Azure IoT TLS: Critical changes are almost here! (…and why you should care)
Published May 27 2021 02:49 PM 104K Views
Microsoft

Updated January 16, 2024 – DPS Baltimore migration schedule has been updated. DPS will begin migration on January 15th, 2024, and conclude on September 30, 2024.

Updated June 21, 2023 - No longer accepting extension requests for IoT Hub. Only IoT Central apps can now request extensions.

Updated March 15, 2023 - Added migration window for IoT Central Applications.


Updated January 18, 2023 - Added video walking through the timeline and action required.

Updated December 20, 2022 - The final Baltimore migration schedule has been published. IoT Hub will begin migration on February 15, 2023, and conclude on October 15, 2023. There will be a 3-month deployment freeze after which DPS will begin migration on January 15, 2024. Azure IoT's Baltimore migration will finally conclude on September 30, 2024.

Updated December 13, 2022 - The Baltimore migration tool is now available. You can use this tool to migrate from the Baltimore CyberTrust Root to the DigiCert Global G2 Root on your own schedule, before the Microsoft-initiated migration begins on February 15th, 2023. For more information, see: Migrate IoT Hub resources to a new TLS certificate root.

Updated May 23, 2022 - We have updated the test endpoints provided in the "Validation" section below with new SHA-256 based certificates. This will allow constrained devices to continue using SHA-256 during TLS negotiations. Watch this space for updates about the self-migration tool coming soon!

Updated April 7, 2022 - We have decided to postpone the start date of the Azure IoT root certificate migration from June 1st, 2022, to start no earlier than Feb 15th, 2023.

In the meantime, we are working on additional features to support you during this migration, including new testing endpoints for SHA-256 and a self-migration tool that you can use to move your own IoT hubs whenever you're ready. We will continue to use this channel for updates and announcements, so stay tuned.

This blog post contains important information about TLS certificate changes for Azure IoT Hub and DPS endpoints that will impact IoT device connectivity.

In 2020 most Azure services were updated to use TLS certificates from Certificate Authorities (CAs) that chain up to the DigiCert Global G2 root. However, Azure IoT Hub and Device Provisioning Service (DPS) remained on TLS certificates issued by the Baltimore CyberTrust Root. Since Azure IoT Central leverages both Azure IoT Hub and DPS, IoT Central applications are also impacted by this migration. The time has now come for Azure IoT Hub and DPS to switch from the Baltimore CyberTrust CA root to the DigiCert Global G2 CA root, starting on February 15, 2023, and concluding on September 30, 2024. This change applies to these services in the public Azure cloud and does not impact sovereign clouds.

Why is this important? After the migration is complete, devices that do not trust the DigiCert Global G2 root will no longer be able to connect to Azure IoT. You must make certain your IoT devices include the DigiCert Global G2 root certificate by February 15, 2023, to ensure they can still connect after this change.

We expect that many Azure IoT customers have devices that will be impacted by this IoT service root CA update; specifically, smaller, constrained devices that specify a fixed list of acceptable CAs.

The following services used by Azure IoT devices will migrate from the Baltimore CyberTrust Root to the DigiCert Global G2 Root starting February 15, 2023, completing on September 30, 2024.

  1. Azure IoT Hub: February 15, 2023, to October 15, 2023
  2. Azure IoT Central: May 15, 2023, to October 15, 2023
  3. Azure IoT Hub Device Provisioning Service (DPS): January 15, 2024, to September 30, 2024

If any client application or device does not have the DigiCert Global G2 Root in their Certificate Stores, action is required to prevent disruption of IoT device connectivity to Azure.

Action Required

  1. Keep using Baltimore on your devices until the transition period is completed (necessary to prevent connection interruption).
  2. In addition to Baltimore, add the DigiCert Global Root G2 to your trusted root store.
  3. Make sure you are not pinning any intermediate or leaf certificates, and are using the public roots to perform TLS server validation.

How to check

  1. If your devices use a connection stack other than the ones provided in an Azure IoT SDK, then action is required:
    • To continue without disruption due to this change, Microsoft recommends that client applications or devices trust the DigiCert Global G2 root: DigiCert Global Root G2
    • To prevent future disruption, client applications or devices should also add the following root to the trusted store:
      Microsoft RSA Root Certificate Authority 2017
      (Thumbprint: 73a5e64a3bff8316ff0edccc618a906e4eae4d74)
  2. If your client applications, devices, or networking infrastructure (e.g. firewalls) perform any sub-root validation in code, immediate action is required:
    1. If you have hard-coded properties such as Issuer, Subject Name, Alternative DNS, or Thumbprint, you will need to modify them to reflect the properties of the new certificates.
    2. This extra validation, if done, should cover all the certificates to prevent future disruptions in connectivity.
  3. If your devices (a) trust the DigiCert Global G2 root CA among others, (b) depend on an operating system certificate store that receives these roots through OS updates, or (c) use the device/gateway SDKs as provided, then no action is required, but validating compatibility would be prudent:
    1. Verify that your respective store contains both the Baltimore and the Global G2 roots for a seamless transition:
      1. Instructions for Windows here
      2. Instructions for Ubuntu here
    2. Ensure that the device SDKs in use, whether they rely on hard-coded certificates or on the language runtime's store, have the DigiCert Global G2 root as appropriate.

Validation

We ask that you perform basic validation to mitigate any unforeseen impact to your IoT devices connecting to Azure IoT Hub and DPS. We are providing test environments for your convenience to verify that your devices can connect before we update these certificates in production environments.

This test can be performed using one of the endpoints provided (one for IoT Hub and one for DPS).

A successful TLS connection to the test environment is a positive result: your infrastructure and devices will work as-is and can connect after these changes. The credentials contain invalid data and are only good for establishing a TLS connection, so once that happens any runtime operations (e.g. sending telemetry) performed against these services will fail. This is by design, since these test resources exist solely for customers to validate device TLS connectivity.

The credentials for the test environments are:

  • IoT Hub endpoint: g2cert.azure-devices.net
  • Connection String: HostName=g2cert.azure-devices.net;DeviceId=TestDevice1;SharedAccessKey=iNULmN6ja++HvY6wXvYW9RQyby0nQYZB+0IUiUPpfec=
  • Device Provisioning Service (DPS):
    • Global Service Endpoint: g2-cert-dps.azure-devices-provisioning.net
    • ID SCOPE: 0ne002B1DF7
    • Registration ID: abc

If the TLS connection test described above is not sufficient to validate your scenarios, you can request the creation of devices or enrollments for tests in special canary regions by contacting the Azure support team (see Support below).

The test environments will be available until all public cloud regions have completed their update to the new root CA.
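The following script is an added example, not Microsoft's tooling and not part of the original post. It covers both the "How to check" steps above (confirm the device trust store holds both roots) and this validation section (confirm a TLS handshake to the test endpoints succeeds). It reads a PEM bundle such as Ubuntu's /etc/ssl/certs/ca-certificates.crt and reports, by SHA-1 thumbprint, whether the Baltimore CyberTrust Root and DigiCert Global Root G2 are present; the thumbprints and host names are the ones quoted in this post. With --probe it also opens a TLS connection to the IoT Hub and DPS test endpoints, validating the server against the trust store only, with no pinned intermediate or leaf. Port 8883 is an assumption (any TLS port of the endpoint would do for a handshake check), and SAMPLE_BUNDLE is constructed placeholder data rather than real certificates.

```python
"""Trust-store and endpoint checks for the Baltimore -> DigiCert Global Root G2
migration. Added example, not Microsoft's code. Root thumbprints and test host
names are quoted from the post; port and sample data are assumptions."""
import base64
import hashlib
import re
import socket
import ssl
import sys

# SHA-1 thumbprints quoted in the post's Certificate Summary (lowercase hex).
REQUIRED_ROOTS = {
    "Baltimore CyberTrust Root": "d4de20d05e66fc53fe1a50882c78db2852cae474",
    "DigiCert Global Root G2": "df3c24f9bfd666761b268073fe06d1cc8d4f82a4",
}

# Test endpoints quoted in the post. 8883 (MQTT over TLS) is assumed; only the
# TLS handshake is exercised, so the post's invalid device credentials are not needed.
TEST_ENDPOINTS = {
    "IoT Hub": "g2cert.azure-devices.net",
    "DPS": "g2-cert-dps.azure-devices-provisioning.net",
}

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_thumbprints(pem_text):
    """SHA-1 thumbprint of every certificate in a PEM bundle, in file order.
    A thumbprint is SHA-1 over the DER bytes, so only base64 decoding is needed."""
    thumbprints = []
    for body in _PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        thumbprints.append(hashlib.sha1(der).hexdigest())
    return thumbprints


def check_trust_store(pem_text, required=REQUIRED_ROOTS):
    """Map each required root name to whether its thumbprint is in the bundle."""
    present = set(pem_thumbprints(pem_text))
    return {name: tp.lower() in present for name, tp in required.items()}


def migration_ready(pem_text, required=REQUIRED_ROOTS):
    """True only when every required root is present: during the transition
    window a device must trust both Baltimore and DigiCert Global Root G2."""
    return all(check_trust_store(pem_text, required).values())


def probe_endpoint(host, port=8883, cafile=None, timeout=10):
    """TLS-connect to a test endpoint and return the leaf's (subject CN, issuer CN).
    Trust is anchored at a root in cafile (or the OS store when cafile is None);
    nothing is pinned. The issuer CN is an intermediate that the post says will
    change, so it is returned for inspection only, never for comparison."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(rdn[0] for rdn in cert["subject"])
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return subject.get("commonName"), issuer.get("commonName")


def make_pem(der_bytes):
    """Wrap raw bytes as a PEM certificate block (used to build the sample bundle)."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: two placeholder blocks that are NOT real certificates,
# so neither required root is found and the store is reported as not ready.
SAMPLE_BUNDLE = make_pem(b"constructed placeholder cert A") + make_pem(
    b"constructed placeholder cert B"
)


if __name__ == "__main__":
    # Usage: python check_roots.py /etc/ssl/certs/ca-certificates.crt [--probe]
    args = [a for a in sys.argv[1:] if a != "--probe"]
    bundle_path = args[0] if args else None
    if bundle_path:
        with open(bundle_path, encoding="utf-8", errors="ignore") as f:
            pem = f.read()
        for name, ok in check_trust_store(pem).items():
            print(f"{'OK     ' if ok else 'MISSING'} {name}")
        print("ready for migration:", migration_ready(pem))
    if "--probe" in sys.argv:
        for service, host in TEST_ENDPOINTS.items():
            try:
                cn, issuer = probe_endpoint(host, cafile=bundle_path)
                print(f"{service}: TLS OK, leaf CN={cn}, issued by {issuer}")
            except (ssl.SSLError, OSError) as exc:
                print(f"{service}: TLS FAILED ({exc})")
```

Run it against the bundle the device actually uses; the device is ready for the transition window only when both roots are reported present. The --probe step needs network access. If the probe succeeds with a cafile that contains only the two public roots, the device is validating the chain the way step 3 of Action Required asks, since neither the leaf CN nor the issuer CN was consulted to accept the connection.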

Support

If you have any technical questions on implementing these changes or to request the creation of your own device or enrollment for tests, please open a support request with the options below and a member from our engineering team will get back to you shortly.

  • Issue Type: Technical
  • Service: Internet of Things/IoT SDKs
  • Problem type: Connectivity
  • Problem subtype: Unable to connect.

Baltimore Migration Tool

We created a tool in the Azure portal to help you migrate your hubs from the Baltimore CyberTrust Root to the DigiCert Global G2 Root on your own schedule. We recommend the following process for migrating your hubs:

  1. Confirm that your devices have both roots installed.
  2. Migrate your test hubs to the new root to understand the process and confirm that your devices all reconnect.
  3. Finally, migrate your production hubs.

For more information, see: Migrate IoT Hub resources to a new TLS certificate root.

Certificate Summary

The table below provides information about the certificates that are being updated. Depending on which certificate your device or gateway clients use for establishing TLS connections, action may be needed to prevent loss of connectivity.

Certificate: Root
  Current:
    Thumbprint: d4de20d05e66fc53fe1a50882c78db2852cae474
    Expiration: Monday, May 12, 2025, 4:59:00 PM
    Subject Name: CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE
  Post Update (Feb 15, 2023 – Sept 1, 2023):
    Thumbprint: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
    Expiration: Friday, January 15, 2038 5:00:00 AM
    Subject Name: CN = DigiCert Global Root G2, OU = www.digicert.com, O = DigiCert Inc, C = US
  Action: Required

Certificate: Intermediates
  Current:
    CN = Microsoft RSA TLS CA 01, Thumbprint: 417e225037fbfaa4f95761d5ae729e1aea7e3a42
    CN = Microsoft RSA TLS CA 02, Thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75
    Expiration: Tuesday, October 8, 2024 12:00:00 AM
    Subject Name: O = Microsoft Corporation, C = US
  Post Update (Feb 15, 2023 – Sept 1, 2023):
    Thumbprints: will be provided once the test endpoints are updated. Stay tuned!
  Action: Required

Certificate: Leaf (IoT Hub)
  Current: Subject Name: CN = *.azure-devices.net
  Post Update (Feb 15, 2023 – Sept 1, 2023): Subject Name: CN = *.azure-devices.net
  Action: Required

Certificate: Leaf (DPS)
  Current: Subject Name: CN = *.azure-devices-provisioning.net
  Post Update (Feb 15, 2023 – Sept 1, 2023): Subject Name: CN = *.azure-devices-provisioning.net
  Action: Required

Note: Both the intermediate and leaf certificates are expected to change frequently. We recommend not taking dependencies on them and instead trusting the root certificate.