Updated January 16, 2024 – DPS Baltimore migration schedule has been updated. DPS will begin migration on January 15th, 2024, and conclude on September 30, 2024
Updated June 21, 2023 - No longer accepting extension requests for IoT Hub. Only IoT Central apps can now request extensions.
Updated March 15, 2023 - Added migration window for IoT Central Applications.
Updated January 18, 2023 - Added video walking through the timeline and action required.
Updated December 20, 2022 - The final Baltimore migration schedule has been published. IoT Hub will begin migration on February 15, 2023, and conclude on October 15, 2023. There will be a 3-month deployment freeze after which DPS will begin migration on January 15, 2024. Azure IoT's Baltimore migration will finally conclude on September 30, 2024.
Updated December 13, 2022 -- The Baltimore migration tool is now available. You can use this tool to migrate from the Baltimore CyberTrust Root to the DigiCert Global G2 Root on your own schedule, before the Microsoft-initiated migration begins on February 15th, 2023. For more information, see: Migrate IoT Hub resources to a new TLS certificate root.
Updated May 23, 2022 -- We have updated the test endpoints provided in the "Validation" section below with new SHA-256 based certificates. This will allow constrained devices to be able to continue using SHA-256 during TLS negotiations. Watch this space for updates about the self-migration tool coming soon!
Updated April 7, 2022 -- We have decided to postpone the start date of the Azure IoT root certificate migration from June 1st, 2022, to start no earlier than Feb 15th, 2023.
In the meantime, we are working on additional features to support you during this migration, including new testing endpoints for SHA-256 and a self-migration tool that you can use to move your own IoT hubs whenever you’re ready. We will continue to use this channel for updates and announcements, so stay tuned.
This blog post contains important information about TLS certificate changes for Azure IoT Hub and DPS endpoints that will impact IoT device connectivity.
In 2020 most Azure services were updated to use TLS certificates from Certificate Authorities (CAs) that chain up to the DigiCert Global G2 root. However, Azure IoT Hub and Device Provisioning Service (DPS) remained on TLS certificates issued by the Baltimore CyberTrust Root. Since Azure IoT Central is built on both Azure IoT Hub and DPS, IoT Central applications are also impacted by this migration. The time has now come to switch Azure IoT Hub and DPS off the Baltimore CyberTrust Root: both services will migrate to the DigiCert Global G2 root starting on February 15, 2023, and concluding on September 30, 2024. This change applies to these services in the public Azure cloud and does not impact sovereign clouds.
Why is this important? After the migration is complete, devices that do not trust the DigiCert Global Root G2 will no longer be able to connect to Azure IoT. You must make certain your IoT devices include the DigiCert Global Root G2 certificate in their trust store by February 15, 2023, to ensure your devices can connect after this change.
We expect that many Azure IoT customers have devices which will be impacted by this IoT service root CA update; specifically, smaller, constrained devices that specify a list of acceptable CAs.
Azure IoT Hub, DPS, and (through them) IoT Central applications will migrate from the Baltimore CyberTrust Root to the DigiCert Global G2 Root starting February 15, 2023, and completing on September 30, 2024.
If any client application or device does not have the DigiCert Global G2 Root in its certificate store, action is required to prevent disruption of IoT device connectivity to Azure.
We ask that you perform basic validation to mitigate any unforeseen impact to your IoT devices connecting to Azure IoT Hub and DPS. We are providing test environments for your convenience to verify that your devices can connect before we update these certificates in production environments.
This test can be performed using one of the endpoints provided (one for IoT Hub and one for DPS).
A successful TLS connection to the test environment is a positive result: your infrastructure and devices will work as-is and can connect after these changes. The credentials contain invalid data and are only good for establishing a TLS connection, so once the handshake completes any runtime operation (e.g. sending telemetry) performed against these services will fail. This is by design, since these test resources exist solely for customers to validate device TLS connectivity.
The credentials for the test environments are:
If the test described above with the TLS connection is not sufficient to validate your scenarios, you can request the creation of devices or enrollments for tests in special canary regions by contacting the Azure support team (see Support below).
The test environments will be available until all public cloud regions have completed their update to the new root CA.
If you have any technical questions on implementing these changes or to request the creation of your own device or enrollment for tests, please open a support request with the options below and a member from our engineering team will get back to you shortly.
We created a tool in the Azure portal to help you migrate your hubs from the Baltimore CyberTrust Root to the DigiCert Global G2 Root on your own schedule. We recommend the following process for migrating your hubs:
1. Confirm that your devices have both roots (Baltimore CyberTrust Root and DigiCert Global Root G2) installed, so they can validate either chain during the migration window.
2. Migrate your test hubs to the new root to understand the process and confirm that your devices all reconnect.
3. Finally, migrate your production hubs.
For more information, see: Migrate IoT Hub resources to a new TLS certificate root.
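As an added example (not from the original post and not a tool from the Azure IoT team), the following Python script covers the validation step above and step 1 of the migration process: it scans a device's PEM CA bundle for the two roots by the SHA-1 thumbprints listed in the certificate table on this page, and can then probe an endpoint with a trust store that contains only the new root. The hostnames, port and file paths it takes are assumptions; the test endpoints and credentials are not reproduced here, and the sample bundle used in its checks is constructed, not a real certificate.

```python
"""Check a device's CA bundle for the roots named on this page and, optionally,
probe a TLS endpoint with a trust store that holds only those roots.
Added example; stdlib only, no Azure SDK."""
import base64
import hashlib
import re
import socket
import ssl

# SHA-1 thumbprints taken from the certificate table on this page. They only
# identify the roots; trust still comes from chain validation, not the hash.
BALTIMORE_CYBERTRUST_ROOT_SHA1 = "d4de20d05e66fc53fe1a50882c78db2852cae474"
DIGICERT_GLOBAL_ROOT_G2_SHA1 = "df3c24f9bfd666761b268073fe06d1cc8d4f82a4"
REQUIRED_ROOTS = {
    "Baltimore CyberTrust Root": BALTIMORE_CYBERTRUST_ROOT_SHA1,
    "DigiCert Global Root G2": DIGICERT_GLOBAL_ROOT_G2_SHA1,
}

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def der_from_pem_bundle(bundle: str) -> list:
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_BLOCK.finditer(bundle)]


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes as one PEM CERTIFICATE block (used to build sample bundles)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def sha1_thumbprint(der: bytes) -> str:
    """Thumbprint as shown in the Azure portal / certificate table: SHA-1 over DER."""
    return hashlib.sha1(der).hexdigest()


def missing_roots(bundle: str, required=REQUIRED_ROOTS) -> list:
    """Names of required roots whose thumbprint is absent from the bundle.
    An empty list means the device can validate both the old and the new chain."""
    present = {sha1_thumbprint(der) for der in der_from_pem_bundle(bundle)}
    return [name for name, thumb in required.items() if thumb not in present]


def probe_tls(host: str, port: int = 8883, cafile: str = None,
              timeout: float = 10.0) -> dict:
    """Attempt a TLS handshake trusting only `cafile` (e.g. a PEM that holds just
    DigiCert Global Root G2; None falls back to the system store). A completed
    handshake means the trust store can validate the endpoint's chain; as the
    page notes, application-level calls against the test endpoints still fail.
    Host and port are assumptions: 8883 is IoT Hub's MQTT port."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"result": "ok", "version": tls.version(),
                        "subject": dict(rdn[0] for rdn in cert["subject"])}
    except ssl.SSLCertVerificationError as e:
        # The chain did not validate against cafile: the root is missing or wrong.
        return {"result": "verify-failed", "detail": e.verify_message}
    except (OSError, ssl.SSLError) as e:
        return {"result": "error", "detail": str(e)}


if __name__ == "__main__":
    import sys
    # usage: python check_roots.py <ca-bundle.pem> [hostname]   (paths assumed)
    with open(sys.argv[1]) as f:
        bundle = f.read()
    gaps = missing_roots(bundle)
    print("missing roots:", gaps or "none")
    if len(sys.argv) > 2:
        print(probe_tls(sys.argv[2], cafile=sys.argv[1]))
```

Run `missing_roots` against the bundle the device's TLS stack actually loads (for example an OpenSSL `ca-certificates.crt` file); if the anchors are compiled into firmware rather than read from a file, `probe_tls` run from the device itself, with a trust store holding only DigiCert Global Root G2, is the meaningful check. Keep Baltimore in the store until the migration window closes so the device validates whichever chain a given hub presents.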
The table below provides information about the certificates that are being updated. Depending on which certificate your device or gateway clients use for establishing TLS connections, action may be needed to prevent loss of connectivity.
Certificate | Current | Post Update (Feb 15, 2023 – Sept 30, 2024) | Action
Root | Subject Name: CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE; Thumbprint (SHA-1): d4de20d05e66fc53fe1a50882c78db2852cae474; Expiration: May 12, 2025 | Subject Name: CN = DigiCert Global Root G2, OU = www.digicert.com, O = DigiCert Inc, C = US; Thumbprint (SHA-1): df3c24f9bfd666761b268073fe06d1cc8d4f82a4; Expiration: Friday, January 15, 2038 5:00:00 AM | Required
Intermediates | CN = Microsoft RSA TLS CA 01, Thumbprint: 417e225037fbfaa4f95761d5ae729e1aea7e3a42; CN = Microsoft RSA TLS CA 02, Thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75; both O = Microsoft Corporation, C = US; Expiration: Tuesday, October 8, 2024 12:00:00 AM | Thumbprints: will be provided once the test endpoints are updated. Stay tuned! | Required
Leaf (IoT Hub) | Subject Name: CN = *.azure-devices.net | Subject Name: (to be provided) | Required
Leaf (DPS) | Subject Name: CN = *.azure-devices-provisioning.net | Subject Name: (to be provided) | Required
Note: Both the intermediate and leaf certificates are expected to change frequently. Do not pin or otherwise take dependencies on them; trust only the root certificate and let normal chain validation handle the rest.