This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello Azure Customers in the community,
For users that implement certificate pinning in their application code there are some Azure TLS certificate changes that could impact some of our customers. Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. We expect that most Azure customers will not be impacted. However, your application may be impacted if it explicitly specifies a list of acceptable CAs. To learn more please click here.
For any other further help, please reach out to our Support team via Azure portal. Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 55.00000000000001%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDP%3C/text%3E%3C/svg%3E)
what root CA will the azure API use
Hello,
I have some on-prem apps that are consuming an Azure API. It was very hard to identify which certs to add in the on-prem app's trust store already in order to ensure communication between them. Now can you please be more specific regarding which exact root CA will be used by the Azure APIs from the list you shared in the article?
"
TLS certificates used by Azure services will chain up to one of the following Root CAs:
WHAT IS CHANGING?
Common name of the CA Thumbprint (SHA1)
DigiCert Global Root G2 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
DigiCert Global Root CA a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
Baltimore CyberTrust Root d4de20d05e66fc53fe1a50882c78db2852cae474
D-TRUST Root Class 3 CA 2 2009 58e8abb0361533fb80f79b1b6d29d3ff8d5f00f0
Microsoft RSA Root Certificate Authority 2017 73a5e64a3bff8316ff0edccc618a906e4eae4d74
Microsoft EV ECC Root Certificate Authority 2017 6b1937abfd64e1e40daf2262a27857c015d6228d
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 87%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDJ%3C/text%3E%3C/svg%3E)
Hi,
We have a couple of Azure app services hosted in Azure, but we do not have explicitly hard-coded trusted root lists in our code. One of the app service use as a Remote event Receiver which triggers by a Sharepoint list.
Could you please let me know if these app services can get impacted by the change?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 99%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Hi
Not sure if my org will be impacted by this at all
Using win acme through Azure VM Windows Server 2012 R2 to issue SSL certs
Is there anything I need to action on my end to ensure not issues with our websites?
Thanks in advance
if your application code is not hard coded or configured to trust any of the following CAs or certs signed by any of the former then you won't get affected.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 39%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETK%3C/text%3E%3C/svg%3E)
My certificate is issued to me by Microsoft IT TLS CA 5 but it is not Microsoft IT TLS CA 5.crt. The name of my certificate is hardcoded in my code.
Will there be any impact? Thank you for your help!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 45%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQB%3C/text%3E%3C/svg%3E)
Azure services use a variety of PKIs. As described in the update, it's important that your clients trust all of the specified roots to ensure maximum compatibility with Azure services. While the Azure APIs use a particular root today, they may use a different root tomorrow. They may also use different roots based on their geolocation. It's important that your client trusts all the roots and not a specific one to avoid a potential outage.
If you are using ACME, I assume you are getting your certificates for Let's Encrypt. If that's the case, then your services won't be impacted. However, if you are also a client of Azure services, then your client must be updated to trust the roots provided.
Yes, certificates issued by Microsoft IT TLS CA 5 are in scope. You must take action.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 64%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
We are using Virtual machine using windows and Linux to host our applications and SQL Server for database. Does "Review your Azure Services Certificate Authorities" this impact any of the application or database hosts on azure VM.
Does this have an affect on enterprise applications in Azure AD? More specifically around applications we configure SSO for like Salesforce, Adobe Creative Cloud, etc.
Most likely not. If you have an application that calls into any Azure endpoint, you should verify that your application is not doing any certificate pinning. Certificate pinning is the practice of comparing properties of the certificate chain provided by the remote endpoint to a list of expected values. For example, you may have hard coded your application to expect a specific thumbprint, serial number, or common name value from the certificate so that only a specific certificate would be authorized. If you have such a configuration, you must take action.
Thank you for the confirmation.
@Mike Gowing Thank you for reaching out to us. . 3rd party services like Salesforce, Adobe are not impacted, whether or not it's an enterprise app in Azure AD is independent to the issue. Hope this information helps, please feel free to revert back if you have any further queries.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 43%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERR%3C/text%3E%3C/svg%3E)
In Azure portal regarding app services i have no concerns . I have a VM running windows in azure and i host few apps on that VM and for those certificate is provided by GO DADDY.com and we have the certificate service till 2021 by go daddy . Does this TLS certificate changes impact my VM and my app on VM? Awaiting your reply . Hope will get reply soon .
Many thanks .
In Azure portal regarding app services i have no concerns . I have a VM running windows in azure and i host few apps on that VM and for those certificate is provided by GO DADDY.com and we have the certificate service till 2021 by go daddy . Does this TLS certificate changes impact my VM and my app on VM? Awaiting your reply .
Certificates issued by GoDaddy are not in scope.
which means they wont be affected right because of TLS changes? Do we need to check anything?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 65%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
Hi,
I'm running a powerapps app connected to an Azure database. Does powerapps use certificate pinnings? Will apps running on the powerapps environment be effected by the TLS certificate changes?
Regards, Philip Salqvist
The services hosted on your VM that use your GoDaddy certificate are not affected and you don't need to do anything for them. However, if your VM has a custom client that consumes other services from Azure via an API, you should check your client code to ensure it either isn't performing certificate pinning or, if it is, that it will accept certs from the complete list of roots provided.
Assuming that you are asking about Microsoft Power Apps on Azure (https://azure.microsoft.com/en-us/products/powerapps/), then there is no action for you. Microsoft Power Apps on Azure does not perform certificate pinning natively.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 2%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E12%3C/text%3E%3C/svg%3E)
Hello.
I am using the "Microsoft Translator API" from my on-premises software.
Do I need to change my software with Azure TLS certificate changes?
Thank you for your help.
Most likely not. If you have an application that calls into any Azure endpoint, you should verify that your application is not doing any certificate pinning. Certificate pinning is the practice of comparing properties of the certificate chain provided by the remote endpoint to a list of expected values. For example, you may have hard coded your application to expect a specific thumbprint, serial number, or common name value from the certificate so that only a specific certificate would be authorized. If you have such a configuration, you must take action.
Thanks for the reply.
Let me confirm it a little more.
I am not using private endpoint or service endpoint from the software.
I am using the Microsoft Translator API from the software with a Cognitive service subscription key.
Therefore, it is not necessary to change the software.
Is this perception correct?
You will be OK.
We are verifying VMs by inspecting the attested data API. This returns a PKCS#7 message, signed by an included certificate that was issued by one of four "Microsoft IT TLS CA" intermediate certificates, in turn issued by the "Baltimore CyberTrust Root" CA. As announced on Azure TLS Certificate Changes, the Microsoft IT TLS CA certificates will be revoked on February 15, 2021. We are preparing for supporting unknown intermediate certificates that are issued by one of the 6 mentioned CAs.
My questions are:
@jwhitlock Thank you for reaching out, to further help can you please help share more information on what specific method name you are referencing with in the API. Looking forward to hear back from you. Thank you
The attested data API is reachable in a VM at a URL like
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/attested/document?api-version=2018-10-01&nonce=1234567890"
The return is JSON, partially shown here due to the character limits of this forum, see the attested data API documentation:
{
"encoding":"pkcs7",
"signature":"MIIEEgYJKoZIhvcNAQcCoIIEAzCCA/8C..."
}
The signature is the PKCS7 signed version of the document. The signing certificate is embedded in the message, and is issued by one of the 4 Microsoft IT TLS CA that are planned to be revoked and replaced.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 49%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQB%3C/text%3E%3C/svg%3E)
The Microsoft Azure Attestation API endpoints will remain on the Baltimore CyberTrust Root. They will be moving to one of the new intermediate CAs: Microsoft RSA TLS CA 01 and Microsoft RSA TLS CA 02. The ETA for this change for this specific endpoint is 12/1.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 43%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVN%3C/text%3E%3C/svg%3E)
Hi @bharathn-msft , I got a email from MS for Review your Azure Services Certificate Authorities.
We have integrated few applications with Azure AD as Enterprise application. Are those application impacted?
if your application code is not hard coded or configured to trust any of the following CAs or certs signed by any of the former then you won't get affected.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 45%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
We also received this notice and are not sure if this will affect us. I doubt we us any 'certificate pinning'. Thank you in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
@Walt If you are not using any certificate pinning or specify any azure certificate thumbprint , you should be good. However if you do , you may need to add 5 new root CA certificates as listed here. If you have any storage or ioT related azure assets , please check the linked articles for more details and mitigation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 81%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
I am using a NodeJS webapp that is accessed using an external subdomain from our main company website. We have an external SSL certificate from letsEncrypt that we had uploaded initially to setup the application. I could not exactly verify if we will be impacted or not?
Can you verify this for me?
if your application code is not hard coded or configured to trust any of the following CAs or certs signed by any of the former then you won't get affected.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 23%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPD%3C/text%3E%3C/svg%3E)
We use GoDaddy as our Certificate Authority for https://prospur.io. Please let me know, do we need to make any changes or updates in our certificate or app service? Thanks in Advance.
if your application code is not hard coded or configured to trust any of the following CAs or certs signed by any of the former then you won't get affected.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 20%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
We used a self-signed certificate. Will we be affected by these changes?
No. Self-signed certs are not affected.