The following blog containsimportant information about TLS certificate changes for Azure Storage endpoints that may impact client connectivity.
Azure Storage uses some intermediate certificates that are set to expire on 27th June,2024. We will be rolling out new certificates for the expiring intermediate certificates starting March 2024.
We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). Certificate pinning is no longer considered the best practice. In scope Azure Storage services include Blob, File, Table, Queue, Static Website, ADLS Gen2. This change is limited to public Azure cloud and US Government cloud. There are no changes in other sovereign clouds like Azure China.
If any client application has pinned to the current intermediate CAs listed in the table below, action is required to prevent disruption to connectivity to Azure Storage.
Add the issuing certificate authority to your trusted root store.Keep using the current intermediate certificate authorities until they’re updated.
Or,to avoid the effects of this update and future certificate updates, discontinue certificate pinningin your applications.
How to check
If your client application or networking infrastructure has pinned to any of the certificates listed in the table below, then search your source code for the thumbprint, Common Name, and other cert properties of any of the intermediate CAs. If there is a match, then your application will be impacted, immediate action is required:
CN=Microsoft Azure TLS Issuing CA 01, O=Microsoft Corporation, C=US
Intermediate certificates are expected to change more frequently than root CA. Customers who use certificate pinning are recommended not to take dependencies on them and instead pin to the root certificate as it rolls less frequently.
If you are currently pinning to the intermediate CAs and have a requirement to continue pinning to intermediate CAs, to prevent disruption due to this change, you should update the source code to add the intermediate Microsoft Azure TLS Issuing CAs listed in the table below to the trusted store.
Certificate Renewal Summary
The table below provides information about the certificates that will roll out starting March 2024, replacing the ones in above table. Depending on which certificate your service uses for establishing TLS connections, action may be needed to prevent loss of connectivity. Please refer to action required section above to take required steps
CN=Microsoft Azure RSA TLS Issuing CA 03, O=Microsoft Corporation, C=US