
bharathn-msft asked:

**Reminder** Azure TLS certificate changes

Hello Azure Customers in the community,

For users that implement certificate pinning in their application code, there are some Azure TLS certificate changes that could impact some of our customers. Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. We expect that most Azure customers will not be impacted. However, your application may be impacted if it explicitly specifies a list of acceptable CAs. To learn more, please click here.

For any further help, please reach out to our Support team via the Azure portal. Thank you.


Tags: azure-active-directory, azure-ad-authentication
28 comments

What root CA will the Azure API use?
Hello,
I have some on-prem apps that are consuming an Azure API. It was already very hard to identify which certs to add to the on-prem app's trust store in order to ensure communication between them. Now can you please be more specific regarding which exact root CA will be used by the Azure APIs from the list you shared in the article?

> WHAT IS CHANGING?
>
> TLS certificates used by Azure services will chain up to one of the following Root CAs:
>
> | Common name of the CA | Thumbprint (SHA1) |
> |---|---|
> | DigiCert Global Root G2 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
> | DigiCert Global Root CA | a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436 |
> | Baltimore CyberTrust Root | d4de20d05e66fc53fe1a50882c78db2852cae474 |
> | D-TRUST Root Class 3 CA 2 2009 | 58e8abb0361533fb80f79b1b6d29d3ff8d5f00f0 |
> | Microsoft RSA Root Certificate Authority 2017 | 73a5e64a3bff8316ff0edccc618a906e4eae4d74 |
> | Microsoft EV ECC Root Certificate Authority 2017 | 6b1937abfd64e1e40daf2262a27857c015d6228d |
0 Votes

Azure services use a variety of PKIs. As described in the update, it's important that your clients trust all of the specified roots to ensure maximum compatibility with Azure services. While the Azure APIs use a particular root today, they may use a different root tomorrow. They may also use different roots based on their geolocation. It's important that your client trusts all the roots and not a specific one to avoid a potential outage.

0 Votes

Hi,

We have a couple of Azure app services hosted in Azure, but we do not have explicitly hard-coded trusted root lists in our code. One of the app services is used as a Remote Event Receiver which is triggered by a SharePoint list.

Could you please let me know if these app services can get impacted by the change?

0 Votes
alfredorevilla-msft · darshanijayasekara-5345

If your application code is not hard-coded or configured to trust any of the following CAs, or certs signed by any of the former, then you won't get affected.


0 Votes

Thank you for the confirmation.

0 Votes

Hi,
Not sure if my org will be impacted by this at all.
Using win-acme through an Azure VM (Windows Server 2012 R2) to issue SSL certs.
Is there anything I need to action on my end to ensure no issues with our websites?

Thanks in advance

0 Votes

If you are using ACME, I assume you are getting your certificates from Let's Encrypt. If that's the case, then your services won't be impacted. However, if you are also a client of Azure services, then your client must be updated to trust the roots provided.

0 Votes

My certificate is issued to me by Microsoft IT TLS CA 5, but it is not Microsoft IT TLS CA 5.crt. The name of my certificate is hard-coded in my code.
Will there be any impact? Thank you for your help!

0 Votes

Yes, certificates issued by Microsoft IT TLS CA 5 are in scope. You must take action.

0 Votes

We are using virtual machines running Windows and Linux to host our applications, and SQL Server for the database. Does "Review your Azure Services Certificate Authorities" impact any of the application or database hosts on Azure VMs?

0 Votes

Most likely not. If you have an application that calls into any Azure endpoint, you should verify that your application is not doing any certificate pinning. Certificate pinning is the practice of comparing properties of the certificate chain provided by the remote endpoint to a list of expected values. For example, you may have hard coded your application to expect a specific thumbprint, serial number, or common name value from the certificate so that only a specific certificate would be authorized. If you have such a configuration, you must take action.

1 Vote
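The two answers above make the same point from two directions: do not assume a single root in advance (the question about which root the APIs use) and do not pin to properties of one certificate (the pinning comment). The script below is an added example, not code from the thread or from Microsoft; it turns that advice into two checks a client owner can run. The six SHA1 thumbprints are the ones quoted in the thread; the trust-store directory and host name passed to the functions are assumptions to adjust for your environment. It uses the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread or from Microsoft): audit a local trust store
# against the six Azure root CAs quoted above, and inspect the chain an endpoint
# presents. The thumbprints are the ones quoted in the thread; the store directory
# and host name are assumptions passed in by the caller.

EXPECTED_ROOTS="df3c24f9bfd666761b268073fe06d1cc8d4f82a4
a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
d4de20d05e66fc53fe1a50882c78db2852cae474
58e8abb0361533fb80f79b1b6d29d3ff8d5f00f0
73a5e64a3bff8316ff0edccc618a906e4eae4d74
6b1937abfd64e1e40daf2262a27857c015d6228d"

# Turn openssl's "SHA1 Fingerprint=DF:3C:24:..." (or a bare colon-separated
# thumbprint) into lowercase hex without colons, matching the list above.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ':' | tr 'A-Z' 'a-z'
}

# Exit status 0 if the thumbprint belongs to one of the expected roots, 1 otherwise.
is_expected_root() {
    fp=$(normalize_fp "$1")
    for r in $EXPECTED_ROOTS; do
        if [ "$fp" = "$r" ]; then
            return 0
        fi
    done
    return 1
}

# Print the expected roots that are NOT present in a directory of PEM/CRT files
# (for example /etc/ssl/certs on Debian-style systems). Every line printed is a
# root to add before the rotation reaches a service your client calls.
missing_roots_in_store() {
    store_dir=$1
    found=" "
    for cert in "$store_dir"/*.pem "$store_dir"/*.crt; do
        [ -f "$cert" ] || continue
        fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha1 2>/dev/null) || continue
        found="$found$(normalize_fp "$fp") "
    done
    for r in $EXPECTED_ROOTS; do
        case "$found" in
            *" $r "*) ;;
            *) echo "$r" ;;
        esac
    done
}

# Show subject, issuer and SHA1 thumbprint of the last certificate an endpoint
# sends. Servers usually send only the leaf and intermediates, so the issuer of
# that last certificate names the root to look up in the list; if the root itself
# is sent, its thumbprint can be checked directly with is_expected_root.
endpoint_chain_top() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/ {buf=""}
             {buf = buf $0 "\n"}
             /-----END CERTIFICATE-----/ {last=buf}
             END {printf "%s", last}' |
        openssl x509 -noout -subject -issuer -fingerprint -sha1
}

# Usage (placeholders; substitute your store path and the Azure endpoint you call):
#   missing_roots_in_store /etc/ssl/certs
#   endpoint_chain_top <your-azure-endpoint>
```

The store check is the one that matters for the outage risk described in the thread: if any of the six roots is printed, a client whose trust is limited to that store will fail the handshake once the service behind it rotates. The endpoint check only tells you which root a service uses today, which the answer above warns may change tomorrow or differ by region, so treat it as a diagnostic rather than as the basis for a pin.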
PepeLpezRincn-0369 answered:

I have doubts about if I will be impacted or not. Maybe, you can help me.

The certificates my apps are using were issued by Go Daddy Secure Certification Authority. Do I have to do any change/update in my certificates/app services?

Thanks in advance

1 comment

@PepeLpezRincn-0369 - Thank you for reaching out. Post validation with our internal team, it has been called out that in your scenario there shouldn't be any impact because of the Azure TLS Certificate Change.

0 Votes
MohantyVikram-2775 answered:

I am using Azure Face SDK for Python. Will that be affected? My app seems to be working fine. But I am not sure if I will be impacted or not.

2 comments

@MohantyVikram-2775 - Thank you for reaching out. I am validating your scenario with our internal team and will get back to you once I have further information.

0 Votes

@MohantyVikram-2775 I did hear back from our team, and it has been called out that the SDK will not be impacted by this change and will not need an update, since the SDK acts as a messenger from Python code to the REST API.

Hope this information is helpful. Please feel free to revert back if you have any further queries.

0 Votes
Anuj-5385 answered:

I host IIS websites on an Azure VM running Windows Server 2019 and use an SSL certificate from ssl2buy. I just want to know whether I will be impacted or not.

1 comment

@Anuj-5385 - Thank you for reaching out. Post validation with our internal team, it has been called out that in your scenario there shouldn't be any impact because of the Azure TLS Certificate Change.

1 Vote
laughey answered:

Once again, Microsoft impresses with details pertaining to an upcoming or ongoing change and, at the same time, vagueness to provide adequate direction and ZERO support to meet their timelines.

I love wasting 3 hours of my day attempting to understand (decode) how this affects me, if at all. As for the mention of needing further assistance, simply open (and pay for) a support ticket...for something Microsoft is doing. Regardless of reason, this position is classless.

Free Advice: Adjust the fee structure in Azure to include hidden/built-in "basic support" for customers who need it (e.g., this being one such example). Call me silly, but Microsoft includes "support" in their 365 offerings, so why not do this with Azure? After all, 365 does run on Azure, no? GENIUS!


1 comment

@laughey - Really appreciate you taking the time to share your candid and valuable feedback. I have passed it on to the team owning the Azure TLS Certificate change and will keep you updated as I get more information. Thank you.

0 Votes
BogomilAndreev answered:

Hi all, I have a question related to certificate changes. Will these services be affected after the change - Storage accounts, App services, Document DBs, and Windows servers? Now they are using old Intermediate CA - Microsoft IT TLS CA 4 and Microsoft IT TLS CA 1. Windows servers are not isolated. Thanks. Regards

1 comment

Thank you for reaching out, @BogomilAndreev. Yes, those services will incorporate the change. Please let us know if you have any further queries.

0 Votes
KenTrowbridge-1324 answered:

We use GoDaddy as our Certificate Authority.

Will we need to make any changes or updates in our certificates/app services?

Cheers!

1 comment

@KenTrowbridge-1324 - Thank you for reaching out. Post validation with our internal team, it has been called out that in your scenario there shouldn't be any impact because of the Azure TLS Certificate Change.

0 Votes
JohnChan-6369 answered:

Is there a way to track when this change will occur and how the roll out will occur? Or has this change already been pushed out?

1 comment

@JohnChan-6369 - Thank you for reaching out. Some Azure services have already completed the change; for others it is in progress. Can we please request that you update your app at the earliest as per the documentation, and reach out to us if you see any issue.


0 Votes
DeanChen-8310 answered:

In MS document: https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes, there is one line that says:

• Android: Check the documentation for your device and version of Android.

My question is which version of Android might get impacted if any? We use Android mobile devices around the world.

Thanks,
Dean

1 comment

@DeanChen-8310 - Thank you for reaching out. I am validating your scenario with our internal team and will get back to you once I have further information.

0 Votes
chiragsharma-0645 answered:

We use Cloudflare as our Certificate Authority.

Will we need to make any changes or updates in our certificates/app services?

Thanks In Advance

1 comment

@chiragsharma-0645 - Thank you for reaching out. In your scenario there shouldn't be any impact because of the Azure TLS Certificate Change.

0 Votes
HenryZaragozaJr-7263 answered:

Hello @bharathn-msft, I am new to Azure. I would like to ask whether these changes will affect the Application Insights that we are using in Azure. Thank you in advance.

2 comments

Hi @bharathn-msft, I have the same question. I received an MS email that says "Your applications may be impacted if you explicitly specify a list of acceptable CAs (a practice known as certificate pinning)." I am not sure what the applications are, but I think I only use Application Insights on Azure.

0 Votes

@henryzaragozajr-7263 @stephenshi-3321 Application Insights won't get affected.

3 Votes