DigiCert introduced a new CA which reuses the signing key of an existing and still-valid CA. This means there are 2 different CA certificates in circulation, and either can be included in the chain built for a certificate signed by this shared key. Existing certificates declared in Service Fabric clusters by subject with issuer pinning are at risk of spontaneously failing validation.
This issue affects any SF cluster whose cluster certificate is a DigiCert-issued X.509 certificate and which meets both of the following conditions:
b) The cluster certificate is signed by one of the 2 conflicting CAs; you can determine whether that is the case by examining either the certificate's extensions or its chain, as follows:
The cluster certificate configuration can be found in the ARM resource of your Service Fabric cluster. If your cluster is not configured using the above properties, you may disregard the rest of this post.
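As an added example (not part of the original post or of Service Fabric itself), the following PowerShell, run on a cluster node, reads the cluster certificate's Authority Key Identifier, lists every locally trusted CA certificate whose Subject Key Identifier matches it, shows which of those the Windows chain engine actually selects, and compares that issuer's thumbprint against a list of pinned issuer thumbprints. Both parameters are assumed inputs you supply from your own cluster configuration.

```powershell
# Added example: report which issuer certificate a cluster certificate chains to and
# whether that issuer's thumbprint is among the pinned ones. Parameters are hypothetical.
param(
    [Parameter(Mandatory)] [string]   $ClusterCertThumbprint,        # thumbprint of the cluster cert
    [string[]]                        $PinnedIssuerThumbprints = @() # issuer thumbprints you have pinned
)

# Key identifier from the Subject Key Identifier extension (OID 2.5.29.14), uppercase hex.
function Get-SubjectKeyId($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if ($ext) { return $ext.SubjectKeyIdentifier.ToUpper() }
}

# Key identifier from the Authority Key Identifier extension (OID 2.5.29.35), uppercase hex.
# .NET formats it as "KeyID=xx xx xx ..."; only the keyid field is taken.
function Get-AuthorityKeyId($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
    if ($ext -and $ext.Format($false) -match 'KeyID=([0-9a-fA-F ]+)') {
        return ($Matches[1] -replace ' ', '').ToUpper()
    }
}

$leaf = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $ClusterCertThumbprint }
if (-not $leaf) { throw "Certificate $ClusterCertThumbprint not found in Cert:\LocalMachine\My" }
$aki = Get-AuthorityKeyId $leaf
"Cluster cert AKI: $aki"

# Two CA certificates sharing one signing key share this key identifier, so every one of them
# present in the local stores is a valid issuer for the chain engine to pick.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
    Where-Object { (Get-SubjectKeyId $_) -eq $aki })
"Issuer certificates holding that key locally: $($candidates.Count)"
$candidates | ForEach-Object { "  $($_.Thumbprint)  $($_.Subject)  (valid until $($_.NotAfter))" }

# Build the chain the way the platform does and see which candidate was actually selected.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($leaf)
if ($chain.ChainElements.Count -lt 2) { throw 'No issuer element in the built chain' }
$issuer = $chain.ChainElements[1].Certificate
"Issuer selected by chain build: $($issuer.Thumbprint)  $($issuer.Subject)"

if ($PinnedIssuerThumbprints.Count -gt 0) {
    $pinned = $PinnedIssuerThumbprints | ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpper() }
    if ($pinned -contains $issuer.Thumbprint) { 'OK: the selected issuer is pinned.' }
    else { "WARNING: selected issuer $($issuer.Thumbprint) is not pinned; validation would fail." }
    $unpinned = @($candidates | Where-Object { $pinned -notcontains $_.Thumbprint })
    if ($unpinned.Count -gt 0) { "WARNING: $($unpinned.Count) same-key issuer certificate(s) are not pinned." }
}
```

If the candidate count is greater than one and any of those thumbprints is missing from the pinned list, the cluster is exposed to the failure mode described above whenever the chain engine happens to select the unpinned CA certificate.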
If you have any questions or concerns, please contact us by opening a support request. In addition, here are your general support options for Service Fabric: Learn about Azure Service Fabric Support options - Azure Service Fabric | Microsoft Docs.