About "Update your trusted root store for Azure Storage services"

加賀崎 隼 185 Reputation points
2023-12-01T01:51:49.92+00:00

I received an email like the one below, but I don't know how to deal with it.

Add the issuing certificate authority to the trusted roots store. Continue to use your current intermediate certificate authority until it is updated.

The email says so, but I don't know how to update this intermediate TLS certificate. Which TLS certificate are you referring to and want to update? There seemed to be no pages related to certificate renewal on the "Storage Browser" screen.

In short, what this email is trying to say is that the intermediate TLS certificate is outdated and we would like you to update it.

ーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーー

Required action

If you have client applications that have pinned to intermediate certificate authorities, take one of these actions by 29 February 2024 to prevent interruptions to your connections:

Add the issuing certificate authorities to your trusted root store. Keep using the current intermediate certificate authorities until they're updated.

Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications.

ーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーー


Accepted answer
  1. Dillon Silzer 54,936 Reputation points
    2023-12-01T01:56:10.4633333+00:00

    Hello,

    If you set this up, I would verify whether you are utilizing Certificate Pinning. "We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). Certificate pinning is no longer considered the best practice."

    Cited from https://techcommunity.microsoft.com/t5/azure-storage-blog/azure-storage-tls-changes-intermediate-certificate-renewals/ba-p/3929149

    More about Certificate Pinning:

    https://learn.microsoft.com/en-us/azure/security/fundamentals/certificate-pinning

    Certificate pinning was originally devised as a means of thwarting Man-in-the-Middle (MITM) attacks. Certificate pinning first became popular in 2011 as the result of the DigiNotar Certificate Authority (CA) compromise, where an attacker was able to create wildcard certificates for several high-profile websites including Google. Chrome was updated to "pin" the current certificates for Google's websites and would reject any connection if a different certificate was presented. Even if an attacker found a way to convince a CA into issuing a fraudulent certificate, it would still be recognized by Chrome as invalid, and the connection rejected.


    If this is helpful please accept answer.
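
One way to carry out the check suggested in the answer above, as an added example that is not part of the original answer or any Microsoft tooling: a heuristic scan of client source and config files for signs of certificate pinning. The indicator list, the file suffixes and the sample files are assumptions constructed for illustration, and a hit means "review this line", not proof of pinning.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators of certificate pinning or a custom trust decision in client code.
# The thumbprint pattern also matches other 40/64-char hex strings (e.g. commit ids).
PIN_PATTERNS = {
    "dotnet-validation-callback": re.compile(
        r"ServerCertificate(Custom)?ValidationCallback"),
    "okhttp-certificate-pinner": re.compile(r"CertificatePinner"),
    "spki-sha256-pin": re.compile(r"sha256/[A-Za-z0-9+/]{43}="),
    "node-checkServerIdentity": re.compile(r"checkServerIdentity"),
    "hardcoded-thumbprint": re.compile(
        r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})(?![0-9A-Fa-f])"),
}
SOURCE_SUFFIXES = {".cs", ".java", ".kt", ".js", ".ts", ".py", ".json", ".config", ".xml"}

def scan_tree(root):
    """Return sorted (relative path, line number, indicator) tuples under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in PIN_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path.relative_to(root).as_posix(), lineno, name))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree; the file contents are made up for illustration."""
    samples = {
        "Uploader.cs": 'handler.ServerCertificateCustomValidationCallback = Check;\n'
                       'const string Pin = "' + "AB" * 20 + '";\n',
        "Api.kt": 'CertificatePinner.Builder().add("example.invalid", "sha256/'
                  + "A" * 43 + '=")\n',
        "plain.py": 'import urllib.request\nurllib.request.urlopen(url)\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, lineno, name in demo():
        print(f"{rel}:{lineno}: {name}")
```

Call `scan_tree()` on the root of each client application that talks to Azure Storage; an empty result suggests the application relies on the platform trust store, which is the case the quoted notice says is not expected to be impacted.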

