Microsoft RSA Root Certificate Authority 2017 vs Digicert Global G2 understanding

Question

Hi,

As per the TLS certificate migration mentioned in https://learn.microsoft.com/en-us/azure/iot-hub/migrate-tls-certificate?tabs=portal, it says that we should also have 'Microsoft RSA Root Certificate Authority 2017' in case the DigiCert Global Root G2 is retired unexpectedly. So what does this mean? Is both the certificates same or logically how can the RSA stand by for Digi cert?

Kindly explain

Regards

Gomathi

Answer 1

Hi Gomathi

the recommendation is to have the 'Microsoft RSA Root Certificate Authority 2017' as a backup in case the 'DigiCert Global Root G2' certificate is retired unexpectedly. Let me explain the context and the relationship between these certificates:

DigiCert Global Root G2: This is a widely trusted root certificate authority (CA) that is used to issue SSL/TLS certificates. It is responsible for validating the authenticity of certificates issued by DigiCert.

Microsoft RSA Root Certificate Authority 2017: This is another root CA operated by Microsoft. It is used for issuing certificates and establishing trust in various Microsoft services and platforms.

In the case of the TLS certificate migration mentioned in the documentation, the primary certificate being used is the 'DigiCert Global Root G2' certificate. However, to ensure continuity and avoid any disruptions if the 'DigiCert Global Root G2' certificate is retired unexpectedly or becomes invalid, it is recommended to also have the 'Microsoft RSA Root Certificate Authority 2017' as a fallback option.

Having the 'Microsoft RSA Root Certificate Authority 2017' as a backup means that if the primary certificate is no longer valid or trusted, the 'Microsoft RSA Root Certificate Authority 2017' can be used to establish trust and ensure secure communication.

Logically, the RSA certificate is not standing by for the DigiCert certificate but rather acting as a fallback option if needed. It provides an alternative trust anchor in case the primary certificate becomes untrusted or retired.

It's important to follow the recommendations provided in the documentation and ensure that you have both the primary and backup certificates in place to ensure the secure operation of your services.

Answer 2

Hi @Velayutham, Gomathi Greetings! Welcome to Microsoft Q&A forum. Thank you for posting this question here.

As the document states, the Microsoft RSA Root Certificate Authority 2017 is meant to be used as a backup to prevent any disruptions if and when the DigiCert Global Root G2 is retired unexpectedly. The DigiCert Global Root G2 has a designated lifespan till 15/Jan/2038. However, this validity depends on different factors such as security vulnerabilities, industry standards, etc. The certificate authority determines the retirement date considering these parameters.

Since we do not have any control over it, adding the Microsoft RSA Root Certificate Authority 2017 is an additional safety measure to ensure that connectivity stays on even is something unexpected were to happen. Furthermore, I believe, this approach might help us transition smoothly if we were to upgrade to a different certificate authority in the future.

Here is the link to official documentation from Digicert which provides validity details of different root certificates.

Hope this answers your question. Please let us know if you need any further clarification.

---

If the response helped, please do click Accept Answer and Yes for the answer provided. Doing so would help other community members with similar issue identify the solution. I highly appreciate your contribution to the community.