Azure Storage TLS changes: Intermediate certificate renewals

Mohit Pathak 25 Reputation points
2024-01-03T10:47:31.1966667+00:00

This is in regard to the information available here:
https://techcommunity.microsoft.com/t5/azure-storage-blog/azure-storage-tls-changes-intermediate-certificate-renewals/ba-p/3929149

We're currently utilizing Remote Desktop Services to provide access to our application to our users in the form of an RDP icon.

I do see these intermediate certificates mentioned under the certification manager:
Microsoft Azure TLS Issuing CA 01, Microsoft Azure TLS Issuing CA 02, Microsoft Azure TLS Issuing CA 05, Microsoft Azure TLS Issuing CA 06

I wanted to know whether this will affect our RDS setup in any way. [I don't see any connections at my RDS environment with Azure storage services directly]
If yes, what should be done from our end to ensure there are no disruptions later on?

  1. KarishmaTiwari-MSFT 20,822 Reputation points Microsoft Employee Moderator
    2024-01-04T13:15:16.42+00:00

    Mohit Pathak Are you using certificate pinning? Do you have any client applications that integrate with Azure API or other Azure services? Check with the client application vendor whether they use certificate pinning.

    More information about certificate pinning: https://learn.microsoft.com/en-us/azure/security/fundamentals/certificate-pinning

    Azure Storage uses some intermediate certificates that are set to expire on 27th June, 2024. We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”).

    To mitigate this issue, please check with your application developer if they are using certificate pinning in the application. If yes, you can follow either of the following steps: (1) Add the issuing certificate authorities to your trusted root store. (2) Keep using the current intermediate certificate authorities until they’re updated.

    Refer to Azure Storage TLS changes: Intermediate certificate renewals - Microsoft Community Hub

    Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications. This change should not impact Azure portal and how it connects to storage. To conclude, certificate pinning is a technique used by the application developer. There is no need for extra configuration changes from the Azure portal.

    Additional reading: Azure Storage TLS changes: Intermediate certificate renewals - Microsoft Community Hub

    Azure Storage TLS: Critical changes are almost here! (…and why you should care) - Microsoft Community Hub

    Refer to this answer here for more details- Source: https://learn.microsoft.com/en-gb/answers/questions/1478102/azure-storage-tls-changes-intermediate-certificate
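
One way to run the pinning check the answer recommends, as an added example that is not part of the original answer or any Microsoft tooling: a small Python scan of application config or source text for the intermediate CA names listed in the question and for hard-coded certificate fingerprints. The matching heuristics, the function name and the sample config (including its thumbprint and host name) are constructed assumptions.

```python
import re

# Intermediate CA names as listed in the question on this page.
EXPIRING_INTERMEDIATES = (
    "Microsoft Azure TLS Issuing CA 01",
    "Microsoft Azure TLS Issuing CA 02",
    "Microsoft Azure TLS Issuing CA 05",
    "Microsoft Azure TLS Issuing CA 06",
)

# Heuristics (assumptions): a bare 40-hex (SHA-1) or 64-hex (SHA-256) string
# is treated as a possible pinned fingerprint; "sha256/<base64>" as an SPKI pin.
# Other 40-hex values (for example commit ids) will also match and need review.
HEX_PIN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{64}|[0-9A-Fa-f]{40})(?![0-9A-Fa-f])")
SPKI_PIN = re.compile(r"sha256/[A-Za-z0-9+/]{43}=")


def find_pinning_indicators(text):
    """Return (line_number, kind, value) for each pinning indicator in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        for name in EXPIRING_INTERMEDIATES:
            if name.lower() in lowered:
                findings.append((number, "intermediate-ca-name", name))
        for match in HEX_PIN.finditer(line):
            findings.append((number, "hex-fingerprint", match.group(0)))
        for match in SPKI_PIN.finditer(line):
            findings.append((number, "spki-pin", match.group(0)))
    return findings


# Constructed sample input: not a real configuration, host or thumbprint.
SAMPLE_CONFIG = """\
<appSettings>
  <add key="StorageEndpoint" value="https://storage.example.invalid" />
  <add key="AllowedIssuer" value="CN=Microsoft Azure TLS Issuing CA 05" />
  <add key="PinnedThumbprint" value="0123456789ABCDEF0123456789ABCDEF01234567" />
  <add key="Timeout" value="30" />
</appSettings>
"""

if __name__ == "__main__":
    for number, kind, value in find_pinning_indicators(SAMPLE_CONFIG):
        print(f"line {number}: {kind}: {value}")
```

Any hit is a lead for the application vendor or developer to confirm, not proof of pinning; an empty result on config files does not rule out pins compiled into a binary.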
