To maintain Zoom’s high-security standards regarding Zoom applications, connectivity, and media across the Zoom platform, Zoom will begin transitioning its global infrastructure to DigiCert Global Root G2 signed certificates. To ensure that the services continue functioning, admins may need to install new certificates. A quick summary of the various services that will be affected is shown below:
Service/Device type | Date of change |
Devices utilizing the Cloud Room Connector* |
|
Bring your own carrier - Premises (BYOC-Premises) |
Beginning August 1, 2023 |
Generic SIP devices for Zoom Phone |
|
SIP-connected audio devices |
January 1, 2024 |
Single sign-on |
January 1, 2024 |
*Note: These changes were scheduled to start on January 27th and February 3rd but have been delayed by a week.
Zoom is currently in the process of transitioning our root certificate from DigiCert Root CA to DigiCert Global Root G2. As part of this change, customers will be required to upload the DigiCert Global Root G2 into their session border controller (SBC) to ensure that BYOC/BYOP trunks that are configured for TLS continue to operate after the certificate change. These certificates will also need to be uploaded to Generic devices to continue to operate after the certificate change.
Note: To ensure operation, the current DigiCert Root CA certificates will need to remain on the device until Zoom has updated the new certificates.
For additional resources on how to update the certificates on Session Border Controllers, please see the links below or visit your phone manufacturer’s website.
Zoom CRC services will begin to use certificates issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate for SIP TLS connections.
This change only affects devices connecting to Zoom CRC using SIP TLS. Connections using SIP over TCP, SIP over UDP, and H.323 are unaffected.
Note: To ensure operation, the current DigiCert Root CA certificates will need to remain on the device using SIP TLS to connect to Zoom CRC until Zoom has completed the change. They do not need to be removed from devices using SIP TLS to connect to Zoom CRC after the change.
Zoom understands that this change may have an impact on your SIP-based room systems or integrations that use Zoom CRC services. Zoom performed testing with a variety of common SIP/H.323 conference room equipment in default configuration to ensure the Zoom CRC certificate will not affect their ability to connect to Zoom meetings through Zoom CRC using SIP TLS. Zoom performed the tests with SIP/H.323 conference room equipment using the most recently released device vendor firmware. Zoom tested each device by making direct calls to Zoom CRC with SIP TLS as the configured call protocol. The following device/firmware combinations successfully connected to Zoom CRC using SIP TLS with the new certificates, when the device was in default configuration:
Zoom encourages you to review your SIP/H.323 conference room devices to ensure they meet these requirements. Zoom recommends updating your devices, if necessary, to ensure they are supported with Zoom CRC.
If your device, application, or platform is not listed above, and uses SIP, specifically SIP over TLS, to connect to Zoom CRC consult your vendor’s documentation or contact your vendor’s support services to determine whether the trust store certificates available to your device, application, or platform include the DigiCert Global Root G2 root certificate. Your vendor can provide instructions to install additional certificates, if necessary.
From a SIP/H.323 device that is configured to use SIP TLS to connect to Zoom CRC, dial the SIP URI "0@dvgo.zmus.us" to connect to a Zoom CRC test service. The Zoom CRC services at dvgo.zmus.us use a certificate issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate for SIP TLS connections.
A failure to connect is likely due to your device or service not trusting the new Zoom CRC certificate issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate. Review your SIP/H.323 device's logs to confirm why the call failed (e.g. couldn't create TLS connection due to a “verification failure” or “self-signed certificate in the certificate chain,” indicating an absence of trust). In this event, you may load the DigiCert Global Root G2 root certificate using your device vendor’s management interface. If the device is not dialing directly to Zoom CRC, e.g. it is registered to on-premises or 3rd party cloud infrastructure, it is also possible the failure is not on the SIP/H.323 device itself, but is somewhere along the call path. Review your infrastructure logs to confirm why the call failed.
If your SIP/H.323 device connects to the Zoom CRC video IVR and is prompted to enter a meeting ID, the device was likely able to negotiate a SIP TLS connection with Zoom CRC using its new certificate issued by the DigiCert Global Root G2 root certificate and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate. In this case, you don't need to join a meeting; the device’s ability to connect to the video IVR and receive audio/video is sufficient to test SIP TLS certificate trust.
However, Zoom recommends that you look at the SIP/H.323 device's logs to ensure it actually connected over SIP TLS, and did not fall back to SIP over TCP, SIP over UDP, or H.323 connection methods. If the device is not dialing directly to Zoom CRC, e.g. it is registered to on-premises or 3rd party cloud infrastructure, it is also possible a fall-back occurred somewhere along the call path. In this case, review your infrastructure logs to confirm the call is connected using SIP TLS.
You may optionally configure your device, application, or platform to use SIP UDP, SIP TCP, or H.323 to connect to the Conference Room Connector, however, Zoom recommends using SIP TLS. Consult your vendor’s documentation or contact your vendor’s support services to determine whether the trust store certificates available to your device, application, or platform include the DigiCert Global Root G2 root certificate. Your vendor can provide instructions to install the additional certificates listed elsewhere on this page, if necessary. If SIP TLS connectivity is not possible due to an inability to add certificates to the trust store of your device, application, or platform vendor, you could consider replacing your hardware with Zoom Rooms instead.
In keeping up with standard industry practices, Zoom will be updating its single sign-on (SSO) certificate ahead of its expiration on Tuesday, January 2, 2024. However, before proceeding with the Zoom SSO certificate rotation, please ensure that the DigiCert Global Root G2 is included in your trust stores. Most cloud-based Identity Provider (IdP) services already include this. On-premise-based IDP servers may require an update to the certificate trust store. Failure to have the DigiCert Global Root G2 included in your trust store will result in service disruption when rotating the Zoom SSO certificate.
As of March 2024, the G1 root certificates are no longer available, and organizations must utilize the new DigiCert Global Root G2 certificates instead.
DigiCert Global Root CA
Downloads |
PEM format: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem DER format: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt |
Valid until date | 10/Nov/2031 |
Serial number | 08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A |
SHA1 Fingerprint | A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36 |
SHA256 Fingerprint | 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61 |
DigiCert TLS RSA SHA256 2020 CA1 certificate
Downloads |
PEM format: https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem DER format: https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt |
Valid until date | 13/Apr/2031 |
Serial number | 06:D8:D9:04:D5:58:43:46:F6:8A:2F:A7:54:22:7E:C4 |
SHA1 Fingerprint | 1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD |
SHA256 Fingerprint | 52:27:4C:57:CE:4D:EE:3B:49:DB:7A:7F:F7:08:C0:40:F7:71:89:8B:3B:E8:87:25:A8:6F:B4:43:01:82:FE:14 |
We currently issue certificates through DigiCert. If the root certificate is not in your system's trust store, it may need to be added manually. Below are the current certificates organizations should utilize by January 1, 2024:
DigiCert Global Root G2 certificate
Downloads |
PEM format: https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem DER format: https://cacerts.digicert.com/DigiCertGlobalRootG2.crt |
Valid until date | 15/Jan/2038 |
Serial number | 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5 |
SHA1 Fingerprint | DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4 |
SHA256 Fingerprint | CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F |
DigiCert TLS RSA4096 Root G5 certificate
Downloads | PEM format: https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt.pem DER format: https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt |
Valid until date | 14/Jan/2046 |
Serial number | 08:F9:B4:78:A8:FA:7E:DA:6A:33:37:89:DE:7C:CF:8A |
SHA1 Fingerprint | A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35 |
SHA256 Fingerprint | 37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75 |
In rare instances, a system may require the intermediate certificate to be added manually:
DigiCert Global G2 TLS RSA SHA256 2020 CA1
Downloads |
PEM format: https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem |
Valid until date | 29/Mar/2031 |
Serial number | 0C:F5:BD:06:2B:56:02:F4:7A:B8:50:2C:23:CC:F0:66 |
SHA1 Fingerprint | 1B:51:1A:BE:AD:59:C6:CE:20:70:77:C0:BF:0E:00:43:B1:38:26:12 |
SHA256 Fingerprint | C8:02:5F:9F:C6:5F:DF:C9:5B:3C:A8:CC:78:67:B9:A5:87:B5:27:79:73:95:79:17:46:3F:C8:13:D0:B6:25:A9 |
DigiCert G5 TLS RSA4096 SHA384 2021 CA1
Downloads |
PEM format: https://cacerts.digicert.com/DigiCertG5TLSRSA4096SHA3842021CA1-1.crt.pem |
Valid until date | 13/Apr/2031 |
Serial number | 0E:64:58:E7:54:EC:9C:C7:BA:C8:32:31:D5:F9:4D:58 |
SHA1 Fingerprint | 81:5C:D8:FF:64:BE:AC:E0:7E:F8:F2:F9:D5:33:01:1F:A4:79:36:58 |
SHA256 Fingerprint | C6:27:0A:15:06:91:FB:E1:90:D8:31:F5:13:9B:DF:EE:CF:7B:29:8B:4F:A0:CA:17:30:6A:69:D7:E9:1E:7B:A2 |
For more information on downloading Digicert certificates, please Digicert Support.