Impact of the Azure TLS certificate update

natsu 1 Reputation point
2020-10-22T01:53:11.18+00:00

I host a website on IIS on a "SQL Server in VM - Windows" virtual machine, and that website has a Let's Encrypt certificate configured.

Azure has announced an update to its TLS certificates. Does the VM above require any action?

SQL Server on Azure Virtual Machines

1 answer

  1. KarishmaTiwari-MSFT 18,647 Reputation points Microsoft Employee
    2020-10-22T23:07:16.897+00:00

    Are you using Azure VM?

    This FAQ will help answer whether you will be impacted or not. Please check.

    Will this change affect me?
    We expect that most Azure customers will not be impacted. However, your application may be impacted if it explicitly specifies a list of acceptable CAs. This practice is known as certificate pinning.

    Here are some ways to detect if your application is impacted:

    Search your source code for the thumbprint, Common Name, and other cert properties of any of the Microsoft IT TLS CAs found here. If there is a match, then your application will be impacted. To resolve this problem, update the source code to include the new CAs. As a best practice, ensure that CAs can be added or edited on short notice. Industry regulations require CA certificates to be replaced within seven days, and hence customers relying on pinning need to react swiftly.

    If you have an application that integrates with Azure APIs or other Azure services and you are unsure if it uses certificate pinning, check with the application vendor.

    Different operating systems and language runtimes that communicate with Azure services may require additional steps to correctly build the certificate chain with these new roots:

    Linux: Many distributions require you to add CAs to /etc/ssl/certs. For specific instructions, refer to the distribution’s documentation.
    Java: Ensure that the Java key store contains the CAs listed above.
    Windows running in disconnected environments: Systems running in disconnected environments will need to have the new roots added to the Trusted Root Certification Authorities store, and the intermediates added to the Intermediate Certification Authorities store.
    Android: Check the documentation for your device and version of Android.
    Other hardware devices, especially IoT: Contact the device manufacturer.
    If you have an environment where firewall rules are set to allow outbound calls only to specific Certificate Revocation List (CRL) download and/or Online Certificate Status Protocol (OCSP) verification locations, you will need to allow the following CRL and OCSP URLs:

    http://crl3.digicert.com
    http://crl4.digicert.com
    http://ocsp.digicert.com
    http://www.d-trust.net
    http://root-c3-ca2-2009.ocsp.d-trust.net
    http://crl.microsoft.com
    http://oneocsp.microsoft.com
    http://ocsp.msocsp.com

    Reference doc: https://learn.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes

    ----------

    Please 'Accept as answer' if it helped, so that it can be beneficial to other community members.

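The first detection step in the answer above (search your source code for thumbprints and Common Names of the old CAs) is easy to automate. The following Python script is an added example and is not part of the original answer or of Microsoft's documentation. It walks a source tree, flags any line that mentions the "Microsoft IT TLS CA" name substring quoted in the answer, and flags any SHA-1 or SHA-256 hex fingerprint, distinguishing fingerprints that match a list of known pinned thumbprints from other fingerprint-shaped strings that merit manual review. The thumbprint in `KNOWN_PINNED_THUMBPRINTS`, the sample files and the file names are constructed placeholders; the real thumbprints and CA names must be taken from the Microsoft document the answer links to.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]  # (line number, kind, matched value)

# The answer says to search for the thumbprint, Common Name and other
# properties of the "Microsoft IT TLS CA" certificates. Only that name
# substring is taken from the page; the authoritative list of names and
# thumbprints is in the linked Microsoft document and is not reproduced here.
PINNED_CA_NAME_RE = re.compile(r"Microsoft IT TLS CA", re.IGNORECASE)

# Hex fingerprints as they usually appear in code and config files:
# 64 hex chars (SHA-256) or 40 hex chars (SHA-1), with or without ':'.
# The longer alternative comes first so a SHA-256 is not reported as a
# SHA-1 prefix; the lookarounds reject partial matches inside longer hex runs.
THUMBPRINT_RE = re.compile(
    r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}:?){32}|(?:[0-9A-Fa-f]{2}:?){20})(?![0-9A-Fa-f])"
)

# Constructed placeholder thumbprint for the demo; NOT the real thumbprint of
# any Microsoft CA. In practice, populate this dict from the Microsoft list.
KNOWN_PINNED_THUMBPRINTS: Dict[str, str] = {
    "AABBCCDDEEFF00112233445566778899AABBCCDD": "placeholder: old Microsoft IT TLS CA",
}

# File types worth scanning; extend for your code base.
SOURCE_EXTENSIONS = {".cs", ".json", ".config", ".xml", ".ps1", ".py", ".js", ".yaml", ".yml", ".md"}


def normalize_thumbprint(raw: str) -> str:
    """Strip ':' separators and upper-case so different notations compare equal."""
    return raw.replace(":", "").upper()


def scan_text(text: str, known: Dict[str, str]) -> List[Finding]:
    """Return every pinning indicator found in `text`, with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PINNED_CA_NAME_RE.finditer(line):
            findings.append((line_no, "ca-name", m.group(0)))
        for m in THUMBPRINT_RE.finditer(line):
            tp = normalize_thumbprint(m.group(1))
            kind = "known-thumbprint" if tp in known else "possible-thumbprint"
            findings.append((line_no, kind, tp))
    return findings


def scan_tree(root: Path, known: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan every source file under `root`; files without findings are omitted."""
    results: Dict[str, List[Finding]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SOURCE_EXTENSIONS:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = scan_text(text, known)
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed sample source tree (file names and contents are made up).
SAMPLE_FILES = {
    "appsettings.json": '{ "TrustedIssuer": "CN=Microsoft IT TLS CA (placeholder), O=Example" }\n',
    "PinCheck.cs": 'const string Pin = "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd";\n',
    "Program.cs": 'const string BuildId = "0123456789abcdef0123456789abcdef01234567";\n',
    "README.md": "Deployment notes. No certificate material here.\n",
}


def demo() -> Dict[str, List[Finding]]:
    """Write the sample tree to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in SAMPLE_FILES.items():
            (root / name).write_text(content, encoding="utf-8")
        return scan_tree(root, KNOWN_PINNED_THUMBPRINTS)


if __name__ == "__main__":
    for file, hits in demo().items():
        for line_no, kind, value in hits:
            print(f"{file}:{line_no}: {kind}: {value}")
```

Run it against a real checkout by replacing `demo()` with `scan_tree(Path("path/to/source"), KNOWN_PINNED_THUMBPRINTS)`. A `ca-name` or `known-thumbprint` hit is a confirmed pin that must be updated before the CA change; a `possible-thumbprint` hit may be an unrelated hash (for example a commit id) and only needs a quick manual look.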