Reminder Azure TLS certificate changes

bharathn-msft 5,086 Microsoft Employee

Hello Azure Customers in the community,

For users that implement certificate pinning in their application code there are some Azure TLS certificate changes that could impact some of our customers. Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. We expect that most Azure customers will not be impacted. However, your application may be impacted if it explicitly specifies a list of acceptable CAs. To learn more please click here.

For any other further help, please reach out to our Support team via Azure portal. Thank you

Dragos P 1 Reputation point

2020-10-13T09:14:37.507+00:00

what root CA will the azure API use
Hello,
I have some on-prem apps that are consuming an Azure API. It was very hard to identify which certs to add in the on-prem app's trust store already in order to ensure communication between them. Now can you please be more specific regarding which exact root CA will be used by the Azure APIs from the list you shared in the article?

"
TLS certificates used by Azure services will chain up to one of the following Root CAs:

WHAT IS CHANGING?
Common name of the CA Thumbprint (SHA1)
DigiCert Global Root G2 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
DigiCert Global Root CA a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
Baltimore CyberTrust Root d4de20d05e66fc53fe1a50882c78db2852cae474
D-TRUST Root Class 3 CA 2 2009 58e8abb0361533fb80f79b1b6d29d3ff8d5f00f0
Microsoft RSA Root Certificate Authority 2017 73a5e64a3bff8316ff0edccc618a906e4eae4d74
Microsoft EV ECC Root Certificate Authority 2017 6b1937abfd64e1e40daf2262a27857c015d6228d
darshani jayasekara 1 Reputation point

2020-10-14T04:06:03.953+00:00

Hi,

We have a couple of Azure app services hosted in Azure, but we do not have explicitly hard-coded trusted root lists in our code. One of the app service use as a Remote event Receiver which triggers by a Sharepoint list.

Could you please let me know if these app services can get impacted by the change?
ccaIT 1 Reputation point

2020-10-14T09:02:52.26+00:00

Hi
Not sure if my org will be impacted by this at all
Using win acme through Azure VM Windows Server 2012 R2 to issue SSL certs
Is there anything I need to action on my end to ensure not issues with our websites?

Thanks in advance
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,326 Reputation points

2020-10-14T15:27:59.483+00:00

if your application code is not hard coded or configured to trust any of the following CAs or certs signed by any of the former then you won't get affected.
Tijana Kostic 1 Reputation point

2020-10-15T07:48:52.703+00:00

My certificate is issued to me by Microsoft IT TLS CA 5 but it is not Microsoft IT TLS CA 5.crt. The name of my certificate is hardcoded in my code.
Will there be any impact? Thank you for your help!
Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-15T16:47:00.51+00:00

Azure services use a variety of PKIs. As described in the update, it's important that your clients trust all of the specified roots to ensure maximum compatibility with Azure services. While the Azure APIs use a particular root today, they may use a different root tomorrow. They may also use different roots based on their geolocation. It's important that your client trusts all the roots and not a specific one to avoid a potential outage.
Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-15T16:49:09.44+00:00

If you are using ACME, I assume you are getting your certificates for Let's Encrypt. If that's the case, then your services won't be impacted. However, if you are also a client of Azure services, then your client must be updated to trust the roots provided.
Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-15T16:50:30.507+00:00

Yes, certificates issued by Microsoft IT TLS CA 5 are in scope. You must take action.
Abhishek Singh 1 Reputation point

2020-10-16T11:16:06.7+00:00

We are using Virtual machine using windows and Linux to host our applications and SQL Server for database. Does "Review your Azure Services Certificate Authorities" this impact any of the application or database hosts on azure VM.
Mike Gowing 1 Reputation point

2020-10-16T13:31:47.85+00:00

Does this have an affect on enterprise applications in Azure AD? More specifically around applications we configure SSO for like Salesforce, Adobe Creative Cloud, etc.
Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-16T16:21:06.55+00:00

Most likely not. If you have an application that calls into any Azure endpoint, you should verify that your application is not doing any certificate pinning. Certificate pinning is the practice of comparing properties of the certificate chain provided by the remote endpoint to a list of expected values. For example, you may have hard coded your application to expect a specific thumbprint, serial number, or common name value from the certificate so that only a specific certificate would be authorized. If you have such a configuration, you must take action.
darshani jayasekara 1 Reputation point

2020-10-19T02:43:13.987+00:00

Thank you for the confirmation.
bharathn-msft 5,086 Reputation points Microsoft Employee

2020-10-19T18:24:21.787+00:00

@Mike Gowing Thank you for reaching out to us. . 3rd party services like Salesforce, Adobe are not impacted, whether or not it's an enterprise app in Azure AD is independent to the issue. Hope this information helps, please feel free to revert back if you have any further queries.
Rakesh Reddykunuthuru (MINDTREE LIMITED) 1 Reputation point

2020-10-20T11:42:50.813+00:00

In Azure portal regarding app services i have no concerns . I have a VM running windows in azure and i host few apps on that VM and for those certificate is provided by GO DADDY.com and we have the certificate service till 2021 by go daddy . Does this TLS certificate changes impact my VM and my app on VM? Awaiting your reply . Hope will get reply soon .

Many thanks .
Rakesh Reddykunuthuru (MINDTREE LIMITED) 1 Reputation point

2020-10-20T12:08:14.333+00:00

In Azure portal regarding app services i have no concerns . I have a VM running windows in azure and i host few apps on that VM and for those certificate is provided by GO DADDY.com and we have the certificate service till 2021 by go daddy . Does this TLS certificate changes impact my VM and my app on VM? Awaiting your reply .
Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-20T15:57:23.73+00:00

Certificates issued by GoDaddy are not in scope.
Rakesh Reddykunuthuru (MINDTREE LIMITED) 1 Reputation point

2020-10-20T15:59:34.36+00:00

which means they wont be affected right because of TLS changes? Do we need to check anything?
Philip Salqvist 1 Reputation point

2020-10-20T16:01:10.747+00:00

Hi,

I'm running a powerapps app connected to an Azure database. Does powerapps use certificate pinnings? Will apps running on the powerapps environment be effected by the TLS certificate changes?

Regards, Philip Salqvist
Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-20T16:10:41.357+00:00

The services hosted on your VM that use your GoDaddy certificate are not affected and you don't need to do anything for them. However, if your VM has a custom client that consumes other services from Azure via an API, you should check your client code to ensure it either isn't performing certificate pinning or, if it is, that it will accept certs from the complete list of roots provided.
Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-20T16:15:06.397+00:00

Assuming that you are asking about Microsoft Power Apps on Azure (https://azure.microsoft.com/en-us/products/powerapps/), then there is no action for you. Microsoft Power Apps on Azure does not perform certificate pinning natively.
1stname 2ndname 1 Reputation point

2020-10-23T10:38:29.553+00:00

Hello.
I am using the "Microsoft Translator API" from my on-premises software.
Do I need to change my software with Azure TLS certificate changes?
Thank you for your help.
Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-23T17:54:04.623+00:00

Most likely not. If you have an application that calls into any Azure endpoint, you should verify that your application is not doing any certificate pinning. Certificate pinning is the practice of comparing properties of the certificate chain provided by the remote endpoint to a list of expected values. For example, you may have hard coded your application to expect a specific thumbprint, serial number, or common name value from the certificate so that only a specific certificate would be authorized. If you have such a configuration, you must take action.
1stname 2ndname 1 Reputation point

2020-10-26T07:52:35.527+00:00

Thanks for the reply.
Let me confirm it a little more.

I am not using private endpoint or service endpoint from the software.
I am using the Microsoft Translator API from the software with a Cognitive service subscription key.
Therefore, it is not necessary to change the software.
Is this perception correct?
Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-29T23:48:08.597+00:00

You will be OK.
jwhitlock 1 Reputation point

2020-11-17T22:51:42.517+00:00
We are verifying VMs by inspecting the attested data API. This returns a PKCS#7 message, signed by an included certificate that was issued by one of four "Microsoft IT TLS CA" intermediate certificates, in turn issued by the "Baltimore CyberTrust Root" CA. As announced on Azure TLS Certificate Changes, the Microsoft IT TLS CA certificates will be revoked on February 15, 2021. We are preparing for supporting unknown intermediate certificates that are issued by one of the 6 mentioned CAs.

My questions are:

Is there a planned date that the attested data signing certificate chain will change?

Do you know which root CAs are planned for this purpose? We can support the 5 RSA certificates, but can't yet support the "Microsoft ECC Root Certificate Authority 2017" root CA, as our library doesn't support ECC.
bharathn-msft 5,086 Reputation points Microsoft Employee

2020-11-20T01:38:38.907+00:00

@jwhitlock Thank you for reaching out, to further help can you please help share more information on what specific method name you are referencing with in the API. Looking forward to hear back from you. Thank you
jwhitlock 1 Reputation point

2020-11-20T03:32:55.137+00:00
The attested data API is reachable in a VM at a URL like

Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/attested/document?api-version=2018-10-01&nonce=1234567890"

The return is JSON, partially shown here due to the character limits of this forum, see the attested data API documentation:

{ "encoding":"pkcs7", "signature":"MIIEEgYJKoZIhvcNAQcCoIIEAzCCA/8C..." }

The signature is the PKCS7 signed version of the document. The signing certificate is embedded in the message, and is issued by one of the 4 Microsoft IT TLS CA that are planned to be revoked and replaced.
Quentin Bracken 6 Reputation points

2020-11-20T20:39:03.937+00:00

The Microsoft Azure Attestation API endpoints will remain on the Baltimore CyberTrust Root. They will be moving to one of the new intermediate CAs: Microsoft RSA TLS CA 01 and Microsoft RSA TLS CA 02. The ETA for this change for this specific endpoint is 12/1.

21 answers

David Bullock 21 Reputation points

2020-10-20T01:30:13.123+00:00

For all those worried people, Certificate Pinning is an alternative to trusting Root CA's. Your app (ie. an app that YOU wrote) chooses NOT to trust the Root CA's installed into the operating system's "trusted root certificate authorities", and instead verifies the certificate itself.

You'll know IF you are doing this: your app is already hard-coded or requires special configuration for the trusted certificates.

You'll know WHY you are doing this: you don't trust every single Root CA in your operating system's list of Root CA's (who even knows if the ones on your system are the ones that Microsoft put there via updates?!). Your app is security-critical, and it would be negligent of you not to batten down every hatch.

Chances are high that your app instead trusts the Root CA's that the Operating System trusts. You opt for this convenience so that you don't have to bother with changing the certificate every few years, like this.
Please sign in to rate this answer.

3 people found this answer helpful.
Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-20T16:33:01.01+00:00

Thanks for that explanation. This is why it's so hard for us (Microsoft) to provide specific guidance to our customers for this update. This is a choice made by the application developer and we have no way to identity if a client is pinning or not. As you correctly point out, it's a choice made by the application developer because they need additional checks during authentication and authorization of a session. To make it more challenging, there is no standard way to perform certificate pinning. A developer may choose to pin based off of elements of the leaf certificate like the SHA1 or SHA256 thumbprint, the serial number, the public key, the issuer, and so on. They may choose to pin against a certificate elsewhere in the chain. Fortunately, certificate pinning is not a very common practice.

Thanks again for this write up!

David Bullock 21 Reputation points

2020-10-20T23:37:18.03+00:00

It might be worth underscoring that the advice of the certificate change is only relevant to people who have written code that needs to identify and use Azure servers. Much of the worry is from people who don't have any code of their own to update.

Quentin Bracken 26 Reputation points Microsoft Employee

2020-10-21T16:04:18.497+00:00

That's a good point. However, there are customers who are using third-party provided software. It's not just code developed in house. Customers with third-party clients need to independently verify that those clients are not doing certificate pinning to ensure they don't experience an interruption in service.
Sign in to comment
laughey 31 Reputation points

2020-10-09T12:58:43.62+00:00

Once again, Microsoft impresses with details pertaining to an upcoming or ongoing change and, at the same time, vagueness to provide adequate direction and ZERO support to meet their timelines.

I love wasting 3 hours of my day attempting to understand (decode) how this affects me, if at all. As for the mention of needing further assistance, simply open (and pay for) a support ticket...for something Microsoft is doing. Regardless of reason, this position is classless.

Free Advice: Adjust the fee structure in Azure to include hidden/built-in "basic support" for customers who need it (e.g., this being one such example). Call me silly, but Microsoft includes "support" in their 365 offerings, so why not do this with Azure? After all, 365 does run on Azure, no? GENIUS!
Please sign in to rate this answer.

2 people found this answer helpful.
bharathn-msft 5,086 Reputation points Microsoft Employee

2020-10-09T23:27:08.883+00:00

@laughey - Really appreciate you taking time and sharing your candid and valuable feedback, I have passed on your feedback to our team owning the Azure TLS Certificate change. Will keep you updated as I get more information. Thank you
Sign in to comment
Manuel Montero 6 Reputation points

2020-10-13T11:00:50.177+00:00

Hi @bharathn-msft and thanks for the info.

We are using GeoTrust certificates in our Application Services as well in our Cloud Services. For those I guess we should not be worried.
But, where can I confirm we are not using any of the obsolete Certificates?
Please sign in to rate this answer.

1 person found this answer helpful.
Shashi Shailaj 7,581 Reputation points Microsoft Employee

2020-10-13T18:27:01.6+00:00

@Manuel Montero , You would need to check the code of the applications and the certificate stores on your application servers if any of the related thumbprint are present or not. Or if any intermediate certificate is present which chains up to any of the Root CA certificates listed above For hardening security , sometimes a practice of certificate pinning is used. In this case you can specify a list of Certificate authorities from which the certificates are expected. This will vary service provider to service provider.

1/3

Shashi Shailaj 7,581 Reputation points Microsoft Employee

2020-10-13T18:27:19.677+00:00

For example Lets consider Azure as a service provider in our case. So if you are using Azure Services then Azure will provide you a list of Certificate authorities which issue all certificates(issued by listed certificate authorities) for Azure related services. During secure comminutions using TLS there is a certificate exchange. The Azure service will have a certificate which it will provide to the client(your app server/application/device etc.) and the client will verify whether the certificate is valid or not by searching its own trusted store where it has the root CA certificates(and intermediate CA certificates as well) pre-populated and by verifying the thumbprint and other certificate attributes during the certificate exchange.

2/3

Shashi Shailaj 7,581 Reputation points Microsoft Employee

2020-10-13T18:30:54.79+00:00

Earlier we used to have most of the certificates used by all our services chain up to one single root CA Baltimore CyberTrust Root but now we have 5 more valid Root CAs which will issue certificates to azure assets. So if you were using certificate pinning then you would only trust certificates issued by Baltimore CyberTrust Root CA and if the certificate is issued by any other service the cert exchange will fail and your application will stop any further connection to azure due to this.

For confirming if you are affected or not you will have to scan your application trusted stores for the thumbprints of certificates . If you are using certificate pinning then you may need to allow the new certificates as well. Please check the linked articles.
3/3
Sign in to comment
Pepe López Rincón 1 Reputation point

2020-10-09T08:35:58.487+00:00

I have doubts about if I will be impacted or not. Maybe, you can help me.

The certificates my apps are using were issued by Go Daddy Secure Certification Authority. Do I have to do any change/update in my certificates/app services?

Thanks in advance
Please sign in to rate this answer.
bharathn-msft 5,086 Reputation points Microsoft Employee

2020-10-09T23:23:09.533+00:00

@Pepe López Rincón - Thank you for reaching out, post validation with our internal team it has been called out that in your scenario there shouldn't be any impact because of the Azure TLS Certificate Change.
Sign in to comment
Mohanty, Vikram 6 Reputation points

2020-10-09T12:55:06.253+00:00

I am using Azure Face SDK for Python. Will that be affected? My app seems to be working fine. But I am not sure if I will be impacted or not.
Please sign in to rate this answer.
bharathn-msft 5,086 Reputation points Microsoft Employee

2020-10-09T23:25:03.54+00:00

@Mohanty, Vikram - Thank you for reaching out, I am validating this with our Internal team on your scenario and will get back to you once I have further information.

bharathn-msft 5,086 Reputation points Microsoft Employee

2020-10-13T06:51:24.773+00:00

@Mohanty, Vikram I did hear back from our team and it has been called out that the SDK will not be impacted because of this change and will not need update, since SDK will act as a messenger from Python code to RestAPI.

Hope this information is helpful. Please feel free to revert back if you have any further queries.
Sign in to comment

**Reminder** Azure TLS certificate changes

21 answers

Reminder Azure TLS certificate changes