how to find if Azure Storage services use intermediate TLS certificates

Madhulika Ravikanti 0 Reputation points Microsoft Employee
2024-01-14T11:03:11.26+00:00

How to find whether certificate pinning exists

Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.

2 answers

  1. KarishmaTiwari-MSFT 20,562 Reputation points Microsoft Employee
    2024-01-14T16:08:21.81+00:00

    Madhulika Ravikanti • Thanks for posting your query on Microsoft Q&A.

    Azure Storage uses some intermediate certificates that are set to expire on 27th June, 2024. We will be rolling out new certificates for the expiring intermediate certificates starting March 2024. Please note that this change is a part of regular maintenance where expiring intermediate certificates need to be replaced by new ones.

    We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”).

    How to check:

    If your client application has pinned to the following CAs, we recommend taking the following steps - Microsoft Azure TLS Issuing CA 01, Microsoft Azure TLS Issuing CA 02, Microsoft Azure TLS Issuing CA 05, Microsoft Azure TLS Issuing CA 06

    • If you're an application developer, search your source code for any of the following references to the CAs that are changing or expiring, mentioned in Table 1 below. If there's a match and you still have a requirement to continue pinning to intermediate CAs, then to prevent disruption due to this change, update the application to include the new CAs using the table in section "Certificate Renewal Summary".
      • Certificate thumbprints
      • Subject Distinguished Names
      • Common Names
      • Serial numbers
      • Public keys
      • Other certificate properties 
    • If your client application integrates with Azure APIs or other Azure services and you're unsure if it uses certificate pinning, check with the client application vendor.

    If any client application has pinned to the current intermediate CAs listed in the table below, action may be required to prevent disruption to connectivity to Azure Storage.

    Action Required:

    • Add the issuing intermediate CA Microsoft Azure TLS Issuing CAs to your trusted root store only if your client app pins intermediate CAs. Keep using the current intermediate CAs until the certificates are updated. 
    • Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications. 

    Additional Reading:

    https://techcommunity.microsoft.com/t5/azure-storage-blog/azure-storage-tls-changes-intermediate-certificate-renewals/ba-p/3929149#:~:text=prevent%20connection%20interruption

    Please refer to more details in this post: https://learn.microsoft.com/en-gb/answers/questions/1478102/azure-storage-tls-changes-intermediate-certificate

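The source-code search described in the answer above can be scripted. This is an added example, not part of either answer or of any Microsoft tooling: it looks for the four CA common names named in the answer and goes slightly further by accepting extra indicators (thumbprints, serial numbers) that you supply yourself. The function names and the `deadbeef0011` thumbprint are hypothetical, and the sample files are constructed.

```python
import os
import re
import tempfile

# Common names of the expiring intermediates, as listed in the answer above.
PINNED_CA_NAMES = [f"Microsoft Azure TLS Issuing CA {n}" for n in ("01", "02", "05", "06")]

def normalize(text):
    """Lowercase and drop whitespace, ':' and '-' so 'AB:CD ef' equals 'abcdef'."""
    return re.sub(r"[\s:\-]", "", text).lower()

def scan_tree(root, extra_indicators=(), max_bytes=2_000_000):
    """Return sorted (path, line_no, indicator) hits for files under root."""
    needles = [(i, normalize(i)) for i in [*PINNED_CA_NAMES, *extra_indicators] if normalize(i)]
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip large binaries and archives
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    lines = fh.readlines()
            except OSError:
                continue  # unreadable file or broken symlink
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for line_no, line in enumerate(lines, start=1):
                flat = normalize(line)
                hits += [(rel, line_no, label) for label, needle in needles if needle in flat]
    return sorted(hits)

def demo():
    """Scan a constructed three-file tree; the thumbprint is a made-up placeholder."""
    samples = {
        "config/tls.yaml": 'tls:\n  pinned_issuer: "CN=Microsoft Azure TLS Issuing CA 05"\n',
        "src/client.py": 'PIN_SHA1 = "DE:AD:BE:EF:00:11"\n',
        "README.md": "Uses the system trust store.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, extra_indicators=["deadbeef0011"])

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A hit only shows that a file references one of the indicators; pins stored as hashed public keys or inside binary certificate stores match only if you pass the corresponding value in `extra_indicators` or inspect those stores separately.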

  2. Salah 251 Reputation points
    2024-01-14T16:17:57.61+00:00

    Hi @Madhulika Ravikanti

    Azure Storage uses some intermediate certificates that are set to expire on 27th June, 2024. Microsoft expects that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”).

    To mitigate this issue, please check with your application developer if they are using certificate pinning in the application. If yes, you can follow either of the following steps:

    1. Add the issuing certificate authorities to your trusted root store. Keep using the current intermediate certificate authorities until they’re updated. Refer to Azure Storage TLS changes: Intermediate certificate renewals - Microsoft Community Hub
    2. Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications.

    Please refer to:

    1. Azure Storage TLS changes: Intermediate certificate renewals - Microsoft Community Hub
    2. Azure Storage TLS: Critical changes are almost here! (…and why you should care) - Microsoft Community Hub
    3. https://learn.microsoft.com/en-us/answers/questions/894238/azure-certificate-pinning-update