To ensure reliable, standards-compliant SIP-TLS connectivity with 9Line, customers should update their SBC trust configuration. This change prevents future certificate validation issues when certificate authorities rotate intermediates.
Why this change?
- Some deployments imported intermediate CA certificates into the SBC trust store, which effectively pins validation to a specific intermediate.
- When the CA rotates intermediates as part of its normal lifecycle, TLS validation can fail even though the server presents a valid chain.
- Going forward, 9Line recommends that customers follow current industry best practice and trust only the self-signed root CA; the 9Line SBC always presents the intermediates during the TLS handshake.
Action required
- Remove any intermediate CA certificates from your SBC trustpoint or trust store.
- Import the current self-signed root CA.
- Confirm your SIP-TLS configuration references the trustpoint that contains only this root.
What to expect
- No downtime is required for this change in most environments.
- After this update, you should not need to modify your trust store when intermediates rotate. Updates are only needed if the CA changes the root.
Documentation
For step-by-step instructions (including Cisco CUBE examples), please see our guide:
Securing Traffic with TLS-SRTP
Support
If you have questions, please contact 9Line Support.