[Update 5/27/2021: We have published a new blog post with more up-to-date guidance. Please read the new one here]
Microsoft is updating Azure services in a phased manner to use TLS server certificates from a different set of Certificate Authorities (CAs) beginning August 13, 2020 and concluding approximately on November 16, 2020. We expect that most Azure IoT customers that interact with IoT Hub and DPS will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). This change is limited to services in public Azure cloud and no sovereign cloud like Azure China.
This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. This was reported on July 1, 2020 and impacts multiple popular Public Key Infrastructure (PKI) providers worldwide. Today, most of the TLS certificates used by Azure services are issued from the "Baltimore CyberTrust Root" PKI.
The following services used by Azure IoT devices will remain chained to the Baltimore CyberTrust Root*, but their TLS server certificates will be issued by new Intermediate Certificate Authorities (ICAs) starting October 5, 2020 progressing regionally on a measured deployment schedule:
If any client application or device has pinned to an Intermediate CA or leaf certificate rather than the Baltimore CyberTrust Root, immediate action is required to prevent disruption of IoT device connectivity to Azure.
* Other Azure service TLS certificates may be issued by a different PKI.
The table below provides information about the certificates that are being rolled. Depending on which certificate your device or gateway clients use for establishing TLS connections, action may be needed to prevent loss of connectivity.
Certificate |
Current |
Post Rollover (Oct 5, 2020) |
Action |
Root |
Thumbprint: d4de20d05e66fc53fe1a50882c78db2852cae474 OU = CyberTrust |
Not Changing |
None |
Intermediates |
Thumbprints:
CN = Microsoft IT TLS CA 1 Thumbprint: 417e225037fbfaa4f95761d5ae729e1aea7e3a42 ---------------------------------------------------- CN = Microsoft IT TLS CA 2 Thumbprint: 54d9d20239080c32316ed9ff980a48988f4adf2d ---------------------------------------------------- CN = Microsoft IT TLS CA 4 Thumbprint: 8a38755d0996823fe8fa3116a277ce446eac4e99 ---------------------------------------------------- CN = Microsoft IT TLS CA 5 Thumbprint: Ad898ac73df333eb60ac1f5fc6c4b2219ddb79b7 ----------------------------------------------------
Expiration: Friday, May 20, 2024 5:52:38 AM OU = Microsoft IT O = Microsoft Corporation L = Redmond S = Washington C = US |
Thumbprints:
CN = Microsoft RSA TLS CA 01 Thumbprint: 703d7a8f0ebf55aaa59f98eaf4a206004eb2516a ---------------------------------------------------- CN = Microsoft RSA TLS CA 02 Thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75 ----------------------------------------------------
Expiration: Tuesday, October 8, 2024 12:00:00 AM; O = Microsoft Corporation C = US |
Required |
Leaf (IoT Hub) |
Thumbprint: 8b1a359705188c5577cb2dcd9a06331807c0bb97 Subject Name: CN = *.azure-devices.net |
Thumbprint: Varies |
Required |
Leaf (DPS) |
Thumbprint: f568f692f3274ecbb479c94272d6f3344a3f0247 Subject Name: CN = *.azure-devices-provisioning.net |
Thumbprint: Varies |
Required |
Note: Both the intermediate and leaf certificates are expected to change frequently. We recommend not taking dependencies on them and instead pinning the root certificate as it rolls less frequently.
Update: The validation endpoints that were set up to facilitate testing of your devices against the new Intermediate CAs are no longer valid. If you are experiencing issues that surfaced after November 2020, please open a support request and describe the issue per the support section below.
We recommend performing some basic validation to mitigate any unintentional impact to your IoT infrastructure connecting to Azure IoT Hub and DPS. We have set up a test environment for your convenience to try out before we roll these certificates in production environments. The connection strings for this test environment are given below:
A successful TLS connection to the test environment indicates a positive test outcome - that your infrastructure will work as is with these changes. The test connection string for IoT Hub contains an invalid key, so once the TLS connection has been established, any run time operations performed against this test IoT Hub will fail. For DPS, since your device has not been formally enrolled in this specific DPS instance, it is expected to get an authorization error. This is by design since these resources exist solely for customers to validate their TLS connectivity. The test environment will be available until all public cloud regions have been updated.
If you have any technical questions on implementing these changes or help in performing validation in the test environment, please open a support request with the options below and a member from our engineering team will get back to you shortly.
Fig 1: Sample support request
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.