Hi,
We are using the Azure IoT Hub service on our IoT device with a self-signed device certificate (even though this is irrelevant), and we are not using the Azure IoT SDK. We have our own truststore and are not using the OS-provided truststore. In our truststore we have the Baltimore CyberTrust Root with Thumbprint: d4de20d05e66fc53fe1a50882c78db2852cae474 and Expiration: Monday, May 12, 2025, 4:59:00 PM. We are not using any intermediate certificate for the TLS communication.
As far as I can understand there is no impact currently, but my worry is: what happens once the Baltimore CyberTrust Root expires on Monday, May 12, 2025, 4:59:00 PM? What is the future plan? Which will be the new ROOT CA?
As mentioned/recommended in the post, we have to use the additional ROOT CAs mentioned below in the IoT devices:
- http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt (Thumbprint: 73a5e64a3bff8316ff0edccc618a906e4eae4d74)
- https://cacerts.digicert.com/DigiCertGlobalRootG2.crt (Thumbprint: df3c24f9bfd666761b268073fe06d1cc8d4f82a4)
What is the guarantee that, after the Baltimore CyberTrust Root expiration, the new server certificate issued on Azure IoT Hub will be one from the above-mentioned ROOT CAs?
Our IoT devices are expected to be operational beyond 2025, and we cannot replace or add new ROOT CAs on our devices, either physically or remotely. After the Baltimore CyberTrust Root expiration, if the IoT Hub server certificate is issued by some other ROOT CA, then our devices will become non-operational.
Kindly suggest the best way to address this issue.
Currently, do we have any provision to use a server certificate issued by our own private KMS/self-signed on the Azure IoT Hub service?
Thank you!
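As an added illustration of the check the post is asking about (not code from the post or from Azure), the Go program below audits a device's PEM truststore: for each certificate it computes the SHA-1 thumbprint over the DER bytes, matches it against the three thumbprints quoted in the post, and reports whether the root is still within its validity period at a chosen cut-off date such as the Baltimore expiry. `SelfSignedRootPEM` only generates constructed, throw-away test certificates so the audit can be exercised offline; it is not one of the real roots.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ExpectedRoots maps the SHA-1 thumbprints quoted in the post to the root names.
var ExpectedRoots = map[string]string{
	"d4de20d05e66fc53fe1a50882c78db2852cae474": "Baltimore CyberTrust Root",
	"73a5e64a3bff8316ff0edccc618a906e4eae4d74": "Microsoft RSA Root Certificate Authority 2017",
	"df3c24f9bfd666761b268073fe06d1cc8d4f82a4": "DigiCert Global Root G2",
}

// RootStatus is the audit result for one certificate found in the trust store.
type RootStatus struct {
	Thumbprint string // SHA-1 over the DER encoding, lower-case hex
	Name       string // "" when the thumbprint is not one of ExpectedRoots
	ValidAt    bool   // still inside its validity period at the cut-off date
}

// AuditTrustStore parses every PEM block in a bundle as a certificate and reports
// whether it is an expected root and whether it is still valid at cutoff (e.g. 2025-05-12).
func AuditTrustStore(bundle []byte, cutoff time.Time) ([]RootStatus, error) {
	var out []RootStatus
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		tp := fmt.Sprintf("%x", sha1.Sum(b.Bytes)) // thumbprint = SHA-1 of DER bytes, not of PEM
		valid := !cutoff.Before(cert.NotBefore) && cutoff.Before(cert.NotAfter)
		out = append(out, RootStatus{tp, ExpectedRoots[tp], valid})
	}
	return out, nil
}

// SelfSignedRootPEM builds a constructed, throw-away self-signed CA that expires at
// notAfter, so the audit can be exercised offline (test data only, not a real root).
func SelfSignedRootPEM(notAfter time.Time) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: notAfter.AddDate(-10, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil { return nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Run it against the device's real bundle with the cut-off set to the Baltimore expiry: any entry with an empty Name is a root the post does not expect, and any entry with ValidAt false is an anchor the device will no longer be able to rely on at that date.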