**Reminder** Azure TLS certificate changes

bharathn-msft 5,096 Reputation points Microsoft Employee
2020-10-06T00:42:59.357+00:00

Hello Azure Customers in the community,

For users that implement certificate pinning in their application code there are some Azure TLS certificate changes that could impact some of our customers. Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. We expect that most Azure customers will not be impacted. However, your application may be impacted if it explicitly specifies a list of acceptable CAs. To learn more please click here.

For any other further help, please reach out to our Support team via Azure portal. Thank you

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,667 questions
{count} votes

21 answers

Sort by: Most helpful
  1. David Bullock 21 Reputation points
    2020-10-20T01:30:13.123+00:00

    For all those worried people, Certificate Pinning is an alternative to trusting Root CA's. Your app (ie. an app that YOU wrote) chooses NOT to trust the Root CA's installed into the operating system's "trusted root certificate authorities", and instead verifies the certificate itself.

    You'll know IF you are doing this: your app is already hard-coded or requires special configuration for the trusted certificates.

    You'll know WHY you are doing this: you don't trust every single Root CA in your operating system's list of Root CA's (who even knows if the ones on your system are the ones that Microsoft put there via updates?!). Your app is security-critical, and it would be negligent of you not to batten down every hatch.

    Chances are high that your app instead trusts the Root CA's that the Operating System trusts. You opt for this convenience so that you don't have to bother with changing the certificate every few years, like this.

    3 people found this answer helpful.

  2. laughey 46 Reputation points
    2020-10-09T12:58:43.62+00:00

    Once again, Microsoft impresses with details pertaining to an upcoming or ongoing change and, at the same time, vagueness to provide adequate direction and ZERO support to meet their timelines.

    I love wasting 3 hours of my day attempting to understand (decode) how this affects me, if at all. As for the mention of needing further assistance, simply open (and pay for) a support ticket...for something Microsoft is doing. Regardless of reason, this position is classless.

    Free Advice: Adjust the fee structure in Azure to include hidden/built-in "basic support" for customers who need it (e.g., this being one such example). Call me silly, but Microsoft includes "support" in their 365 offerings, so why not do this with Azure? After all, 365 does run on Azure, no? GENIUS!

    2 people found this answer helpful.

  3. Manuel Montero 6 Reputation points
    2020-10-13T11:00:50.177+00:00

    Hi @bharathn-msft and thanks for the info.

    We are using GeoTrust certificates in our Application Services as well in our Cloud Services. For those I guess we should not be worried.
    But, where can I confirm we are not using any of the obsolete Certificates?

    1 person found this answer helpful.

  4. Pepe López Rincón 1 Reputation point
    2020-10-09T08:35:58.487+00:00

    I have doubts about if I will be impacted or not. Maybe, you can help me.

    The certificates my apps are using were issued by Go Daddy Secure Certification Authority. Do I have to do any change/update in my certificates/app services?

    Thanks in advance


  5. Mohanty, Vikram 6 Reputation points
    2020-10-09T12:55:06.253+00:00

    I am using Azure Face SDK for Python. Will that be affected? My app seems to be working fine. But I am not sure if I will be impacted or not.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.