The following blog contains important information about TLS certificate changes for Azure Storage endpoints that may impact client connectivity.
Azure Storage uses some intermediate certificates that are set to expire on 27 June 2024. We will be rolling out new certificates to replace the expiring intermediate certificates starting March 2024. This change is part of regular maintenance: expiring intermediate certificates must be replaced by new ones.
We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if it explicitly specifies a list of acceptable CAs (a practice known as "certificate pinning"). There is no change to the root certificate: even if the root CA certificate is pinned, the TLS connection should continue to work, because the root CA certificate is not changing. Intermediate CAs are rarely pinned, and intermediate certificates are expected to change more frequently than root certificates. Customers who use certificate pinning are advised not to depend on pinned intermediate CAs and instead to pin the root certificate, which rolls less frequently. Certificate pinning is no longer considered a best practice. In-scope Azure Storage services are Blob, File, Table, Queue, Static Website and ADLS Gen2. This change is limited to the public Azure cloud and the US Government cloud; there are no changes in other sovereign clouds such as Azure China.
If any client application has pinned to the current intermediate CAs listed in the table below, action may be required to prevent disruption to connectivity to Azure Storage.
Add the new issuing intermediate CAs (listed in the second table below) to your trusted certificate store only if your client application pins intermediate CAs. Keep trusting the current intermediate CAs until the certificates have been updated.
If your client application has pinned to any of the following CAs, we recommend taking the steps described above:
Microsoft Azure TLS Issuing CA 01,
Microsoft Azure TLS Issuing CA 02,
Microsoft Azure TLS Issuing CA 05,
Microsoft Azure TLS Issuing CA 06
If your client application integrates with Azure APIs or other Azure services and you're unsure if it uses certificate pinning, check with the client application vendor.
For more information about the Azure Certificate Authority (CA), refer to Azure Certificate Authority details | Microsoft Learn.
Table 1

| Subject | Thumbprint | Issuer | NotBefore | NotAfter |
|---|---|---|---|---|
| CN=Microsoft Azure TLS Issuing CA 01, O=Microsoft Corporation, C=US | 2F2877C5D778C31E0F29C7E371DF5471BD673173 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2020-07-29 12:30:00.0000000 | 2024-06-27 23:59:59.0000000 |
| CN=Microsoft Azure TLS Issuing CA 02, O=Microsoft Corporation, C=US | E7EEA674CA718E3BEFD90858E09F8372AD0AE2AA | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2020-07-29 12:30:00.0000000 | 2024-06-27 23:59:59.0000000 |
| CN=Microsoft Azure TLS Issuing CA 05, O=Microsoft Corporation, C=US | 6C3AF02E7F269AA73AFD0EFF2A88A4A1F04ED1E5 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2020-07-29 12:30:00.0000000 | 2024-06-27 23:59:59.0000000 |
| CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=US | 30E01761AB97E59A06B41EF20AF6F2DE7EF4F7B0 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2020-07-29 12:30:00.0000000 | 2024-06-27 23:59:59.0000000 |
The table below lists the certificates that will roll out starting March 2024, replacing the ones in the table above. Depending on which certificate your service uses to establish TLS connections, action may be needed to prevent loss of connectivity. Refer to the How to Check section above for the required steps.
| Subject | Thumbprint | Issuer | NotBefore | NotAfter |
|---|---|---|---|---|
| CN=Microsoft Azure RSA TLS Issuing CA 03, O=Microsoft Corporation, C=US | F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2023-06-08 00:00:00.0000000 | 2026-08-25 23:59:59.0000000 |
| CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US | BE68D0ADAA2345B48E507320B695D386080E5B25 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2023-06-08 00:00:00.0000000 | 2026-08-25 23:59:59.0000000 |
| CN=Microsoft Azure RSA TLS Issuing CA 07, O=Microsoft Corporation, C=US | 3382517058A0C20228D598EE7501B61256A76442 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2023-06-08 00:00:00.0000000 | 2026-08-25 23:59:59.0000000 |
| CN=Microsoft Azure RSA TLS Issuing CA 08, O=Microsoft Corporation, C=US | 31600991ED5FEC63D355A5484A6DCC787EAD89BC | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | 2023-06-08 00:00:00.0000000 | 2026-08-25 23:59:59.0000000 |
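As an added example (not Microsoft's code and not part of this post), the script below uses the thumbprints from the two tables to rehearse a pin policy against the served chain before and after the rotation, showing why a root pin survives the change while an intermediate pin does not; it also turns `openssl s_client -showcerts` output into thumbprints so you can compare a live endpoint against Table 1. The root and leaf thumbprints, the sample PEM bytes and the "any pinned certificate in the chain is accepted" rule are assumptions, not values from the post.

```python
import base64
import hashlib
import re

# Intermediate CAs retiring on 2024-06-27, copied from Table 1 in the post.
RETIRING = {
    "2F2877C5D778C31E0F29C7E371DF5471BD673173": "Microsoft Azure TLS Issuing CA 01",
    "E7EEA674CA718E3BEFD90858E09F8372AD0AE2AA": "Microsoft Azure TLS Issuing CA 02",
    "6C3AF02E7F269AA73AFD0EFF2A88A4A1F04ED1E5": "Microsoft Azure TLS Issuing CA 05",
    "30E01761AB97E59A06B41EF20AF6F2DE7EF4F7B0": "Microsoft Azure TLS Issuing CA 06",
}
# DigiCert Global Root G2 is unchanged; its thumbprint is not in the post, so a labelled
# placeholder stands in for it (as does the leaf's) in the rehearsal chains below.
ROOT_THUMBPRINT = "ROOT-G2-THUMBPRINT-PLACEHOLDER"
LEAF_THUMBPRINT = "LEAF-THUMBPRINT-PLACEHOLDER"

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def chain_thumbprints(showcerts_output: str) -> list[str]:
    """SHA-1 thumbprints (upper-case hex, the format used in the post's tables) of every
    certificate in `openssl s_client -connect <account>.blob.core.windows.net:443 -showcerts`
    output, leaf first. Any hit in RETIRING means a pinned client is exposed."""
    return [hashlib.sha1(base64.b64decode("".join(body.split()))).hexdigest().upper()
            for body in PEM_BLOCK.findall(showcerts_output)]

def assess_pins(pinned: set[str], served_chain: list[str]) -> dict:
    """Rehearse a pin set against a served chain. Assumes the usual pinning rule: the
    handshake is accepted if any pinned thumbprint appears anywhere in the chain."""
    return {
        "connects": bool(pinned & set(served_chain)),
        "pinned_retiring": sorted(RETIRING[t] for t in pinned if t in RETIRING),
        "pins_root": ROOT_THUMBPRINT in pinned,
    }

def pem_block(der: bytes) -> str:
    """Wrap constructed bytes as a PEM block (sample input only, not a real certificate)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed chains, leaf first: before the rotation (CA 01) and after it (RSA CA 03, Table 2).
CHAIN_BEFORE = [LEAF_THUMBPRINT, "2F2877C5D778C31E0F29C7E371DF5471BD673173", ROOT_THUMBPRINT]
CHAIN_AFTER = [LEAF_THUMBPRINT, "F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6", ROOT_THUMBPRINT]
SAMPLE_SHOWCERTS = pem_block(b"constructed leaf") + pem_block(b"constructed intermediate")

if __name__ == "__main__":
    for label, pins in (("intermediate pin", {"2F2877C5D778C31E0F29C7E371DF5471BD673173"}),
                        ("root pin", {ROOT_THUMBPRINT})):
        print(f"{label}: before={assess_pins(pins, CHAIN_BEFORE)['connects']} "
              f"after={assess_pins(pins, CHAIN_AFTER)['connects']}")
```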
If you have questions, get answers from community experts in Microsoft Q&A. If you need to validate your changes, we can provide a test environment on demand so you can verify them before March 2024. To request a test storage account, open a support request with the options below and a member of our engineering team will get back to you. For any other help from support, also create a support request with the options below.