Madhulika Ravikanti • Thanks for posting your query on Microsoft Q&A.
Azure Storage uses some intermediate certificates that are set to expire on 27th June,2024. We will be rolling out new certificates for the expiring intermediate certificates starting March 2024. Please note that this change is a part of regular maintenance where expiring intermediate certificates need to be replaced by new ones.
We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). How to check:
If your client application has pinned to following CAs, we recommend taking the following steps - Microsoft Azure TLS Issuing CA 01, Microsoft Azure TLS Issuing CA 02, Microsoft Azure TLS Issuing CA 05, Microsoft Azure TLS Issuing CA 06
- If you're an application developer, search your source code for any of the following references for the CAs that is changing or expiring mentioned in Table1 below. If there's a match and you still have a requirement to continue pinning to intermediate CAs, then to prevent disruption due to this change, update the application to include the new CAs using the table in section "Certificate Renewal Summary".
- Certificate thumbprints
- Subject Distinguished Names
- Common Names
- Serial numbers
- Public keys
- Other certificate properties
- If your client application integrates with Azure APIs or other Azure services and you're unsure if it uses certificate pinning, check with the client application vendor.
If any client application has pinned to the current intermediate CAs listed in the table below, action may be required to prevent disruption to connectivity to Azure Storage.
Action Required:
- Add the issuing intermediate CA Microsoft Azure TLS Issuing CAs to your trusted root store only if your client app pins intermediate CAs. Keep using the current intermediate CAs until the certificates are updated.
- Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications.
Additional Reading:
Please refer to more details in this post: https://learn.microsoft.com/en-gb/answers/questions/1478102/azure-storage-tls-changes-intermediate-certificate