Azure Storage TLS changes: Intermediate certificate renewals

  • Thread starter Thread starter Nandita_Chakraborti
  • Start date Start date
N

Nandita_Chakraborti

The following blog contains important information about TLS certificate changes for Azure Storage endpoints that may impact client connectivity.



Azure Storage uses some intermediate certificates that are set to expire on 27th June,2024. We will be rolling out new certificates for the expiring intermediate certificates starting March 2024.

We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). Certificate pinning is no longer considered the best practice. In scope Azure Storage services include Blob, File, Table, Queue, Static Website, ADLS Gen2. This change is limited to public Azure cloud and US Government cloud. There are no changes in other sovereign clouds like Azure China.

If any client application has pinned to the current intermediate CAs listed in the table below, action is required to prevent disruption to connectivity to Azure Storage.



Action Required


  • If your client application has pinned to the intermediate CAs, please make sure the Issuing CAs are added to your trusted root store by end of Feb 2024.
  • Keep using the current root or intermediate CAs in your applications or devices until the transition period is completed (necessary to prevent connection interruption).


How to check



If your client application or networking infrastructure has pinned to any of the certificates listed in the table below, then search your source code for the thumbprint, Common Name, and other cert properties of any of the intermediate CAs. If there is a match, then your application will be impacted, immediate action is required:


Subject

Thumbprint

Issuer

NotBefore

NotAfter

CN=Microsoft Azure TLS Issuing CA 01, O=Microsoft Corporation, C=US

2F2877C5D778C31E0F29C7E371DF5471BD673173

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2020-07-29 12:30:00.0000000

2024-06-27 23:59:59.0000000

CN=Microsoft Azure TLS Issuing CA 02, O=Microsoft Corporation, C=US

E7EEA674CA718E3BEFD90858E09F8372AD0AE2AA

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2020-07-29 12:30:00.0000000

2024-06-27 23:59:59.0000000

CN=Microsoft Azure TLS Issuing CA 05, O=Microsoft Corporation, C=US

6C3AF02E7F269AA73AFD0EFF2A88A4A1F04ED1E5

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2020-07-29 12:30:00.0000000

2024-06-27 23:59:59.0000000

CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=US

30E01761AB97E59A06B41EF20AF6F2DE7EF4F7B0

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2020-07-29 12:30:00.0000000

2024-06-27 23:59:59.0000000





Intermediate certificates are expected to change more frequently than root CA. Customers who use certificate pinning are recommended not to take dependencies on them and instead pin to the root certificate as it rolls less frequently.

If you are currently pinning to the intermediate CAs and have a requirement to continue pinning to intermediate CAs, to prevent disruption due to this change, you should update the source code to add the intermediate Microsoft Azure TLS Issuing CAs listed in the table below to the trusted store.



Certificate Renewal Summary



The table below provides information about the certificates that will roll out starting March 2024, replacing the ones in above table. Depending on which certificate your service uses for establishing TLS connections, action may be needed to prevent loss of connectivity. Please refer to action required section above to take required steps


Subject

Thumbprint

Issuer

NotBefore

NotAfter

CN=Microsoft Azure RSA TLS Issuing CA 03, O=Microsoft Corporation, C=US

F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2023-06-08 00:00:00.0000000

2026-08-25 23:59:59.0000000

CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US

BE68D0ADAA2345B48E507320B695D386080E5B25

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2023-06-08 00:00:00.0000000

2026-08-25 23:59:59.0000000

CN=Microsoft Azure RSA TLS Issuing CA 07, O=Microsoft Corporation, C=US

3382517058A0C20228D598EE7501B61256A76442

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2023-06-08 00:00:00.0000000

2026-08-25 23:59:59.0000000

CN=Microsoft Azure RSA TLS Issuing CA 08, O=Microsoft Corporation, C=US

31600991ED5FEC63D355A5484A6DCC787EAD89BC

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2023-06-08 00:00:00.0000000

2026-08-25 23:59:59.0000000





Help and support



If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request:

  1. For Issue type, select Technical.
  2. For Subscription, select your subscription.
  3. For Service, select My services.
  4. For Service type, select Blob Storage.
  5. For Resource, select the Azure resource you are creating a support request for.
  6. For Summary, type a description of your issue.
  7. For Problem type, select Connectivity
  8. For Problem subtype, select Dropped or terminated connections

Continue reading...
 
Back
Top