Microsoft

What is the issue?

We discovered an issue that affects verification of tenant certificates and we are resolving this by renewing the tenant CA certificates for all impacted tenants. As described in the blog Azure Sphere tenant CA certificate management: certificate rotation, the Azure Sphere tenant certificate authority (CA) certificates that were issued two years ago are being automatically renewed. The Azure Sphere 20.07 SDK, released on July 29, 2020, supports features with which you can download the renewed certificates for your tenants. For certificates created between June 16, 2020 21:00 UTC, and July 28, 2020 00:15 UTC, verification using OpenSSL may fail. The failure is due to a mismatched signature algorithm identifier in the certificate. The error does not compromise the security of these certificates.
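The mismatch described above is between the two places a certificate names its signature algorithm: RFC 5280 requires the AlgorithmIdentifier in TBSCertificate.signature to be identical to the outer Certificate.signatureAlgorithm, and OpenSSL checks that they agree before verifying the signature. The checker below is an added example, not Microsoft's code or part of the Azure Sphere SDK: it parses DER-encoded certificate bytes with a minimal stdlib-only DER reader and returns both OIDs, and the toy certificates it builds (`toy_cert`, with constructed version/serial fields only) are demonstration input, not real tenant CA certificates.

```python
# Added example, not Microsoft code: RFC 5280 says TBSCertificate.signature must equal
# Certificate.signatureAlgorithm; OpenSSL checks this and fails verification otherwise.
def der_read(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    pos = 0                                             # walk a constructed value
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        yield tag, v

def oid_to_str(body):
    """Decode an OBJECT IDENTIFIER body to dotted form."""
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                                # last byte of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def signature_algorithms(der):
    """Return (TBSCertificate.signature OID, Certificate.signatureAlgorithm OID)."""
    tbs, outer_alg, _bits = [v for _, v in der_children(der_read(der)[1])]
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                            # skip optional [0] version
        fields = fields[1:]
    inner_alg = fields[1][1]                            # fields[0] is serialNumber
    return (oid_to_str(next(der_children(inner_alg))[1]),
            oid_to_str(next(der_children(outer_alg))[1]))

def algorithms_match(der):
    """True when both signature-algorithm fields agree (what OpenSSL requires)."""
    inner, outer = signature_algorithms(der)
    return inner == outer

# Constructed toy certificates for demonstration (not real Azure Sphere tenant CA certs).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body               # short-form length is enough here
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")        # 1.2.840.113549.1.1.11
SHA1_RSA = bytes.fromhex("2a864886f70d010105")          # 1.2.840.113549.1.1.5

def toy_cert(inner_oid, outer_oid):
    # Minimal Certificate shell: version, serial, then the two algorithm fields.
    alg = lambda oid: tlv(0x30, tlv(0x06, oid) + b"\x05\x00")   # OID + NULL params
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg(inner_oid))
    return tlv(0x30, tbs + alg(outer_oid) + tlv(0x03, b"\x00" * 4))
```

For a PEM file, base64-decode the text between the BEGIN/END lines first and pass the resulting bytes to `algorithms_match`; a `False` result is the condition this known issue describes, and the fix is to download the renewed certificate rather than to edit the file.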


Who is impacted?

If the tenant CA certificate issuance date is after June 16, 2020 and before July 28, 2020, the tenant CA certificate may fail to verify with OpenSSL. The Azure Sphere Security Service will renew and activate all impacted certificates as a corrective measure.


What actions should you take?

Condition: You have not downloaded the tenant CA certificate or tenant CA certificate chain that was issued between June 16, 2020 and July 28, 2020. (If you run ‘azsphere ca list’ in your Azure Sphere Development command prompt, you will see this issue date listed as “Start date”.)

Instructions: You don’t have any actions to take and these instructions don’t apply to you.

Condition: You have downloaded the tenant CA certificate or tenant CA certificate chain that was issued between June 16, 2020 and July 28, 2020.

Instructions: Between August 5, 2020 and August 18, 2020, please follow the instructions below to ensure that there is no break in service.

  • Run ‘azsphere ca list’ in your Azure Sphere Development command prompt
  • Use the most recent certificate to register with Azure IoT Hub/Central or other third-party resources, following the instructions at https://docs.microsoft.com/en-us/azure-sphere/deployment/tenant-cert


For tenants that are impacted by this issue, the new and valid tenant CA certificates will be created by August 5, 2020. The new certificates will be activated after August 18, 2020. If you have any additional questions, please reach out to Microsoft Support (https://docs.microsoft.com/azure-sphere/resources/support).


Documentation Resources:

  • Manage the tenant CA certificate (https://docs.microsoft.com/azure-sphere/deployment/tenant-cert)
  • Set up the tenant CA certificate in Azure IoT Hub
  • Set up the tenant CA certificate in Azure IoT Central
  • Learn more about rolling certificates in Azure IoT Hub

1 Comment
Occasional Visitor

If 5/August is a project-internal date bearing no consequence to an external user, maybe it would be better to leave it out of the article. It just serves to confuse a reader looking to fix the issue. Example: https://github.com/Azure/azure-sphere-samples/issues/155#issuecomment-672105045


But of course, if it has a consequence, keep it in the article. But it does not appear so.