AME Root CA is not a trusted authority in Azure VMs

Ankit Singhal (SPECIAL CLOUD)
2021-06-16T07:33:32.867+00:00

We are facing an issue with Azure VMs: the AME Root certificate is not added as a trusted authority in the Azure VMs, and hence the certificate load fails when we try to load the valid certs from the local store.

Background:
As part of the certificate management and auto-rotation we have to change the certificate issuers to AME (because in AAD and Geneva, AME is the trusted authority and for allowlisting the certificate based on subject names the cert should be issued by AME).
Also the certificate is installed in the VM but its Root certificate is not installed.

Now, when we try to get the certificate by passing the validOnly flag as true, the certificate load fails:
X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, certificateSubject, true);

However, after installing the Root CA manually and using the same call, the certificate is loaded as expected.

Ask:
Can we please check why AME Root is not allowed as a trusted issuer and what is needed to add it as a trusted one in all VMs.
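An added example (not from the poster or from Microsoft) showing how to confirm that the validOnly=true filter is failing because of an untrusted root rather than some other chain problem: it finds the certificate with validOnly=false, builds its chain, and returns the combined chain status flags. The class and method names (CertDiagnostics, DiagnoseChain) are hypothetical; the store and subject are whatever the caller passes in.

```csharp
// Added example, not part of the original post. Diagnoses why
// Find(..., validOnly: true) returns nothing by inspecting the chain
// that validOnly builds internally.
using System;
using System.Security.Cryptography.X509Certificates;

static class CertDiagnostics
{
    // Returns the OR of all chain status flags for the first certificate
    // matching the subject, or null if no such certificate is in the store.
    // X509ChainStatusFlags.NoError means validOnly: true would have returned it.
    public static X509ChainStatusFlags? DiagnoseChain(
        StoreName storeName, StoreLocation location, string certificateSubject)
    {
        using var store = new X509Store(storeName, location);
        store.Open(OpenFlags.ReadOnly);

        // validOnly: false so the certificate is returned even when its chain fails.
        X509Certificate2Collection found = store.Certificates.Find(
            X509FindType.FindBySubjectDistinguishedName, certificateSubject, validOnly: false);
        if (found.Count == 0) return null;

        using var chain = new X509Chain();
        // Skip revocation checking so that only trust and validity problems show up.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool trusted = chain.Build(found[0]);

        var combined = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            combined |= status.Status;
            Console.WriteLine($"{status.Status}: {status.StatusInformation}");
        }
        // UntrustedRoot means the issuing root CA is absent from the machine's
        // Trusted Root store; that is the condition that makes validOnly: true
        // filter the certificate out. The fix is to distribute that root to the
        // VMs' Trusted Root store, not to pass validOnly: false in production.
        Console.WriteLine(trusted ? "Chain builds cleanly." : "Chain failed.");
        return combined;
    }
}
```

Call it as `CertDiagnostics.DiagnoseChain(StoreName.My, StoreLocation.LocalMachine, certificateSubject)` on an affected VM and on one where the root was installed manually to compare the flags.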
