Nandita_Chakraborti
The following blog contains important information about TLS certificate changes for Azure Storage endpoints that may impact client connectivity.
Azure Storage uses some intermediate certificates that are set to expire on 27 June 2024. We will be rolling out new certificates to replace the expiring intermediate certificates starting March 2024.
We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as "certificate pinning"). Certificate pinning is no longer considered a best practice. In-scope Azure Storage services include Blob, File, Table, Queue, Static Website and ADLS Gen2. This change is limited to the public Azure cloud and the US Government cloud; there are no changes in other sovereign clouds such as Azure China.
If any client application has pinned to the current intermediate CAs listed in the table below, action is required to prevent disruption to connectivity to Azure Storage.
Action Required
- If your client application has pinned to the intermediate CAs, please make sure the Issuing CAs are added to your trusted root store by end of Feb 2024.
- Keep using the current root or intermediate CAs in your applications or devices until the transition period is completed (necessary to prevent connection interruption).
How to check
If your client application or networking infrastructure has pinned to any of the certificates listed in the table below, search your source code for the thumbprint, Common Name and other certificate properties of each of these intermediate CAs. If there is a match, your application will be impacted and immediate action is required:

| Subject | Thumbprint | Issuer | NotBefore | NotAfter |
| --- | --- | --- | --- | --- |
| CN=Microsoft Azure TLS Issuing CA 01, O=Microsoft Corporation, C=US | 2F2877C5D778C31E0F29C7E371DF5471BD673173 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2020-07-29 12:30:00 | 2024-06-27 23:59:59 |
| CN=Microsoft Azure TLS Issuing CA 02, O=Microsoft Corporation, C=US | E7EEA674CA718E3BEFD90858E09F8372AD0AE2AA | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2020-07-29 12:30:00 | 2024-06-27 23:59:59 |
| CN=Microsoft Azure TLS Issuing CA 05, O=Microsoft Corporation, C=US | 6C3AF02E7F269AA73AFD0EFF2A88A4A1F04ED1E5 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2020-07-29 12:30:00 | 2024-06-27 23:59:59 |
| CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=US | 30E01761AB97E59A06B41EF20AF6F2DE7EF4F7B0 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2020-07-29 12:30:00 | 2024-06-27 23:59:59 |
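As an added example (not from the original post or from Microsoft), a small Python scanner that performs the check described above: it searches source text for the four expiring thumbprints and Common Names from the table, normalising the different ways a thumbprint is commonly spelled (lower case, colon- or space-separated). The file suffix list and the sample pin file are assumptions for illustration.

```python
import re
from pathlib import Path
# SHA-1 thumbprints of the expiring "Microsoft Azure TLS Issuing CA" intermediates,
# copied from the table above; any of these in a pin list needs attention.
EXPIRING_INTERMEDIATES = {
    "2F2877C5D778C31E0F29C7E371DF5471BD673173": "Microsoft Azure TLS Issuing CA 01",
    "E7EEA674CA718E3BEFD90858E09F8372AD0AE2AA": "Microsoft Azure TLS Issuing CA 02",
    "6C3AF02E7F269AA73AFD0EFF2A88A4A1F04ED1E5": "Microsoft Azure TLS Issuing CA 05",
    "30E01761AB97E59A06B41EF20AF6F2DE7EF4F7B0": "Microsoft Azure TLS Issuing CA 06",
}
# Pins come in many spellings (lower case, colon/space separated): match 20 hex
# byte pairs with optional separators, then normalise before comparing.
_THUMB_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:\s-]?){19}[0-9A-Fa-f]{2}\b")
# Subject CNs of the expiring CAs; the replacement "Azure RSA TLS" CAs do not match.
_CN_RE = re.compile(r"Microsoft Azure TLS Issuing CA 0[1256]\b")

def normalize_thumbprint(raw: str) -> str:
    """Strip separators and upper-case so 'e7:ee:...' and 'E7EE...' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", raw).upper()

def scan_text(text: str) -> list:
    """Return (line_number, kind, ca_name) for every reference to an expiring CA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _THUMB_RE.finditer(line):
            name = EXPIRING_INTERMEDIATES.get(normalize_thumbprint(m.group()))
            if name:
                findings.append((lineno, "thumbprint", name))
        for m in _CN_RE.finditer(line):
            findings.append((lineno, "common_name", m.group()))
    return findings

def scan_tree(root: str, suffixes=(".py", ".cs", ".java", ".json", ".xml", ".conf")) -> dict:
    """Scan every file with a listed suffix under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            found = scan_text(path.read_text(errors="ignore"))
            if found:
                report[str(path)] = found
    return report

# Constructed sample of a pin list (not a real project file) to run the scanner on.
SAMPLE_PINS = """\
pin_sha1 = "e7:ee:a6:74:ca:71:8e:3b:ef:d9:08:58:e0:9f:83:72:ad:0a:e2:aa"
pin_sha1 = "F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6"
issuer_cn = "Microsoft Azure TLS Issuing CA 05"
issuer_cn = "Microsoft Azure RSA TLS Issuing CA 03"
"""
```

Run `scan_tree(".")` against a checkout to list impacted files; on the sample, the first and third lines are flagged while the replacement CA 03 entries are correctly left alone.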
Intermediate certificates are expected to change more frequently than root CAs. Customers who use certificate pinning are advised not to take dependencies on intermediates and instead to pin to the root certificate, which rolls less frequently.
If you currently pin to the intermediate CAs and have a requirement to continue doing so, update your source code to add the replacement intermediate CAs listed in the table below to the trusted store, so that connectivity is not disrupted by this change.
Certificate Renewal Summary
The table below lists the certificates that will roll out starting March 2024, replacing the ones in the table above. Depending on which certificate your service uses to establish TLS connections, action may be needed to prevent loss of connectivity. Refer to the Action Required section above for the required steps.

| Subject | Thumbprint | Issuer | NotBefore | NotAfter |
| --- | --- | --- | --- | --- |
| CN=Microsoft Azure RSA TLS Issuing CA 03, O=Microsoft Corporation, C=US | F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2023-06-08 00:00:00 | 2026-08-25 23:59:59 |
| CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US | BE68D0ADAA2345B48E507320B695D386080E5B25 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2023-06-08 00:00:00 | 2026-08-25 23:59:59 |
| CN=Microsoft Azure RSA TLS Issuing CA 07, O=Microsoft Corporation, C=US | 3382517058A0C20228D598EE7501B61256A76442 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2023-06-08 00:00:00 | 2026-08-25 23:59:59 |
| CN=Microsoft Azure RSA TLS Issuing CA 08, O=Microsoft Corporation, C=US | 31600991ED5FEC63D355A5484A6DCC787EAD89BC | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2023-06-08 00:00:00 | 2026-08-25 23:59:59 |
Help and support
If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request:
- For Issue type, select Technical.
- For Subscription, select your subscription.
- For Service, select My services.
- For Service type, select Blob Storage.
- For Resource, select the Azure resource you are creating a support request for.
- For Summary, type a description of your issue.
- For Problem type, select Connectivity.
- For Problem subtype, select Dropped or terminated connections.