Action required: Update your trusted root store for Azure Storage services by 29 February 2024

Ankush Gurjar 160 Reputation points
2023-12-01T05:02:32.1866667+00:00

If you use certificate pinning, update your trusted root store for Azure Storage services by 29 February 2024

You're receiving this email because you use Azure Storage services.

Many Azure Storage services use intermediate TLS certificates that are set to expire in June 2024. In preparation, we'll begin rolling out updates in March for these expiring certificates in Blob Storage, Azure Files, Table Storage, Queue Storage, static websites, and Data Lake Storage Gen2 in the public Azure cloud and US Government cloud.

If you have client applications that still use certificate pinning, they'll be affected by this change and you'll need to take action by 29 February 2024 to avoid potential connection interruptions. Certificate pinning—when client applications explicitly specify a list of acceptable certificate authorities—is no longer a best practice.

Required action

If you have client applications that have pinned to intermediate certificate authorities, take one of these actions by 29 February 2024 to prevent interruptions to your connections:

  • Add the issuing certificate authorities to your trusted root store. Keep using the current intermediate certificate authorities until they're updated.
  • Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications.

I have Azure Blob storage in a production environment. What is the meaning of this alert, and how do I pin the certificate in the Azure portal?


Accepted answer
  1. SAMIT SARKAR 791 Reputation points Microsoft Employee
    2023-12-01T09:25:17.17+00:00

    Hi Ankush,

    Welcome to Microsoft Q&A platform and thanks for posting your question here.

    Azure Storage uses some intermediate certificates that are set to expire on 27th June, 2024. We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”).

    To mitigate this issue, please check with your application developer if they are using certificate pinning in the application. If yes, you can follow either of the following steps:

    1. Add the issuing certificate authorities to your trusted root store. Keep using the current intermediate certificate authorities until they’re updated. Refer to Azure Storage TLS changes: Intermediate certificate renewals - Microsoft Community Hub
    2. Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications.

    To conclude, certificate pinning is a technique used by the application developer. No extra configuration change is required from the Azure Portal.

    Please refer to:

    1. Azure Storage TLS changes: Intermediate certificate renewals - Microsoft Community Hub
    2. Azure Storage TLS: Critical changes are almost here! (…and why you should care) - Microsoft Community Hub

    Hope this helps.

    If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

    Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.

    Thanks

    1 person found this answer helpful.
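
One way to act on the accepted answer's advice to check whether an application pins certificates, as an added example (not part of the original thread and not Microsoft tooling): a small scanner that flags well-known client-side pinning hooks in source files. The sample files, host name and pin value are constructed; a hit means the code needs review, not that a pin is enforced.

```python
import re
from pathlib import Path

# Real API/option names commonly used to implement client-side pinning.
# A match is a lead for code review, not proof that a pin is enforced.
PINNING_PATTERNS = {
    "okhttp CertificatePinner": re.compile(r"\bCertificatePinner\b"),
    "android network-security-config pin-set": re.compile(r"<pin-set\b"),
    ".NET validation callback": re.compile(
        r"\bServerCertificate(?:Custom)?ValidationCallback\b"),
    "curl/libcurl pinned public key": re.compile(
        r"--pinnedpubkey\b|\bCURLOPT_PINNEDPUBLICKEY\b"),
    "node.js checkServerIdentity": re.compile(r"\bcheckServerIdentity\b"),
    # base64 of a 32-byte SHA-256 digest: 43 characters plus one '='
    "hard-coded sha256 pin": re.compile(r"sha256//?[A-Za-z0-9+/]{43}="),
}

def scan_sources(files):
    """files maps path -> text; returns sorted (path, line_no, label) hits."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for label, pattern in PINNING_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, line_no, label))
    return sorted(findings)

def scan_tree(root):
    """Scan every file under root (skipping files of 1 MB or more)."""
    files = {str(p): p.read_text(errors="ignore")
             for p in Path(root).rglob("*")
             if p.is_file() and p.stat().st_size < 1_000_000}
    return scan_sources(files)

# Constructed sample input: host name and pin value are placeholders.
SAMPLE_FILES = {
    "app/Uploader.java": (
        "CertificatePinner pinner = new CertificatePinner.Builder()\n"
        '    .add("example.blob.core.windows.net",\n'
        '         "sha256/' + "A" * 43 + '=")\n'
        "    .build();\n"),
    "scripts/backup.sh": 'curl --pinnedpubkey "$PIN" "$BLOB_URL" -o backup.bin\n',
    "app/plain_client.py": "import requests\nrequests.get(url, timeout=10)\n",
}

if __name__ == "__main__":
    for path, line_no, label in scan_sources(SAMPLE_FILES):
        print(f"{path}:{line_no}: {label}")
```

Run `scan_tree` against the repository of each client that talks to the storage account; a client with no hits relies on the platform trust store and is not the pinning case the notice describes.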

2 additional answers

  1. Ankush Gurjar 160 Reputation points
    2023-12-05T09:52:54.0966667+00:00

    Hello @SAMIT SARKAR

    Could you please elaborate more on this? That is, if I have a storage account, how should we know whether this alert affects us or not?

    Regards


  2. Low Chee Leong 1 Reputation point
    2023-12-12T03:46:39.39+00:00

    Hi all,

    I am also troubled by this alert, and below were my actions.

    Not sure if I am doing it correctly. I used Qualys (https://www.ssllabs.com/ssltest/) to check the URLs I am using in Azure that may be related to Azure Storage accounts, to see if Public Key Pinning is enabled.

    If the result shows Yes, then I believe the URL / website is using SSL pinning.

    Do correct me if I am wrong.

    Thanks and regards,
    Low
