Microsoft is making changes to its certificates, and it is important to understand how these changes will impact your deployments. Azure will be changed to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline Requirements.
Microsoft has said, “This was reported on 1 July 2020 and impacts multiple popular Public Key Infrastructure (PKI) providers worldwide. Today, most of the TLS certificates used by Azure services are issued from the Baltimore CyberTrust Root PKI. Following this change, Azure services will use certificates issued by a different set of CAs (Certificate Authorities), chaining up to different Root CAs.”
When will this change happen?
- Azure Active Directory (Azure AD) services began this transition on July 7, 2020.
- All newly created Azure TLS/SSL endpoints contain updated certificates chaining up to the new Root CAs.
- Existing Azure endpoints will transition in a phased manner beginning August 13, 2020, and complete by October 26, 2020.
- Azure IoT Hub and DPS will remain on the Baltimore CyberTrust Root CA, but their intermediate CAs will change. See the separate announcement for details.
- Azure Storage will remain on the Baltimore CyberTrust Root CA, but its intermediate CAs will change. See the separate announcement for details.
What’s changing?
Today, most of the TLS certificates used by Azure services chain up to the following Root CA:
| Common name of the CA | Thumbprint (SHA1) |
|---|---|
| Baltimore CyberTrust Root | d4de20d05e66fc53fe1a50882c78db2852cae474 |
After the change, the TLS certificates used by Azure services will chain up to one of the following Root CAs:
| Common name of the CA | Thumbprint (SHA1) |
|---|---|
| DigiCert Global Root G2 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| DigiCert Global Root CA | a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436 |
| Baltimore CyberTrust Root | d4de20d05e66fc53fe1a50882c78db2852cae474 |
| D-TRUST Root Class 3 CA 2 2009 | 58e8abb0361533fb80f79b1b6d29d3ff8d5f00f0 |
| Microsoft RSA Root Certificate Authority 2017 | 73a5e64a3bff8316ff0edccc618a906e4eae4d74 |
| Microsoft EV ECC Root Certificate Authority 2017 | 6b1937abfd64e1e40daf2262a27857c015d6228d |
Are you impacted?
You are impacted if your applications explicitly specify a list of acceptable CAs (a practice known as certificate pinning).
Review the documentation, which describes how to check whether your application is impacted and how to mitigate it. It includes the list of all the CAs that you must trust when using Azure services.
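The following is an added example (not Microsoft's code) of the two checks a pinning application needs here: normalising thumbprints as tools print them (openssl colon-separated, Windows space-separated, mixed case) so they can be compared against the roots listed above, reporting which post-change roots a pin list is still missing, and pinning the presented chain at the root by SHA1 thumbprint. The certificate bytes in the usage section are constructed placeholders, not real DER certificates.

```python
from __future__ import annotations
import hashlib

# Root CA SHA1 thumbprints exactly as listed in the tables above (lowercase hex).
BALTIMORE_CYBERTRUST_ROOT = "d4de20d05e66fc53fe1a50882c78db2852cae474"
AZURE_ROOTS_AFTER_CHANGE = {
    "DigiCert Global Root G2": "df3c24f9bfd666761b268073fe06d1cc8d4f82a4",
    "DigiCert Global Root CA": "a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436",
    "Baltimore CyberTrust Root": BALTIMORE_CYBERTRUST_ROOT,
    "D-TRUST Root Class 3 CA 2 2009": "58e8abb0361533fb80f79b1b6d29d3ff8d5f00f0",
    "Microsoft RSA Root Certificate Authority 2017": "73a5e64a3bff8316ff0edccc618a906e4eae4d74",
    "Microsoft EV ECC Root Certificate Authority 2017": "6b1937abfd64e1e40daf2262a27857c015d6228d",
}

def normalize_thumbprint(value: str) -> str:
    """Accept 'SHA1 Fingerprint=D4:DE:...' (openssl), 'd4 de 20 ...' (Windows) or
    plain hex in any case, and return 40 lowercase hex characters without separators."""
    if "=" in value:
        value = value.split("=", 1)[1]
    digest = "".join(ch for ch in value if ch.isalnum()).lower()
    if len(digest) != 40 or any(ch not in "0123456789abcdef" for ch in digest):
        raise ValueError(f"not a SHA1 thumbprint: {value!r}")
    return digest

def sha1_thumbprint(der_cert: bytes) -> str:
    """A certificate thumbprint is SHA1 over the certificate's DER encoding."""
    return hashlib.sha1(der_cert).hexdigest()

def missing_roots(pinned: set[str]) -> set[str]:
    """Names of post-change Azure roots absent from a pin list. A non-empty result
    means TLS validation will start failing as endpoints roll over to those roots."""
    pinned_norm = {normalize_thumbprint(t) for t in pinned}
    return {name for name, tp in AZURE_ROOTS_AFTER_CHANGE.items() if tp not in pinned_norm}

def root_is_pinned(der_chain: list[bytes], pinned: set[str]) -> bool:
    """Pin at the root: the last certificate of the presented chain (leaf first)
    must match one of the allowed thumbprints; anything else is rejected."""
    if not der_chain:
        return False
    pinned_norm = {normalize_thumbprint(t) for t in pinned}
    return sha1_thumbprint(der_chain[-1]) in pinned_norm

if __name__ == "__main__":
    # A pin list that still trusts only the old root, as many deployments did.
    old_pins = {"SHA1 Fingerprint=D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74"}
    print("roots to add before the rollover:", sorted(missing_roots(old_pins)))
    fake_chain = [b"constructed leaf", b"constructed intermediate", b"constructed root"]  # placeholders
    print("chain accepted by old pins:", root_is_pinned(fake_chain, old_pins))  # False
```

Run the script against your real pin list to see which of the six roots must be added; after the old certificates are retired (see below), the Baltimore entry can be removed from the list.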
If you have questions, get answers from community experts in Microsoft Q&A.
If you have a support plan and you need technical help, please create a support request:
- Under Issue type, select Technical.
- Under Subscription, select your subscription.
- Under Service, select My Services, then select your service for this issue.
- Under Summary, type a description of your issue.
- Under Problem type, select the option that best suits your description.
When can I retire the old intermediate thumbprint?
The current CA certificates will not be revoked until February 15, 2021. After that date, you can remove the old thumbprints from your code.
Warning: All of this will be a breaking change, so make sure to follow up on this one and take action now!