The following blog contains important information about TLS certificate changes for Azure Storage endpoints that may impact client connectivity.
Azure Storage uses some intermediate certificates that are set to expire on 27th June,2024. We will be rolling out new certificates for the expiring intermediate certificates starting March 2024. Please note that this change is a part of regular maintenance where expiring intermediate certificates need to be replaced by new ones.
We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). Please note there is no change to the root certificate – even if the Root certificate CA is pinned, the TLS connection should continue to work as the Root CA certificate is not changing. Intermediate CAs are typically rarely pinned. Intermediate certificates are expected to change more frequently than root certificates. Customers who use certificate pinning are recommended not to take dependencies on intermediate CAs being pinned and instead pin to the root certificate as it rolls less frequently. Certificate pinning is no longer considered the best practice. In scope Azure Storage services include Blob, File, Table, Queue, Static Website, ADLS Gen2. This change is limited to public Azure cloud and US Government cloud. There are no changes in other sovereign clouds like Azure China.
If any client application has pinned to the current intermediate CAs listed in the table below, action may be required to prevent disruption to connectivity to Azure Storage.
Action Required
How to check
If your client application has pinned to following CAs, we recommend taking the following steps -
Microsoft Azure TLS Issuing CA 01,
Microsoft Azure TLS Issuing CA 02,
Microsoft Azure TLS Issuing CA 05,
Microsoft Azure TLS Issuing CA 06
For more information about the Azure Certificate Authority(CA), please refer to Azure Certificate Authority details | Microsoft Learn
Table1
|
Subject
|
Thumbprint
|
Issuer
|
NotBefore
|
NotAfter
|
|
CN=Microsoft Azure TLS Issuing CA 01, O=Microsoft Corporation, C=US
|
2F2877C5D778C31E0F29C7E371DF5471BD673173
|
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
|
2020-07-29 12:30:00.0000000
|
2024-06-27 23:59:59.0000000
|
|
CN=Microsoft Azure TLS Issuing CA 02, O=Microsoft Corporation, C=US
|
E7EEA674CA718E3BEFD90858E09F8372AD0AE2AA
|
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
|
2020-07-29 12:30:00.0000000
|
2024-06-27 23:59:59.0000000
|
|
CN=Microsoft Azure TLS Issuing CA 05, O=Microsoft Corporation, C=US
|
6C3AF02E7F269AA73AFD0EFF2A88A4A1F04ED1E5
|
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
|
2020-07-29 12:30:00.0000000
|
2024-06-27 23:59:59.0000000
|
|
CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=US
|
30E01761AB97E59A06B41EF20AF6F2DE7EF4F7B0
|
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
|
2020-07-29 12:30:00.0000000
|
2024-06-27 23:59:59.0000000
|
Certificate Renewal Summary
The table below provides information about the certificates that will roll out starting March 2024, replacing the ones in above table. Depending on which certificate your service uses for establishing TLS connections, action may be needed to prevent loss of connectivity. Please refer to How to Check section above to take required steps
|
Subject
|
Thumbprint
|
Issuer
|
NotBefore
|
NotAfter
|
|
CN=Microsoft Azure RSA TLS Issuing CA 03, O=Microsoft Corporation, C=US
|
F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6
|
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
|
2023-06-08 00:00:00.0000000
|
2026-08-25 23:59:59.0000000
|
|
CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US
|
BE68D0ADAA2345B48E507320B695D386080E5B25
|
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
|
2023-06-08 00:00:00.0000000
|
2026-08-25 23:59:59.0000000
|
|
CN=Microsoft Azure RSA TLS Issuing CA 07, O=Microsoft Corporation, C=US
|
3382517058A0C20228D598EE7501B61256A76442
|
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
|
2023-06-08 00:00:00.0000000
|
2026-08-25 23:59:59.0000000
|
|
CN=Microsoft Azure RSA TLS Issuing CA 08, O=Microsoft Corporation, C=US
|
31600991ED5FEC63D355A5484A6DCC787EAD89BC
|
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
|
2023-06-08 00:00:00.0000000
|
2026-08-25 23:59:59.0000000
|
Help and support
If you have questions, get answers from community experts in Microsoft Q&A. If you need to validate your changes, we can provide a test environment on demand for your convenience to verify prior to March 2024. To request a test storage account, please open a support request with the options below and a member from our engineering team will get back to you. For any other help from support, please create a support request with the options below too-
- For Issue type, select Technical.
- For Subscription, select your subscription.
- For Service, select My services.
- For Service type, select Blob Storage.
- For Resource, select the Azure resource you are creating a support request for.
- For Summary, enter #storagecertificatetest.
- For Problem type, select Connectivity
- For Problem subtype, select Dropped or terminated connections
