Twilio updating CA bundles

Heya people,

A quick question, we received an email from Twilio today with the following content

You’re receiving this email from Twilio because you’re a current Twilio Programmable Voice SIP Interface and/or Elastic SIP trunking customer that has connected to Twilio using SIP TLS in the past 30 days.
What do you need to know? 
Effective November 1, 2023, Twilio will renew our SIP TLS certificates. The Root Certificate Authority (CA) used for signing our certificates will change, which may impact your service if you haven’t already configured your SIP equipment to trust the new certificates.
If you haven’t already loaded our previous, larger CA bundle on your SIP server(s), you can now download and use our new, smaller CA bundle; this version only contains a few entries and is much easier to load on SIP servers due to its smaller size.
Why is this happening?
We try to keep the same root CA when we renew the TLS certificate used by our SIP infrastructure; however, the latest upgrade has a different root CA than the one we previously used. This is due to our signing authority, Digicert, changing the version of their root CA in accordance with Mozilla’s distrust policy. 
We created a smaller CA bundle because our previous CA bundles contained a large number of root CAs that some SIP servers couldn’t load due to its size.
What do you need to do?

If you’ve already loaded all certificates in Twilio’s previous, larger CA bundle, you can continue to use it on your SIP infrastructure; no further action is needed.

If you use SIP over TLS to connect to Twilio SIP endpoints, connect to any Twilio Edge location other than Ashburn/US1 Public SIP Edge, and you haven’t loaded all certificates from one of our CA bundles, you need to take the following steps before November 1, 2023:
Load the new Twilio CA trust bundle (ca-bundle-sip.crt) in your SIP servers that sit at the edge of your network (such as SBC, or PBX). Review your SIP server’s manual or check with your vendor to learn how to load the CA bundle.
Check your SIP server manual or your vendor to determine which certificates your specific SIP server trusts. Make sure your SIP server trusts these certificates (included in both bundles listed above):
DigiCert Global Root CA
DigiCert Global Root G2
DigiCert Global Root G3
You can monitor the health of your calls using Voice Insights in the Twilio Console.
How can I test if my server is set up correctly?
The Ashburn, Virginia edge location uses the updated DigiCert Global Root G2 root certificate. You can point your SIP server to this edge location using a localized domain, and place test calls. The Twilio SIP URI to send SIP traffic to varies by product, but will be one of the following:
{yourdomain} for Programmable Voice SIP Interface
{yourdomain} for Elastic SIP Trunking
Will the Twilio CA bundle change in the future?
We update bundles when root certificates expire or are deemed untrustworthy by the CA. We’ll contact you via email ahead of any changes, so make sure your Twilio account has accurate contact information.
What if you don’t take action?
If you don’t update your Twilio SIP TLS Certificate by November 1, 2023, your Programmable Voice SIP and Elastic SIP Trunking calls that use TLS for encryption will fail.
For more information about securing your SIP communications with Twilio, review our guides on Elastic SIP trunking and Programmable Voice SIP interfaces.
Team Twilio


; pjsip.conf

; pjsip_wizard.conf


Does this require any action from our side? We are running multiple asterisk installations on AWS on ubuntu 22.04 with Twilio as our SIP trunk provider.

The trunk configuration is using a SSL certificate from Lets Encrypt.
Regards Jerome


Can you try on your test PBX with the test server they provided ie. s/dublin/ashburn/ ?

Also are you specifying in your PJSIP configs ca_list_path or ca_list_file ? And whatabout verify_server ?

Your configuration is set up to skip far-end certificate verification…

verify_client=no verify_server=no

If you don’t verify remote certs then configuring root CAs doesn’t really matter.

  • Darrin

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.