This blog contains important information about TLS certificate changes for Azure Cache for Redis endpoints that may impact client connectivity.
In 2020, most Azure services were updated to use TLS certificates from Certificate Authorities (CAs) that chain up to the DigiCert Global G2 root. However, Azure Cache for Redis, remained on TLS certificates issued by the Baltimore CyberTrust Root. Because the current Baltimore CyberTrust Root will expire in May 2025, now is the time for Azure Cache for Redis to switch to the DigiCert Global G2 CA Root*. The migration will start in May 2022, and finish by the end of June 2022 for public Azure cloud. For Azure Government regions, the migration is expected to start in July 2022, and complete by end of July 2022.
We expect that most Azure Cache for Redis customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). This change is limited to the public Azure cloud and Azure Government cloud. There are no changes in Azure sovereign cloud offerings.
If any of your client applications are pinned to the root CA Baltimore CyberTrust Root or current intermediate CAs listed in the table below, immediate action is required to prevent disruption to connectivity to Azure Cache for Redis.
* Other Azure service TLS certificates may be issued by a different PKI. *
Overview of Action Required
How to check if your client application is affected
Check if your application has pinned to
Search your source code for the thumbprint, Common Name, and other cert properties of any of the root CA or intermediate CAs. If there is a match, then your application will be impacted, immediate action is required.
Some more ways to detect if your application is affected as described here: Azure TLS Certificate Changes | Microsoft Docs
Action required
1. To continue without disruption due to this change, Microsoft recommends that, in addition to Baltimore, client applications or devices trust the root CA – DigiCert Global Root G2:
DigiCert Global Root G2
(Thumbprint: df3c24f9bfd666761b268073fe06d1cc8d4f82a4)
Intermediate certificates are expected to change more frequently than the root CAs. Customers who use certificate pinning are recommended to not take dependencies on them and instead pin to the root certificate as it rolls less frequently.
2. To prevent future disruption, you should also add the following roots to the trusted store. This will save you from the allowlist effort in near future if you add the recommended root CAs now:
3. If you are currently pinning to the intermediate CAs and have a requirement to continue pinning to intermediate CAs, to prevent future disruption, you should also add the intermediate Microsoft Azure ECC TLS CAs listed in the table below to the trusted store.
List of possible Root CAs is available here: Azure TLS Certificate Changes | Microsoft Docs
Support
If you have any questions, get answers from community experts in Microsoft Q&A. If you have completed step 1 and need technical help, please open a support request with the options below and a member from our engineering team will get back to you.
Certificate Renewal Summary
The table below provides information about the certificates that are being rolled out. Depending on which certificate your service uses for establishing TLS connections, action may be needed to prevent loss of connectivity.
Certificate |
Current |
Post Rollover (May 2022) |
Action |
Root |
Thumbprint (SHA1): d4de20d05e66fc53fe1a50882c78db2852cae474 OU = CyberTrust |
Thumbprint (SHA1): df3c24f9bfd666761b268073fe06d1cc8d4f82a4 Expiration: Friday, January 15, 2038 5:00:00 AM |
Required by April 30, 2022 |
Root |
|
Thumbprint (SHA1):
Thumbprint (SHA1):
Thumbprint (SHA1):
|
Recommended to prevent disruption |
Intermediates |
Thumbprints (SHA1):
CN = Microsoft RSA TLS CA 01 Thumbprint: 703d7a8f0ebf55aaa59f98eaf4a206004eb2516a
CN = Microsoft RSA TLS CA 02 Thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75
Expiration: Tuesday, October 8, 2024 12:00:00 AM. O = Microsoft Corporation C = US |
Thumbprints (SHA1):
CN = Microsoft Azure TLS Issuing CA 01 b9ed88eb05c15c79639493016200fdab08137af3
CN = Microsoft Azure TLS Issuing CA 02 Thumbprint: c5fb956a0e7672e9857b402008e7ccad031f9b08
CN = Microsoft Azure TLS Issuing CA 05 Thumbprint: 56f1ca470bb94e274b516a330494c792c419cf87
CN = Microsoft Azure TLS Issuing CA 06 Thumbprint: 8f1fd57f27c828d7be29743b4d02cd7e6e5f43e6
Expiration: Thursday, June 27, 2024 4:59:59 PM; Issuer = Microsoft RSA Root Certificate Authority 2017 O = Microsoft Corporation C = US
-------------------------------------------------------
CN = Microsoft Azure TLS Issuing CA 01 2f2877c5d778c31e0f29c7e371df5471bd673173
CN = Microsoft Azure TLS Issuing CA 02 Thumbprint: e7eea674ca718e3befd90858e09f8372ad0ae2aa
CN = Microsoft Azure TLS Issuing CA 05 6c3af02e7f269aa73afd0eff2a88a4a1f04ed1e5
CN = Microsoft Azure TLS Issuing CA 06 Thumbprint: 30e01761ab97e59a06b41ef20af6f2de7ef4f7b0
Expiration: Thursday, June 27, 2024 4:59:59 PM; Issuer = DigiCert Global Root G2 O = DigiCert Inc C = US
|
Required by April 30, 2022 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.