Updated May 23, 2022 -- We have updated the test endpoints provided in the "Validation" section below with new SHA-256 based certificates. This will allow constrained devices to be able to continue using SHA-256 during TLS negotiations. Watch this space for updates about the self-migration tool coming soon!
Updated April 7, 2022 -- We have decided to postpone the start date of the Azure IoT root certificate migration from June 1st, 2022, to start no earlier than Feb 15th, 2023.
In the meantime, we are working on additional features to support you during this migration, including new testing endpoints for SHA-256 and a self-migration tool that you can use to move your own IoT hubs whenever you’re ready. We will continue to use this channel for updates and announcements, so stay tuned.
This blog post contains important information about TLS certificate changes for Azure IoT Hub and DPS endpoints that will impact IoT device connectivity.
In 2020 most Azure services were updated to use TLS certificates from Certificate Authorities (CAs) that chain up to the DigiCert Global G2 root. However, Azure IoT Hub and Device Provisioning Service (DPS) remained on TLS certificates issued by the Baltimore CyberTrust Root. It is now time to switch Azure IoT Hub and DPS away from the Baltimore CyberTrust root: these services will migrate to the DigiCert Global G2 CA root starting in February 2023 and finish by or before September 2023. This change applies to these services in the public Azure cloud and does not impact sovereign clouds.
Why is this important? After the migration is complete, devices that do not trust the DigiCert Global G2 root will no longer be able to connect to Azure IoT. You must make certain your IoT devices include the DigiCert Global G2 root certificate by February 15, 2023, to ensure your devices can connect after this change.
We expect that many Azure IoT customers have devices which will be impacted by this IoT service root CA update; specifically, smaller, constrained devices that specify a list of acceptable CAs.
The following services used by Azure IoT devices will migrate from the Baltimore CyberTrust Root to the DigiCert Global G2 Root starting February 15, 2023, completing on or before September 2023.
Azure IoT Hub
Azure IoT Hub Device Provisioning Service (DPS)
If any client application or device does not have the DigiCert Global G2 Root in its certificate store, action is required to prevent disruption of IoT device connectivity to Azure.
Keep the Baltimore CyberTrust Root on your device until the transition period is complete; it is still needed to prevent connection interruption while regions are migrated.
If your client applications, devices, or networking infrastructure (e.g. firewalls) perform any sub-root (intermediate certificate) validation in code, immediate action is required:
If you have hard-coded properties such as Issuer, Subject Name, Alternative DNS names, or Thumbprint, you will need to modify them to reflect the properties of the new certificates.
If you keep this extra validation, it should cover all the certificates in the chain (old and new) to prevent future disruptions in connectivity.
If your devices (a) trust the DigiCert Global G2 root CA among others, (b) depend on the operating system certificate store that has OS updates enabled for getting these roots or (c) use the device/gateway SDKs as provided, then no action is required, but validation of compatibility would be prudent:
Please verify that your respective store contains both the Baltimore and the Global G2 roots for a seamless transition:
Ensure that the device SDKs in use, whether they rely on hard-coded certificates or on the language runtime's certificate store, have the DigiCert Global G2 root as appropriate.
We ask that you perform basic validation to mitigate any unforeseen impact to your IoT devices connecting to Azure IoT Hub and DPS. We are providing test environments for your convenience to verify that your devices can connect before we update these certificates in production environments.
This test can be performed using one of the endpoints provided (one for IoT Hub and one for DPS).
A successful TLS connection to the test environment indicates a positive result: your infrastructure and devices will work as-is and can connect after these changes. The credentials contain invalid data and are only good for establishing a TLS connection, so once that happens any run-time operations (e.g. sending telemetry) performed against these services will fail. This is by design, since these test resources exist solely for customers to validate device TLS connectivity.
Global Service Endpoint: g2-cert-dps.azure-devices-provisioning.net
ID SCOPE: 0ne002B1DF7
Registration ID: abc
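One way to run the connectivity check described above against the DPS test endpoint, and to replace the brittle hard-coded issuer/thumbprint checks the post warns about with ordinary chain verification against a trust store. This is an added example, not Microsoft's code or part of the Azure SDKs; the port (8883, MQTT over TLS) and the optional PEM bundle path are assumptions.

```python
import socket
import ssl

# Endpoint named in the post; the port is an assumption of this example.
DPS_TEST_ENDPOINT = "g2-cert-dps.azure-devices-provisioning.net"
TLS_PORT = 8883  # MQTT over TLS; DPS also answers HTTPS on 443


def rdn_to_dict(rdn_sequence):
    """Flatten ssl.getpeercert()'s ((('key', 'value'),), ...) form into a dict."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def check_tls_chain(host=DPS_TEST_ENDPOINT, port=TLS_PORT, ca_bundle=None, timeout=10.0):
    """Handshake with SNI plus full chain and hostname verification.

    ca_bundle=None uses the OS/runtime store, which is what the post asks you
    to check; pass a PEM file holding both the Baltimore and Global G2 roots to
    emulate a device that ships its own roots. Only the handshake is attempted,
    since the test endpoint exists solely for TLS connectivity checks.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    result = {"host": host, "verified": False, "subject": {}, "issuer": {}, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # leaf cert; returned only after verification
        result.update(verified=True, subject=rdn_to_dict(cert["subject"]),
                      issuer=rdn_to_dict(cert["issuer"]))
    except (ssl.SSLError, OSError) as exc:  # verification failures, timeouts, refused
        result["error"] = str(exc)
    return result


def diagnose(result):
    """Map a check_tls_chain() result onto the action the post describes."""
    if result["verified"]:
        return "pass: chain verified, issuer=%s" % result["issuer"].get("commonName")
    err = result["error"] or ""
    if "unable to get local issuer certificate" in err:
        return "fail: trust store lacks the root for this chain, add DigiCert Global G2"
    if "CERTIFICATE_VERIFY_FAILED" in err:
        return "fail: chain rejected, inspect any hard-coded issuer/thumbprint checks"
    return "error: " + err


if __name__ == "__main__":
    import sys
    bundle = sys.argv[1] if len(sys.argv) > 1 else None  # optional PEM bundle path
    print(diagnose(check_tls_chain(ca_bundle=bundle)))
```

Run it once against the OS store and once with a bundle containing only the roots your constrained devices actually ship; a "pass" in both cases is the positive result the post describes.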
If the test described above with the TLS connection is not sufficient to validate your scenarios, you can request the creation of devices or enrollments for tests in special canary regions by contacting the Azure support team (see Support below).
The test environments will be available until all public cloud regions have completed their update to the new root CA.
If you have any technical questions on implementing these changes or to request the creation of your own device or enrollment for tests, please open a support request with the options below and a member from our engineering team will get back to you shortly.
Issue Type: Technical
Service: Internet of Things/IoT SDKs
Problem type: Connectivity
Problem subtype: Unable to connect.
The table below provides information about the certificates that are being updated. Depending on which certificate your device or gateway clients use for establishing TLS connections, action may be needed to prevent loss of connectivity.