Azure Governance and Management Blog

Azure Instance Metadata Service-Attested data TLS 2025 Critical Changes

Ning_Kuang (Microsoft)
Nov 09, 2021

Starting in Jan 2026, Microsoft will begin introducing new certificates issued by new Subordinate Certificate Authorities (Sub CAs). These new Sub CAs will replace the current ones, which will expire in April 2026.

Starting January 2026, the Azure Instance Metadata Service will start using these new certificates. If your application is impacted, you must update it to use the new Sub CAs by Jan. 1st, 2026.

On April 15, 2026, Mozilla and Chrome will distrust the DigiCert Global Root (the “G1” root). Azure Instance Metadata Service public certificates will move to MicrosoftG2-XS as the public issuer instead of MicrosoftXS2028. As a result of these changes, new intermediate certificates will be generated.

In addition, the following changes will also be made:

  1. MSPKI and DigiCert certificates will no longer carry client authentication in their Extended Key Usage (EKU) extension.
  2. The default certificate lifetime is changing from 180 days to 100 days.

Please note, this change spans ALL clouds.


Who will be impacted

If you use the Attested data endpoint in your application and explicitly specify a list of acceptable CAs (a practice known as "certificate pinning"), you or your customers may be impacted. If your application pins Sub CAs, you must update it to use the new Sub CAs by Jan. 1st, 2026, to ensure uninterrupted access to the Attested data endpoints.

To check whether you will be impacted by this change, review the full list of CA certificates used by Azure services in Azure Certificate Authority details. If any of your current certificates appear in that list, you are impacted, and you will need to add the rest of the certificates listed on that page to your allowed list by Jan. 1st, 2026.

Please note that although Azure Instance Metadata Service offers notifications for Certificate Authority changes, we recommend that you evaluate the cost and benefit of certificate pinning and discontinue this practice. For further guidance, see Certificate pinning - Certificate pinning and Azure services.

If you are not the application or marketplace image owner, check for updates from the application or image owners, who are responsible for determining whether the application or image licensing is impacted.


Action Required 

  • Please visit the page listed below and review the list of certificates provided. If your current certificate appears in this list, including the root and intermediate certificates, you are impacted. You will need to add the rest of the certificates listed on this page to your allowed list: Azure Certificate Authority details | Microsoft Docs
    • Please continue to monitor this page for updated information and make adjustments accordingly.
  • Keep both the current and newly added root or intermediate CAs in your applications or devices until the transition period is completed in April 2026 (necessary to prevent connection interruption).
  1. Intermediate certificates are expected to change more frequently than root CAs. Customers who use certificate pinning are advised NOT to take dependencies on intermediates and instead to pin to the root certificate, which rolls less frequently.
  2. If you have an application that integrates with Azure services, or if you get your VM images from the Azure marketplace, and you are unsure whether it uses certificate pinning with Azure Instance Metadata Service Attested data, check with the application/image owner.
  3. It is also recommended to build fallback logic into the certificate pinning process to minimize the future impact of certificate changes.
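The pinning policy these steps describe, as an added example that is not code from the original post or from Azure: constructed byte strings stand in for the DER certificates extracted from the Attested data response, and the chain sequence in TIMELINE is a simplified stand-in for the real rotation (the actual chain composition is on the Azure Certificate Authority details page). It shows why a Sub CA pin breaks at the first intermediate roll, why the current root alone breaks once the root moves, and how a staged pin set gives the recommended fallback path.

```python
import hashlib
from enum import Enum

# Constructed stand-ins for DER-encoded certificates (not real Azure certificates).
# A pin is sha256 over the DER bytes, the same value that
# `openssl x509 -noout -fingerprint -sha256` prints for a certificate.
ROOT_CURRENT = b"constructed DER: current root CA"
ROOT_NEW = b"constructed DER: new root CA"
SUBCA_CURRENT = b"constructed DER: current Sub CA (expires April 2026)"
SUBCA_NEW = b"constructed DER: new Sub CA (issued from January 2026)"
LEAF = b"constructed DER: Attested data signing certificate"

# Constructed, simplified sequence of chains a client may see across the transition.
TIMELINE = [
    [LEAF, SUBCA_CURRENT, ROOT_CURRENT],  # today
    [LEAF, SUBCA_NEW, ROOT_CURRENT],      # Sub CA rotated, same root
    [LEAF, SUBCA_NEW, ROOT_NEW],          # root rotated as well
]

class Verdict(Enum):
    ACCEPT = "accept"
    ACCEPT_REFRESH_PINS = "accept via staged pin; primary pin set needs refreshing"
    REJECT = "reject"

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def check_pins(chain, primary_pins, staged_pins=frozenset(), pin_intermediate=False):
    """chain is leaf-first. The pinned certificate is the root (chain[-1]) unless
    pin_intermediate is set, which pins the issuing Sub CA (chain[1]) instead.
    staged_pins holds the announced next CA set, loaded ahead of time: matching it is
    the fallback path, accepted but flagged so operators update the primary set."""
    fp = fingerprint(chain[1] if pin_intermediate else chain[-1])
    if fp in primary_pins:
        return Verdict.ACCEPT
    if fp in staged_pins:
        return Verdict.ACCEPT_REFRESH_PINS
    return Verdict.REJECT

def simulate(primary, staged=frozenset(), pin_intermediate=False):
    """Verdict for each stage of the (constructed) rotation timeline."""
    pins = {fingerprint(c) for c in primary}
    staged_fps = {fingerprint(c) for c in staged}
    return [check_pins(ch, pins, staged_fps, pin_intermediate) for ch in TIMELINE]

if __name__ == "__main__":
    print("Sub CA pin only:     ", [v.name for v in simulate([SUBCA_CURRENT], pin_intermediate=True)])
    print("current root only:   ", [v.name for v in simulate([ROOT_CURRENT])])
    print("both roots pinned:   ", [v.name for v in simulate([ROOT_CURRENT, ROOT_NEW])])
    print("root + staged root:  ", [v.name for v in simulate([ROOT_CURRENT], staged=[ROOT_NEW])])
```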


Help and Support

If you have questions, get answers from community experts here: Azure Instance Metadata Service Attested data certificate changes FAQ - Microsoft Q&A.

If you have a support plan and need technical help, please create a support request following the instructions provided here: Azure Virtual Machine support and help options - Azure Virtual Machines | Microsoft Learn

Updated Oct 10, 2025
Version 12.0