Azure TLS証明書の更新の影響

natsu 1 Reputation point
2020-10-22T01:53:11.18+00:00

SQL Server in VM -Windows 上のIISにWebサイトをホストしており、そのWebサイトにはLet'sEncryptの証明書を設定しています。

AzureからTLS証明書の更新のアナウンスがされていますが、上記VMについて何か対応が必要でしょうか。

SQL Server on Azure Virtual Machines
{count} votes

1 answer

Sort by: Most helpful
  1. KarishmaTiwari-MSFT 17,237 Reputation points Microsoft Employee
    2020-10-22T23:07:16.897+00:00

    Are you using Azure VM?

    This FAQ will help answer whether you will be impacted or not. Please check.

    Will this change affect me?
    We expect that most Azure customers will not be impacted. However, your application may be impacted if it explicitly specifies a list of acceptable CAs. This practice is known as certificate pinning.

    Here are some ways to detect if your application is impacted:

    Search your source code for the thumbprint, Common Name, and other cert properties of any of the Microsoft IT TLS CAs found here. If there is a match, then your application will be impacted. To resolve this problem, update the source code include the new CAs. As a best practice, ensure that CAs can be added or edited on short notice. Industry regulations require CA certificates to be replaced within seven days and hence customers relying on pinning need to react swiftly.

    If you have an application that integrates with Azure APIs or other Azure services and you are unsure if it uses certificate pinning, check with the application vendor.

    Different operating systems and language runtimes that communicate with Azure services may require additional steps to correctly build the certificate chain with these new roots:

    Linux: Many distributions require you to add CAs to /etc/ssl/certs. For specific instructions, refer to the distribution’s documentation.
    Java: Ensure that the Java key store contains the CAs listed above.
    Windows running in disconnected environments: Systems running in disconnected environments will need to have the new roots added to the Trusted Root Certification Authorities store, and the intermediates added to the Intermediate Certification Authorities store.
    Android: Check the documentation for your device and version of Android.
    Other hardware devices, especially IoT: Contact the device manufacturer.
    If you have an environment where firewall rules are set to allow outbound calls to only specific Certificate Revocation List (CRL) download and/or Online Certificate Status Protocol (OCSP) verification locations. You will need to allow the following CRL and OCSP URLs:

    http://crl3.digicert.com
    http://crl4.digicert.com
    http://ocsp.digicert.com
    http://www.d-trust.net
    http://root-c3-ca2-2009.ocsp.d-trust.net
    http://crl.microsoft.com
    http://oneocsp.microsoft.com
    http://ocsp.msocsp.com

    Reference doc: https://learn.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes

    ----------

    Please 'Accept as answer' if it helped, so that it can be beneficial to other community members.

    0 comments No comments