The following blog contains important information about TLS certificate changes for Azure Storage endpoints that may impact client connectivity.

Azure Storage uses some intermediate certificates that are set to expire on 27th June,2024. We will be rolling out new certificates for the expiring intermediate certificates starting March 2024. Please note that this change is a part of regular maintenance where expiring intermediate certificates need to be replaced by new ones.

We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). Please note there is no change to the root certificate – even if the Root certificate CA is pinned, the TLS connection should continue to work as the Root CA certificate is not changing. Intermediate CAs are typically rarely pinned. Intermediate certificates are expected to change more frequently than root certificates. Customers who use certificate pinning are recommended not to take dependencies on intermediate CAs being pinned and instead pin to the root certificate as it rolls less frequently. Certificate pinning is no longer considered the best practice. In scope Azure Storage services include Blob, File, Table, Queue, Static Website, ADLS Gen2. This change is limited to public Azure cloud and US Government cloud. There are no changes in other sovereign clouds like Azure China.

If any client application has pinned to the current intermediate CAs listed in the table below, action may be required to prevent disruption to connectivity to Azure Storage.

Action Required

• Add the issuing intermediate CA Microsoft Azure TLS Issuing CAs to your trusted root store only if your client app pins intermediate CAs. Keep using the current intermediate CAs until the certificates are updated. 

• Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications. 

How to check

If your client application has pinned to following CAs, we recommend taking the following steps -

Microsoft Azure TLS Issuing CA 01,

Microsoft Azure TLS Issuing CA 02,

Microsoft Azure TLS Issuing CA 05,

Microsoft Azure TLS Issuing CA 06

• If you're an application developer, search your source code for any of the following references for the CAs that is changing or expiring mentioned in Table1 below. If there's a match and you still have a requirement to continue pinning to intermediate CAs, then to prevent disruption due to this change, update the application to include the new CAs using the table in section "Certificate Renewal Summary".
  
  • Certificate thumbprints
  • Subject Distinguished Names
  • Common Names
  • Serial numbers
  • Public keys
  • Other certificate properties 

• If your client application integrates with Azure APIs or other Azure services and you're unsure if it uses certificate pinning, check with the client application vendor.

For more information about the Azure Certificate Authority(CA), please refer to Azure Certificate Authority details | Microsoft Learn

Table1

Certificate Renewal Summary

The table below provides information about the certificates that will roll out starting March 2024, replacing the ones in above table. Depending on which certificate your service uses for establishing TLS connections, action may be needed to prevent loss of connectivity. Please refer to How to Check section above to take required steps

Help and support

If you have questions, get answers from community experts in Microsoft Q&A. If you need to validate your changes, we can provide a test environment on demand for your convenience to verify prior to March 2024. To request a test storage account, please open a support request with the options below and a member from our engineering team will get back to you.  For any other help from support, please create a support request with the options below too-

1. For Issue type, select Technical.
2. For Subscription, select your subscription.
3. For Service, select My services.
4. For Service type, select Blob Storage.
5. For Resource, select the Azure resource you are creating a support request for.
6. For Summary, enter #storagecertificatetest.
7. For Problem type, select Connectivity
8. For Problem subtype, select Dropped or terminated connections