Clicked "Migrate to DigiCert Global G2" openssl s_client -connect show hub still using Baltimore

ExtraEgg 30 Reputation points


I created a brand new free tier test hub to make sure our devices can connect before and after cert migration.

I clicked on "Migrate to DigiCert Global G2" and after some time Azure said the operation had completed.

I verified with az iot hub certificate root-authority show --hub-name mytesthub

  "enableRootCertificateV2": true,
  "lastUpdatedTimeUtc": "2023-05-03T10:05:05.3113965Z"

Yet my test devices could still connect with only the Baltimore cert on old code without DigiCert, so I ran

openssl s_client -connect
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = Microsoft Corporation, CN = MSFT BALT RS256 CA
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *
verify return:1

Does this not show that the test hub is still using Baltimore?

I reverted the test hub back to Baltimore and then migrated again to DigiCert, yet the problem still persists.

Can I restart the hub to make it start using the new cert?

Or does it take a few hours for the cert to change?



3 answers

  1. Sander van de Velde 30,321 Reputation points MVP

    Hello @ExtraEgg,

    The DigiCert Global G2 is the new certificate to use.

    I have used the migration tool myself in the past and it worked well for me.

    Please give the service some time to get everything alright, it can take a couple of minutes.

    If this still does not work for you, a support ticket would be the next step.

    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.

    1 person found this answer helpful.

  2. ExtraEgg 30 Reputation points

    Our main hub in UK South was scheduled for automatic cert switch on the 18th and this morning I checked and it is indeed using the new DigiCert G2 root and all our devices are connected :)

    Happy Days.

    Definitely worth creating a test hub in a different region to make the manual cert switch actually work if yours is failing to change like ours was.

    1 person found this answer helpful.

  3. LeelaRajeshSayana-MSFT 13,871 Reputation points

    Hello @ExtraEgg, greetings! Welcome to the Microsoft Q&A forum. Thank you for posting the question here. Could you please confirm if the test devices that you have set up use any intermediate or leaf certificates? The documentation Migrate IoT Hub resources to a new TLS certificate root states that devices will lose connectivity if they explicitly look for an intermediate CA or leaf certificate.

    The documentation also points out that after you migrate to the new root certificate, it will take about 45 minutes for all devices to disconnect and reconnect with the new certificate if your devices use Azure IoT SDKs.

    You can check the migration status of the IoT Hub by clicking Certificates in the Security settings section and navigating to Hub root certificate tab. If the Certificate root says DigiCert Global G2, then the migration is complete.

    Please refer to the resource Azure IoT TLS: Critical changes to determine whether the devices are ready for certificate migration.


    The services team has identified a bug with the certificate update and is working on fixing the issue.

    Kindly let us know if you need any additional information on this in the comments below. We would be happy to help you.
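
The chain check from the question, turned into a repeatable test (an added example, not part of the original thread and not Microsoft tooling): it reads the `depth=N` verification lines that `openssl s_client` prints and reports which root the chain ends at. The function names `chain_root` and `root_status` are hypothetical, the Baltimore sample is the output posted in the question, and the DigiCert sample is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report which root CA a TLS chain ends at,
# using the "depth=N <subject>" lines openssl s_client prints while verifying.

# Print the subject of the highest-depth certificate, i.e. the chain's root.
chain_root() {
  awk '
    BEGIN { max = -1 }
    /^depth=[0-9]+ / {
      d = $1; sub(/^depth=/, "", d)
      if (d + 0 > max) { max = d + 0; root = $0; sub(/^depth=[0-9]+ /, "", root) }
    }
    END { if (max < 0) exit 1; print root }
  '
}

# Classify the root; both "CN = x" and "CN=x" spacings are accepted.
root_status() {
  _root=$(chain_root) || { echo "unknown"; return 1; }
  case "$_root" in
    *"CN = DigiCert Global Root G2"* | *"CN=DigiCert Global Root G2"*) echo "digicert-g2" ;;
    *"CN = Baltimore CyberTrust Root"* | *"CN=Baltimore CyberTrust Root"*) echo "baltimore" ;;
    *) echo "other: $_root" ;;
  esac
}

# Verification lines exactly as posted in the question.
BALTIMORE_SAMPLE='depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = Microsoft Corporation, CN = MSFT BALT RS256 CA
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = *
verify return:1'

# Constructed sample: intermediate and leaf names are placeholders.
DIGICERT_SAMPLE='depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = Example Org, CN = Example Issuing CA
verify return:1
depth=0 CN = hub.example.invalid
verify return:1'

printf '%s\n' "$BALTIMORE_SAMPLE" | root_status   # baltimore
printf '%s\n' "$DIGICERT_SAMPLE"  | root_status   # digicert-g2

# Live use (placeholders; the verify lines go to stderr, hence 2>&1):
#   openssl s_client -connect <hub-hostname>:<port> </dev/null 2>&1 | root_status
```

Running this before and after a migration, and again after the propagation window mentioned above, gives a record of when the served chain actually changed.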