizations should utilize by January 1, 2024:

DigiCert Global Root G2 certificate

 

Downloads

PEM format: https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem

DER format: https://cacerts.digicert.com/DigiCertGlobalRootG2.crt

Valid until date15/Jan/2038
Serial number03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5
SHA1 FingerprintDF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
SHA256 FingerprintCB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

 

DigiCert TLS RSA4096 Root G5 certificate

 

DownloadsPEM format: https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt.pem
DER format: https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt
Valid until date14/Jan/2046
Serial number08:F9:B4:78:A8:FA:7E:DA:6A:33:37:89:DE:7C:CF:8A
SHA1 FingerprintA7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35
SHA256 Fingerprint37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75

New intermediate certificates

In rare instances, a system may require the intermediate certificate to be added manually:

DigiCert Global G2 TLS RSA SHA256 2020 CA1

 

Downloads

PEM format: https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem
DER format: https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt

Valid until date29/Mar/2031
Serial number0C:F5:BD:06:2B:56:02:F4:7A:B8:50:2C:23:CC:F0:66
SHA1 Fingerprint1B:51:1A:BE:AD:59:C6:CE:20:70:77:C0:BF:0E:00:43:B1:38:26:12
SHA256 FingerprintC8:02:5F:9F:C6:5F:DF:C9:5B:3C:A8:CC:78:67:B9:A5:87:B5:27:79:73:95:79:17:46:3F:C8:13:D0:B6:25:A9

 

DigiCert G5 TLS RSA4096 SHA384 2021 CA1

 

Downloads

PEM format: https://cacerts.digicert.com/DigiCertG5TLSRSA4096SHA3842021CA1-1.crt.pem
DER format: https://cacerts.digicert.com/DigiCertG5TLSRSA4096SHA3842021CA1-1.crt

Valid until date13/Apr/2031
Serial number0E:64:58:E7:54:EC:9C:C7:BA:C8:32:31:D5:F9:4D:58
SHA1 Fingerprint81:5C:D8:FF:64:BE:AC:E0:7E:F8:F2:F9:D5:33:01:1F:A4:79:36:58
SHA256 FingerprintC6:27:0A:15:06:91:FB:E1:90:D8:31:F5:13:9B:DF:EE:CF:7B:29:8B:4F:A0:CA:17:30:6A:69:D7:E9:1E:7B:A2

 

For more information on downloading Digicert certificates, please Digicert Support.