If you use certificate pinning, update your trusted root store for Azure Storage services by 29 February 2024

Akshay Buche (Infosys Ltd) 20 Reputation points Microsoft Vendor

Hello Team. A couple of weeks back we received an email regarding certificate pinning on Azure Storage, in which 2 of our subscriptions were tagged. We wanted to understand how those subscriptions were tagged, which storage accounts could be impacted, and what the mitigation action could be. Could you please help me understand more about it? As per our understanding we are not using any certificate pinning; we followed the documentation available here to validate the certificate thumbprints: https://techcommunity.microsoft.com/t5/azure-storage-blog/azure-storage-tls-changes-intermediate-certificate-renewals/ba-p/3929149#:~:text=prevent%20connection%20interruption).-,How%20to%20check,-If%20your%20client.-,How%20to%20check,-If%20your%20client cc: sumanth.marigowda@microsoft.com


Accepted answer
  1. Sumarigo-MSFT 42,676 Reputation points Microsoft Employee

    @Akshay Buche (Infosys Ltd) Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    You're receiving this notice because you use Azure Storage services.

    What service is connecting to the Azure Storage service: is it through an Azure VM or your applications? This change does not impact the root CA certificates, which are not changing. If you are pinning only against the root CA, no action should be required. Pinning sub CAs is very rare; almost all applications that choose to use certificate pinning pin the root CA only.

    Many Azure Storage services use intermediate TLS certificates that are set to expire in June 2024. In preparation, we'll begin rolling out updates in March for these expiring certificates in Blob Storage, Azure Files, Table Storage, Queue Storage, static websites, and Data Lake Storage Gen2 in the public Azure cloud and US Government cloud. If you have client applications that still use certificate pinning, they'll be affected by this change and you'll need to take action by 29 February 2024 to avoid potential connection interruptions. Certificate pinning (when client applications explicitly specify a list of acceptable certificate authorities) is no longer a best practice.

    Required action: If you have client applications that have pinned to intermediate certificate authorities, take one of these actions by 29 February 2024 to prevent interruptions to your connections:

    • **Add the issuing certificate authorities** to your trusted root store. Keep using the current intermediate certificate authorities until they're updated.
    • Or, to avoid the effects of this update and future certificate updates, discontinue certificate pinning in your applications.

    To conclude, certificate pinning is a technique used by the application developer. There is no extra configuration change required from the Azure Portal. Please refer:

    1. Azure Storage TLS changes: Intermediate certificate renewals - Microsoft Community Hub
    2. Azure Storage TLS: Critical changes are almost here! (…and why you should care) - Microsoft Community Hub

    Typically, an application contains a list of authorized certificates or properties of certificates including Subject Distinguished Names, thumbprints, serial numbers, and public keys. Applications may pin against individual leaf or end-entity certificates, subordinate CA certificates, or even Root CA certificates.

    You need to verify with your application developer whether the application or the networking infrastructure (check with your network team) has pinned to any of the certificates listed below. If your application explicitly specifies a list of acceptable CAs, you may periodically need to update pinned certificates when Certificate Authorities change or expire. To detect certificate pinning, we recommend taking the following steps:

    • If you have the application developer, search your source code for any of the following references for the CA that is changing or expiring. If there's a match, update the application to include the missing CAs.
      ◦ Certificate thumbprints
      ◦ Subject Distinguished Names
      ◦ Common Names
      ◦ Serial numbers
      ◦ Public keys
      ◦ Other certificate properties
    • If you have an application that integrates with Azure APIs or other Azure services and you're unsure if it uses certificate pinning, check with the application vendor.

    Please let us know if you have any further queries. I’m happy to assist you further.

    ---Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
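The "search your source code" step in the accepted answer can be automated with a heuristic scanner. The following is an added example for this thread, not Microsoft's or Azure Storage's code: it looks for the certificate properties the answer lists (thumbprints, subject Distinguished Names, common names, serial numbers, public-key pins) across a set of source files and then compares any values it finds against a list of the CA values that are being replaced. The sample files are constructed for the demo, and KNOWN_CA_VALUES is a placeholder; in real use you would fill it with the thumbprints and serial numbers from the Microsoft notice.

```python
"""Heuristic scan of application source for certificate-pinning indicators.

Added example for this thread (not Microsoft's or Azure Storage's code). It
automates the "search your source code" step from the answer by looking for
the certificate properties listed there. Every sample file below is constructed
for the demo; KNOWN_CA_VALUES is a placeholder list, not the thumbprints of the
real Azure Storage intermediate CAs.
"""
import re
from typing import Dict, List

# (label, regex) pairs for the certificate properties the answer lists.
# Each regex exposes the pinned value in a named group so it can be compared.
PIN_PATTERNS = [
    ("thumbprint (SHA-1)", re.compile(r"\b(?P<value>[0-9A-Fa-f]{40})\b")),
    ("thumbprint (SHA-256)", re.compile(r"\b(?P<value>[0-9A-Fa-f]{64})\b")),
    # HPKP-style pin: base64 SHA-256 of the SubjectPublicKeyInfo (43 chars + '=')
    ("public key pin", re.compile(r'pin-sha256="?(?P<value>[A-Za-z0-9+/]{43}=)')),
    ("subject DN", re.compile(r"(?P<value>\bCN=[^,\"']+,\s*(?:O|OU)=[^\"']*)")),
    ("common name", re.compile(
        r"(?i)\b(?:issuer|subject|common_?name|cn)\s*==?\s*[\"'](?P<value>[^\"']+)[\"']")),
    ("serial number", re.compile(
        r"(?i)\bserial(?:_?number)?\s*[:=]\s*[\"']?(?:0x)?(?P<value>[0-9A-F]{16,})")),
]

# PLACEHOLDER: values of the CA certificates being replaced (from the notice).
KNOWN_CA_VALUES = ["3FD2B5C5F8B4A2F9E0C1D7A6B8E9F0A1B2C3D4E5"]

# Constructed sample sources standing in for a real code base.
SAMPLE_SOURCES: Dict[str, str] = {
    "storage_client.py": (
        '# Constructed sample: pins the leaf or intermediate thumbprint\n'
        'EXPECTED_THUMBPRINT = "3fd2b5c5f8b4a2f9e0c1d7a6b8e9f0a1b2c3d4e5"\n'
        'def verify(cert):\n'
        '    return cert.thumbprint == EXPECTED_THUMBPRINT\n'
    ),
    "tls_pins.conf": (
        '# Constructed sample: HPKP-style public key pin\n'
        'Public-Key-Pins: pin-sha256="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ="; max-age=5184000\n'
    ),
    "CertValidator.cs": (
        '// Constructed sample: pins the issuing (intermediate) CA by subject DN and serial\n'
        'private const string IssuerDn = "CN=Example Issuing CA 01, O=Example Corp, C=US";\n'
        'private const string Serial = "0A1B2C3D4E5F60718293A4B5";\n'
        'bool Ok(X509Certificate2 c) => c.Issuer == IssuerDn && c.Subject == "CN=*.example.invalid";\n'
    ),
    "uses_system_store.py": (
        '# Constructed sample: no pinning, relies on the platform trust store\n'
        'import ssl\n'
        'ctx = ssl.create_default_context()\n'
    ),
}


def scan_source(name: str, text: str) -> List[dict]:
    """Return one finding per (line, pattern) hit: file, line, kind and pinned value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PIN_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"file": name, "line": lineno,
                                 "kind": label, "value": m.group("value")})
    return findings


def scan_all(sources: Dict[str, str]) -> List[dict]:
    """Scan every file in the mapping and concatenate the findings."""
    out: List[dict] = []
    for name, text in sources.items():
        out.extend(scan_source(name, text))
    return out


def _normalize(value: str) -> str:
    """Upper-case and drop separators so thumbprints and serials compare reliably."""
    return re.sub(r"[^0-9A-Z]", "", value.upper())


def matches_known(findings: List[dict], known_values: List[str]) -> List[dict]:
    """Findings whose pinned value is one of the CA values being replaced."""
    known = {_normalize(v) for v in known_values}
    return [f for f in findings if _normalize(f["value"]) in known]


if __name__ == "__main__":
    results = scan_all(SAMPLE_SOURCES)
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['kind']} -> {f['value']}")
    for f in matches_known(results, KNOWN_CA_VALUES):
        print(f"UPDATE NEEDED: {f['file']}:{f['line']} pins a CA value that is changing")
```

A hit from the scanner is a lead, not proof: a thumbprint in a test fixture or a DN in a log-parsing routine is harmless, so each finding still needs a look at how the value is used. Conversely, the regexes will not catch pins stored outside the source tree (a certificate bundle on disk, a load balancer or proxy policy), which is why the answer also tells you to check with the network team and application vendors.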
