Microsoft is making changes to their certificates and it is important to understand how these changes will impact your deployments.  Azure will be changed to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements.

Microsoft has said, “This was reported on 1 July 2020 and impacts multiple popular Public Key Infrastructure (PKI) providers worldwide. Today, most of the TLS certificates used by Azure services are issued from the Baltimore CyberTrust Root PKI. Following this change, Azure services will use certificates issued by a different set of CAs (Certificate Authorities), chaining up to different Root CAs.”

When will this change happen?

  • Azure Active Directory (Azure AD) services began this transition on July 7, 2020.
  • All newly created Azure TLS/SSL endpoints contain updated certificates chaining up to the new Root CAs.
  • Existing Azure endpoints will transition in a phased manner beginning August 13, 2020, and complete by October 26, 2020.
  • Azure IoT Hub and DPS will remain on Baltimore CyberTrust Root CA but their intermediate CAs will change. Click here for details.
  • Azure Storage will remain on Baltimore CyberTrust Root CA but their intermediate CAs will change. Click here for details.

What’s changing?

Today, most of the TLS certificates used by Azure services chain up to the following Root CA:

Common name of the CAThumbprint (SHA1)
Baltimore CyberTrust Rootd4de20d05e66fc53fe1a50882c78db2852cae474

After the change, the TLS certificates used by Azure services will chain up to one of the following Root CAs:

Common name of the CAThumbprint (SHA1)
DigiCert Global Root G2df3c24f9bfd666761b268073fe06d1cc8d4f82a4
DigiCert Global Root CAa8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
Baltimore CyberTrust Rootd4de20d05e66fc53fe1a50882c78db2852cae474
D-TRUST Root Class 3 CA 2 200958e8abb0361533fb80f79b1b6d29d3ff8d5f00f0
Microsoft RSA Root Certificate Authority 201773a5e64a3bff8316ff0edccc618a906e4eae4d74
Microsoft EV ECC Root Certificate Authority 20176b1937abfd64e1e40daf2262a27857c015d6228d

Are you impacted?

If your applications explicitly specify a list of acceptable CAs (a practice known as certificate pinning).

Review the documentation which describes how to check if your application is impacted, and how to mitigate it. It includes the list of all the CAs that you must trust when using Azure services.

If you have questions, get answers from community experts in Microsoft Q&A.

If you have a support plan and you need technical help, please create a support request:

  1. Under Issue type, select Technical.
  2. Under Subscription, select your subscription.
  3. Under Service, select My Services, then select your service for this issue.
  4. Under Summary, type a description of your issue.
  5. Under Problem type, select the option that best suits your description.

When can I retire the old intermediate thumbprint?

The current CA certificates will not be revoked until February 15, 2021. After that date, you can remove the old thumbprints from your code.

Warning: All of this will be a breaking change, so make sure to follow up on this one and take action now!

Microsoft MVP

Dan Patrick is the Chief Infrastructure Architect for Solliance and a 15 year veteran at Microsoft. He has an extensive background in IT Infrastructure and Operations. Dan has both architected and lead teams building and supporting some of the largest service providers in North America with as many 15,000 Windows Servers and 120 million endpoints. Dan has worked with Azure IaaS solutions extensively since 2012. He has a passion for Virtualization with deep experience leveraging Hyper-V, Vmware, and Citrix. He is also a Clustering specialist focusing on large host clusters and SQL Always On Availability Groups. Recently Dan, authored the Networking, Azure Active Directory and Containers portion of the 70-533 Exam Reference for Microsoft Press. You can follow him on Twitter @deltadan