“Baltimore CyberTrust Root” to “DigiCert Global G2 root” - How to test ?

DEEPAK KUMPALA 191

Hello All,

In our current setup, we have below services

Device Provisioning Service
IoT Hub

Device is first communicating with "Device Provisioning Service" and then it will be routed to mapped "IoT hub". But in below document we see "Migrate to Digicert to Global G2" is support given only for IoT Hub and not given for "Device Provisioning Service".

https://learn.microsoft.com/en-us/azure/iot-hub/migrate-tls-certificate?tabs=portal

Screenshot of the TLS certificate tab, select 'Migrate to DigiCert Global G2.'

So question is, How to we know if we are ready for migration?

AshokPeddakotla-MSFT 29,396 Reputation points

2023-02-14T15:56:45.8566667+00:00

DEEPAK KUMPALA Did you get a chance to see below suggestions? If the suggestions answers your query, do click Accept 'Answer' and 'Yes'. And, if you have any further queries do let us know.
DEEPAK KUMPALA 191 Reputation points

2023-02-15T06:10:10.1+00:00

Hi Ashok, "I see that my devices without the "DigiCert Global Root G2" are still able to connect!!! Does it mean, Microsoft supports both Baltimore and global root g2?
AshokPeddakotla-MSFT 29,396 Reputation points

2023-02-16T13:50:07.76+00:00

DEEPAK KUMPALA

"I see that my devices without the "DigiCert Global Root G2" are still able to connect!!! Does it mean, Microsoft supports both Baltimore and global root g2?

It will support only One certificate. As mentioned in the blog post shared earlier,

After the migration is complete, devices that don't have DigiCert Global G2 won't be able to connect to Azure IoT anymore. You must make certain your IoT devices include the DigiCert Global G2 root cert by February 15, 2023, to ensure your devices can connect after this change.

We expect that many Azure IoT customers have devices which will be impacted by this IoT service root CA update; specifically, smaller, constrained devices that specify a list of acceptable CAs.

Hence, suggest you to migrate your instances by using the Migration tool : Migrate IoT Hub resources to a new TLS certificate root

Hope this helps.

If the below response answers your query, do click 'Accept Answer' and 'Yes' if this answer helpful. And, if you have any further query do let us know.
AshokPeddakotla-MSFT 29,396 Reputation points

2023-02-23T03:08:01.4833333+00:00

DEEPAK KUMPALA Just checking in to see if the below answer helped.

If this answers your query, do click Accept Answer and Yes if this answer helpful. And, if you have any further query do let us know.
LeelaRajeshSayana-MSFT 13,871 Reputation points

2023-03-13T20:11:44.2066667+00:00

@DEEPAK KUMPALA We still have not heard back from you. Just wanted to check if the information provided below was helpful? If it answers your query, please do click Accept Answer and Yes for this answer, as it might be beneficial to other community members reading this thread. And, if you have any further query do let us know. Thank you

1 answer

AshokPeddakotla-MSFT 29,396 Reputation points

2023-02-13T09:44:09.1733333+00:00
DEEPAK KUMPALA Greetings!

So question is, How to we know if we are ready for migration?

Azure IoT Hub and Device Provisioning Service (DPS) use TLS certificates issued by the Baltimore CyberTrust Root, which expires in 2025. Starting in February 2023, all IoT hubs in the global Azure cloud will migrate to a new TLS certificate issued by the DigiCert Global Root G2.

You should start planning now for the effects of migrating your IoT hubs to the new TLS certificate:

Any device that doesn't have the DigiCert Global Root G2 in its certificate store won't be able to connect to Azure.

The IP address of the IoT hub will change.

To prepare for the migration, take the following steps before February 2023:

Note that, There is no manual migration option for Device Provisioning Service instances. That migration will happen automatically once all IoT hub instances have migrated. No additional action is required from you beyond having the new root certificate on your devices.

For more information about how to test whether your devices are ready for the TLS certificate migration, see the blog post Azure IoT TLS: Critical changes are almost here.

Also, see Migrate IoT Hub resources to a new TLS certificate root

Hope this helps.

If the suggestions answers your query, do click Accept Answer and Yes. And, if you have any further queries do let us know.
Please sign in to rate this answer.

1 person found this answer helpful.
Sander van de Velde 30,016 Reputation points MVP

2023-02-15T01:00:05.0633333+00:00

See also this post with some additional remarks.

DEEPAK KUMPALA 191 Reputation points

2023-02-15T05:41:38.6333333+00:00

"Any device that doesn't have the DigiCert Global Root G2 in its certificate store won't be able to connect to Azure."

I see that my devices without the "DigiCert Global Root G2" still able to connect!!! Does it mean, Microsoft supports both baltimore and global root g2?

DEEPAK KUMPALA 191 Reputation points

2023-02-15T05:46:42.71+00:00

Great article.

Sander van de Velde 30,016 Reputation points MVP

2023-02-15T09:28:15.93+00:00

Hello @DEEPAK KUMPALA ,

Does it mean, Microsoft supports both baltimore and global root g2?

the IoT Hub only supports one certificate for TLS-secured communication: now only Baltimore, later only global root g2.

You can switch already using that dialog in the Azure portal.

On the device, check again. Probably both certificates are there in the local cert store.

Great article.

Thanks. A like is appreciated.

Chari, Vijayaraghavan VIJCH 20 Reputation points

2023-08-03T04:54:38.8033333+00:00

Hi All, This is Vijay . We have tested our devices with IoT connectivity without the Microsoft RSA root certificate authority 2017. The connectivity works so my question is : Do we still need the RSA root certificate in the certificates ? Please clarify the best practice.

Sander van de Velde 30,016 Reputation points MVP

2023-08-03T07:43:36.2033333+00:00

Hello Vijay,

please turn this in a separate question. Then others with the same question are able to find it.
Sign in to comment

Share via

“Baltimore CyberTrust Root” to “DigiCert Global G2 root” - How to test ?

1 answer