what root CA will the azure API use

Question

Hello,
I have some on-prem apps that are consuming an Azure API. It was very hard to identify which certs to add in the on-prem app's trust store already in order to ensure communication between them. Now can you please be more specific regarding which exact root CA will be used by the Azure APIs from the list you shared in the article?

"
TLS certificates used by Azure services will chain up to one of the following Root CAs:

WHAT IS CHANGING?
Common name of the CA Thumbprint (SHA1)
DigiCert Global Root G2 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
DigiCert Global Root CA a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
Baltimore CyberTrust Root d4de20d05e66fc53fe1a50882c78db2852cae474
D-TRUST Root Class 3 CA 2 2009 58e8abb0361533fb80f79b1b6d29d3ff8d5f00f0
Microsoft RSA Root Certificate Authority 2017 73a5e64a3bff8316ff0edccc618a906e4eae4d74
Microsoft EV ECC Root Certificate Authority 2017 6b1937abfd64e1e40daf2262a27857c015d6228d
"

Answer 1

Hi @Dragos P

I believe you are referring to this article that talks about Azure TLS Certificate changes.
For APIM you can navigate to the developer portal URL from azure portal ex: https://yourAPIMInstancename.developer.azure-api.net/ to verify the Root CA and you will see the CA for APIM services will be DigiCert Global Root G2 df3c24f9bfd666761b268073fe06d1cc8d4f82a4 but please validate this for your APIM service. Please also verify "Will this change affect me" section for details.

Check for Certificate Validation

Click on Certificate Path and check for Root CA

Feel free to get back to me if you have any queries or concerns.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.