How should I know that I am using certificate pinning, for Azure Storage services

Question

How should I know that I am using certificate pinning, for Azure Storage services

Shyam Surapaneni 20

How should I check that I am using certificate pinning, for Azure Storage services.

Alan Goldhammer 20 Reputation points

2023-12-01T18:48:48.33+00:00

I have a follow on question. I've received several emails from Microsoft about changes coming to Azure regarding certificate pinning. I have a simple static website that is hosted on Azure that I coded myself. I don't think I confronted this issue while I was coding and exporting the site to Azure. The only certificate that I had to worry about was the domain name certificate that I registered through Azure.

I am trying to figure out whether this announcement affects my site and how I check for this. From everything I have read thus far it appears that it won't but I would like confirmation.
Anand Prakash Yadav 7,860 Reputation points Microsoft External Staff

2023-12-07T12:59:20.6766667+00:00

Shyam Surapaneni, just checking in to see if the below-answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

4 answers

Your answer

Alan Goldhammer 20 Reputation points

2023-12-01T18:48:48.33+00:00

I have a follow on question. I've received several emails from Microsoft about changes coming to Azure regarding certificate pinning. I have a simple static website that is hosted on Azure that I coded myself. I don't think I confronted this issue while I was coding and exporting the site to Azure. The only certificate that I had to worry about was the domain name certificate that I registered through Azure.

I am trying to figure out whether this announcement affects my site and how I check for this. From everything I have read thus far it appears that it won't but I would like confirmation.
Anand Prakash Yadav 7,860 Reputation points Microsoft External Staff

2023-12-07T12:59:20.6766667+00:00

Shyam Surapaneni, just checking in to see if the below-answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

JimmySalian-2011 42,511

Hi Shyam,

Please check this page and this is in regards to the current circular by Microsoft to update the trusted root cert? If yes then read this article to understand the details of the Certificate pinning - https://learn.microsoft.com/en-gb/azure/security/fundamentals/certificate-pinning#certificate-pinning-limitations

Hope this helps.

JS

==

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Answer 2

Anand Prakash Yadav 7,860 Microsoft External Staff

Hello Shyam Surapaneni,

Thank you for posting your query here!

Certificate pinning is a security practice that involves associating a specific cryptographic public key with a particular web server. This is done to prevent man-in-the-middle attacks by ensuring that the client only accepts certificates signed by a trusted authority and matching the expected public key or certificate.

However, please note that traditional certificate pinning may not be directly applicable to Azure Storage services, as they typically rely on HTTPS for secure communication.

If you mean to detect certificate pinning in your application, you may refer to the following steps:
https://learn.microsoft.com/en-us/azure/security/fundamentals/certificate-pinning#how-to-address-certificate-pinning-in-your-application

Please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Anand Prakash Yadav 7,860 Reputation points Microsoft External Staff

2023-12-06T12:18:12.4766667+00:00

This change should not impact Azure portal and how it connects to storage.
Anand Prakash Yadav 7,860 Reputation points Microsoft External Staff

2023-12-06T12:20:02.4+00:00

Azure Storage uses some intermediate certificates that are set to expire on 27th June,2024. We expect that most Azure Storage customers will not be impacted, however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”)

To mitigate this issue, please check with your application developer if they are using certificate pinning in the application. If yes, you can follow either of the following steps:

Add the issuing certificate authorities to your trusted root store. Keep using the current intermediate certificate authorities until they’re updated. Refer Azure Storage TLS changes: Intermediate certificate renewals - Microsoft Community Hub

Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications.

To conclude certificate pinning is a technique used by the application developer. There is no need of extra configuration changed required from Azure Portal.

Please refer:

Azure Storage TLS changes: Intermediate certificate renewals - Microsoft Community Hub

Azure Storage TLS: Critical changes are almost here! (…and why you should care) - Microsoft Community Hub
Anand Prakash Yadav 7,860 Reputation points Microsoft External Staff

2023-12-11T12:28:32.3466667+00:00

Shyam Surapaneni, just checking in to see if the below-answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 3

Pedro Hermida 5

The original question was: "How should I know that I am using certificate pinning, for Azure Storage services". Unless I missed something, all I see is a copy past and a dissertation of what pinning is but not HOW TO KNOW.

In our case, we are using Synology Hyper Backup to backup data to Azure Storage, and we would really like to know if we are directly, indirectly, knowing or unknowingly, using pinning. So again, HOW TO KNOW.

SAMITSARKAR_MSFT 791 Reputation points Microsoft Employee

2023-12-01T15:24:17.3333333+00:00

Thank you for response.

Reading through the thread I understand you are talking about this context shared in the URL.

If that is scenario, to answer to your query "How should I know that I am using certificate pinning, for Azure Storage services".

You need to verify with your application developer, if the application or the networking infrastructure (check with your network team) has pinned to any of the certificates listed below.

The application developer will search the source code of that application for the thumbprint, Common Name, and other cert properties of any of the intermediate CAs. If there is a match, then your application will be impacted.

Hope this helps.

If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.

Thanks
Gouder, Pushpa 0 Reputation points

2023-12-01T18:46:43.1433333+00:00

Yes, i have the same question. How to check if we are using certificate pinning?
WJ 25 Reputation points

2023-12-01T20:08:27.8366667+00:00

I would like to know as well. We have a blob storage account configured in Azure that uses TLS 1.2.
SAMITSARKAR_MSFT 791 Reputation points Microsoft Employee

2023-12-02T01:13:01.52+00:00

You need to verify with your application developer, if the application or the networking infrastructure (check with your network team) has pinned to any of the certificates listed below.

The application developer will search the source code of that application for the thumbprint, Common Name, and other cert properties of any of the intermediate CAs listed below. If there is a match, then your application will be impacted.

Please refer https://techcommunity.microsoft.com/t5/azure-storage-blog/azure-storage-tls-changes-intermediate-certificate-renewals/ba-p/3929149
Van Vuite 111 Reputation points

2023-12-02T15:11:20.3066667+00:00

Do we have no one to understand such a simple QUESTION:

"The original question was: "How should I know that I am using certificate pinning, for Azure Storage services"." ?

Haven't seen anyone answer the question correctly!
Pedro Hermida 5 Reputation points

2023-12-04T21:03:43.4833333+00:00

For those like us that uses Azure Blob Storage from Synology NAS, the answer is:

Ticket # 3479748: Our senior engineer indicates that we don't utilize that feature, so you should be totally unaffected.

For the rest, good luck getting a straight answer from Microsoft ... unless you pay for ir!
Van Vuite 111 Reputation points

2023-12-07T13:17:27.8633333+00:00

It is such a shame we haven't found any, able to write down the steps like open this > click there > kick this > smack on this button > slide there > cut them > then you will know if you use a Pinning Certificate.

I have an existing ticket with Microsoft and they ask me to take a screenshot, elaborate more, provide logs etc... LOL

What on earth did Microsoft release such an announcement without professional documentation?

Hi Guys, please stop posting those helpless links and stop commenting use this link, go to that link, or swim into that link, unless you know the answer to the original question. Thanks to you all.
Warren Johns 0 Reputation points

2023-12-07T15:07:00.6333333+00:00

click there > kick this > smack on this button > slide there > cut them > then you will know if you use a Pinning Certificate

That might be the funniest thing I read in one of these forums in awhile - well played.

I have opened a ticket with VEEAM in our case, as it is apparent we will not get an answer here
Alan Goldhammer 20 Reputation points

2023-12-07T19:29:02.7233333+00:00

For all those who use FileZilla to interact with Azure storage (as I do to manage my static Blob Website), the application does not use Certificate Pinning. I just got a response on the FileZilla Pro forum.
Van Vuite 111 Reputation points

2023-12-18T10:11:15.2233333+00:00

I am still waiting for Microsoft experts or someone who can tell the world where we click and hit that could tell us if we have this spinning certificate, I truly believe this is a no-joke announcement from Microsoft.
Ronnie Garrett 1 Reputation point

2023-12-19T23:37:15.3033333+00:00

I have the same question as Van Vuite. We have 2 Azure tenants, have dozens of vendors and many, many applications and storage blobs in our tenants. It is not efficient just to go to each vendor and ask them to check. If I could get a straight answer from MS on where I can check myself for a pinned certificate thumbprint before going to our vendors, that would be very useful. Please don't post the same links as above as they have not helped me in any way.
Ronnie Garrett 1 Reputation point

2023-12-19T23:44:50.1633333+00:00

Double post.
Dipti Bawa 0 Reputation points

2023-12-20T12:54:42.68+00:00

I have the same question . We have 2 Azure tenants, have dozens of vendors and many, many applications and storage blobs in our tenants. It is not efficient just to go to each vendor and ask them to check. If I could get a straight answer from MS on where I can check myself for a pinned certificate thumbprint before going to our vendors, that would be very useful. Please don't post the same links as above as they have not helped me in any way.

Answer 4

Hi @Sumarigo-MSFT , couple of weeks back we received an email regarding certificate pinning on Azure storage, in that 3 of our subscriptions are tagged, wanted to understand how those subscriptions were identified and which storages from those subscriptions are impacted due to the certificate pinning and what could be the mitigation action. Could you please help me in understanding more about it. We followed the below article and tried to find out the reference to the certificates in our repo but those are not referred and as per our understanding we don't depend on certificate pinning. https://techcommunity.microsoft.com/t5/azure-storage-blog/azure-storage-tls-changes-intermediate-certificate-renewals/ba-p/3929149#:~:text=prevent%20connection%20interruption).-,How%20to%20check,-If%20your%20client.-,How%20to%20check,-If%20your%20client) Thanks for your support!

Share via

How should I know that I am using certificate pinning, for Azure Storage services

4 answers

Your answer