How can I control if we use certificate pinning, and update them for Azure Storage services

SelamiSuba-6021 0 Reputation points
2023-12-20T12:41:18.89+00:00

MS sent us the below notice (how can I manage this?):
If you use certificate pinning, update your trusted root store for Azure Storage services by 29 February 2024

If you have client applications that still use certificate pinning, they'll be affected by this change and you'll need to take action by 29 February 2024 to avoid potential connection interruptions. Certificate pinning—when client applications explicitly specify a list of acceptable certificate authorities—is no longer a best practice.

Required action

If you have client applications that have pinned to intermediate certificate authorities, take one of these actions by 29 February 2024 to prevent interruptions to your connections:

  • Add the issuing certificate authorities to your trusted root store. Keep using the current intermediate certificate authorities until they're updated.
  • Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications.
1 answer

  Sumarigo-MSFT 47,486 Reputation points Microsoft Employee
    2023-12-21T06:25:02.44+00:00

    @SelamiSuba-6021 Welcome to Microsoft Q&A Forum, and thank you for posting your query here!

    What service is connecting to Azure storage service - is it through the Azure VM or your applications? This change does not impact the root CA certificates, which are not changing. If you are pinning only against the Root CA, no action should be required. Pinning sub CAs is very rare, and almost all applications that choose to use cert pinning pin the root CA only.

    This change should not impact Azure portal and how it connects to storage. For more information about how to address cert pinning in your own application, you can refer to https://learn.microsoft.com/en-us/azure/security/fundamentals/certificate-pinning#how-to-address-certificate-pinning-in-your-application

    Typically, an application contains a list of authorized certificates or properties of certificates including Subject Distinguished Names, thumbprints, serial numbers, and public keys. Applications may pin against individual leaf or end-entity certificates, subordinate CA certificates, or even Root CA certificates.

    You need to verify with your application developer whether the application or the networking infrastructure (check with your network team) has pinned to any of the certificates listed below.

    If your application explicitly specifies a list of acceptable CAs, you may periodically need to update pinned certificates when Certificate Authorities change or expire. To detect certificate pinning, we recommend taking the following steps:

    • If you have the application developer, search your source code for any of the following references for the CA that is changing or expiring. If there's a match, update the application to include the missing CAs.
      • Certificate thumbprints
      • Subject Distinguished Names
      • Common Names
      • Serial numbers
      • Public keys
      • Other certificate properties
    • If you have an application that integrates with Azure APIs or other Azure services and you're unsure if it uses certificate pinning, check with the application vendor.

    Please let us know if you have any further queries. I’m happy to assist you further. 


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
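One way to carry out the source search the answer describes (thumbprints, Common Names, serial numbers, public-key pins), written as an added example and not taken from Microsoft's documentation or the original post. The CA identifiers and the client snippet it scans are constructed placeholders, not real Azure CA data.

```python
import re
from dataclasses import dataclass
# Identifiers of the CA that is changing, as published in the provider's notice.
# All values below are CONSTRUCTED placeholders, not real Azure CA data.
CHANGING_CA = {
    "thumbprint": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",  # SHA-1 hex
    "common_name": "Example Intermediate CA 01",
    "serial": "3f00a7c2",
    "spki_pin": "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",  # public-key pin
}
# Constructed client source that pins certificates; this is what gets searched.
SAMPLE_SOURCE = """\
// client config (constructed example)
const TRUSTED_THUMBPRINTS = [
  "A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:12:34:56:78",
  "0000000000000000000000000000000000000000",
];
const PINS = ["sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="];
const ISSUER = "CN=Example Intermediate CA 01, O=Example Org";
const ISSUER_SERIAL = "3F00A7C2";
"""
HEX_PAIR_COLON = re.compile(r"(?<=[0-9a-fA-F]{2}):(?=[0-9a-fA-F]{2})")
PATTERNS = {  # property name -> how it tends to appear in source
    "thumbprint": re.compile(r"\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b"),  # SHA-1 / SHA-256
    "spki_pin": re.compile(r"sha256/[A-Za-z0-9+/]{43}="),                 # HPKP-style pin
    "common_name": re.compile(r"CN=([^,\"'\n]+)"),                          # subject DN
}
@dataclass
class Finding:
    line_no: int
    kind: str       # which certificate property was found
    value: str
    affected: bool  # True if it identifies the CA that is changing

def scan_source(source: str, ca: dict) -> list[Finding]:
    """Return every pinning indicator in `source`, flagged when it names the changing CA."""
    findings = []
    for line_no, raw in enumerate(source.splitlines(), 1):
        line = HEX_PAIR_COLON.sub("", raw)  # "A1:B2:..." -> "A1B2..." so one pattern fits
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(line_no, kind, value, value.lower() == ca[kind].lower()))
        if ca["serial"].lower() in line.lower():  # serials vary in length: exact match only
            findings.append(Finding(line_no, "serial", ca["serial"], True))
    return findings

def affected_lines(source: str, ca: dict) -> list[int]:
    """Source lines that must be updated (or have pinning removed) before the CA changes."""
    return sorted({f.line_no for f in scan_source(source, ca) if f.affected})
```

A thumbprint that does not belong to the changing CA (line 4 of the sample) is still reported, since any pin will need the same review at the next rotation.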

