Blog Post

Azure Storage Blog
4 MIN READ

Azure Storage TLS changes: Intermediate certificate renewals

Nandita_Chakraborti's avatar
Sep 21, 2023

The following blog contains important information about TLS certificate changes for Azure Storage endpoints that may impact client connectivity.

 

Azure Storage uses some intermediate certificates that are set to expire on 27th June,2024. We will be rolling out new certificates for the expiring intermediate certificates starting March 2024. Please note that this change is a part of regular maintenance where expiring intermediate certificates need to be replaced by new ones.

 

We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). Please note there is no change to the root certificate – even if the Root certificate CA is pinned, the TLS connection should continue to work as the Root CA certificate is not changing. Intermediate CAs are typically rarely pinned. Intermediate certificates are expected to change more frequently than root certificates. Customers who use certificate pinning are recommended not to take dependencies on intermediate CAs being pinned and instead pin to the root certificate as it rolls less frequently. Certificate pinning is no longer considered the best practice. In scope Azure Storage services include Blob, File, Table, Queue, Static Website, ADLS Gen2. This change is limited to public Azure cloud and US Government cloud. There are no changes in other sovereign clouds like Azure China.

 

If any client application has pinned to the current intermediate CAs listed in the table below, action may be required to prevent disruption to connectivity to Azure Storage.

 

Action Required

  • Add the issuing intermediate CA Microsoft Azure TLS Issuing CAs to your trusted root store only if your client app pins intermediate CAs. Keep using the current intermediate CAs until the certificates are updated. 

  • Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications. 

How to check

If your client application has pinned to following CAs, we recommend taking the following steps -

Microsoft Azure TLS Issuing CA 01,

Microsoft Azure TLS Issuing CA 02,

Microsoft Azure TLS Issuing CA 05,

Microsoft Azure TLS Issuing CA 06

  • If you're an application developer, search your source code for any of the following references for the CAs that is changing or expiring mentioned in Table1 below. If there's a match and you still have a requirement to continue pinning to intermediate CAs, then to prevent disruption due to this change, update the application to include the new CAs using the table in section "Certificate Renewal Summary".
    • Certificate thumbprints
    • Subject Distinguished Names
    • Common Names
    • Serial numbers
    • Public keys
    • Other certificate properties 
  • If your client application integrates with Azure APIs or other Azure services and you're unsure if it uses certificate pinning, check with the client application vendor.

For more information about the Azure Certificate Authority(CA), please refer to Azure Certificate Authority details | Microsoft Learn

 

Table1

Subject

Thumbprint

Issuer

NotBefore

NotAfter

CN=Microsoft Azure TLS Issuing CA 01, O=Microsoft Corporation, C=US

2F2877C5D778C31E0F29C7E371DF5471BD673173

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2020-07-29 12:30:00.0000000

2024-06-27 23:59:59.0000000

CN=Microsoft Azure TLS Issuing CA 02, O=Microsoft Corporation, C=US

E7EEA674CA718E3BEFD90858E09F8372AD0AE2AA

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2020-07-29 12:30:00.0000000

2024-06-27 23:59:59.0000000

CN=Microsoft Azure TLS Issuing CA 05, O=Microsoft Corporation, C=US

6C3AF02E7F269AA73AFD0EFF2A88A4A1F04ED1E5

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2020-07-29 12:30:00.0000000

2024-06-27 23:59:59.0000000

CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=US

30E01761AB97E59A06B41EF20AF6F2DE7EF4F7B0

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2020-07-29 12:30:00.0000000

2024-06-27 23:59:59.0000000

 

Certificate Renewal Summary

The table below provides information about the certificates that will roll out starting March 2024, replacing the ones in above table. Depending on which certificate your service uses for establishing TLS connections, action may be needed to prevent loss of connectivity. Please refer to How to Check section above to take required steps

Subject

Thumbprint

Issuer

NotBefore

NotAfter

CN=Microsoft Azure RSA TLS Issuing CA 03, O=Microsoft Corporation, C=US

F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2023-06-08 00:00:00.0000000

2026-08-25 23:59:59.0000000

CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US

BE68D0ADAA2345B48E507320B695D386080E5B25

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2023-06-08 00:00:00.0000000

2026-08-25 23:59:59.0000000

CN=Microsoft Azure RSA TLS Issuing CA 07, O=Microsoft Corporation, C=US

3382517058A0C20228D598EE7501B61256A76442

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2023-06-08 00:00:00.0000000

2026-08-25 23:59:59.0000000

CN=Microsoft Azure RSA TLS Issuing CA 08, O=Microsoft Corporation, C=US

31600991ED5FEC63D355A5484A6DCC787EAD89BC

CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

2023-06-08 00:00:00.0000000

2026-08-25 23:59:59.0000000

 

 

Help and support

If you have questions, get answers from community experts in Microsoft Q&A. If you need to validate your changes, we can provide a test environment on demand for your convenience to verify prior to March 2024. To request a test storage account, please open a support request with the options below and a member from our engineering team will get back to you.  For any other help from support, please create a support request with the options below too-

  1. For Issue type, select Technical.
  2. For Subscription, select your subscription.
  3. For Service, select My services.
  4. For Service type, select Blob Storage.
  5. For Resource, select the Azure resource you are creating a support request for.
  6. For Summary, enter #storagecertificatetest.
  7. For Problem type, select Connectivity
  8. For Problem subtype, select Dropped or terminated connections  

 

Updated Jan 29, 2024
Version 8.0
  • Hello,

     

    There is a note "networking infrastructure has pinned to any of the certificates". Can somebody give me a hint on how can I check this in my infra?

  • GlennG-TM's avatar
    GlennG-TM
    Copper Contributor

    What's happen if the application is a Microsoft application that actually use one of these intermediate certificates ? Does we will need to reinstall a new version of the application where it will understand new intermediate certificate or pin to root certificates or the actual application will understand the new certificate... because it seem the same one will not be renewed ?

     

    Here, I'm talking about Azure Arc agent for Windows Server 2012 R2 ESU licence mechanism where it use the "CN=Microsoft Azure TLS Issuing CA 01, O=Microsoft Corporation, C=US" which one will end on June 2024.

  • jasonaliganga's avatar
    jasonaliganga
    Copper Contributor

    Hi, how can I check this?
    Is there any steps on to check and solve the issue?

    Newbie here using azure, thank you.

  • JL-91's avatar
    JL-91
    Copper Contributor

    Does Enterprise Applications include in this?

  • InViCtUs360's avatar
    InViCtUs360
    Copper Contributor

    The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates describe a subset of the requirements that a certification authority must meet in order to issue digital certificates for SSL/TLS servers to be publicly trusted by browsers. Except where explicitly stated otherwise, the requirements apply only to events that occur on or after the requirement’s effective date.

    The requirements do not address all of the issues relevant to the issuance and management of publicly-trusted certificates, and the CA/Browser Forum may update the requirements to address both existing and emerging threats to online security.

    The current version of the requirements only addresses certificates used for authenticating servers accessible through the Internet.  Similar requirements for code signing, S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions.

    The requirements also do not address the issuance, or management of certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only and where the root certificate is not distributed by browsers.

    Vetting of Certificate Applicants pursuant to the Baseline Requirements

    The Baseline Requirements require CAs to verify all contents of a certificate, except information contained in the organizational unit field, a degree of diligence. For certificates issued to domain names only, the CA confirms that, as of the date the Certificate was issued, the applicant either is the registrant of the domain name or has control over the FQDN.  This can be done through an automated, challenge-response email.  A similar requirement applies for verifying the assignment or control of IP addresses.  Certification Authorities issuing organizationally-vetted certificates (certificates with identity information) verify the name and address of the applicant using reliable information sources, such as a government agency in the jurisdiction of the Applicant’s legal creation, existence, or recognition or a reliable third party database. The CA also confirms the authenticity of the certificate request through some means of reliable communication with the organization (i.e. they verify that the certificate requester is an authorized employee/agent within the subscribing organization).  For certificates issued to individuals, the CA verifies the individual’s identity using a government-issued photo ID that is inspected for indication of alteration or falsification.

    Since 2012, the Baseline Requirements have been incorporated.