Azure Blob Storage and Certificate pinning

Question

Hi, I'm using Azure.Storage.Blobs C# library to connect to Azure Blob Storage using the connection string provided by the Blob Storage account. I'd like to ask if the library uses any certificate pinning, if not straight forward, then "behind the scenes". This question rose after the "If you use certificate pinning, update your trusted root store for Azure Storage services" email from Microsoft. Thanks.

Answer 1

Welcome to Microsoft Q&A platform and thanks for posting your question here. The Azure.Storage.Blobs C# library does not use certificate pinning by default. Certificate pinning is a security technique where only authorized, or pinned, certificates are accepted when establishing a secure session. Any attempt to establish a secure session using a different certificate is rejected. If you're using certificate pinning in your application, you would typically have a list of authorized certificates or properties of certificates including Subject Distinguished Names, thumbprints, serial numbers, and public keys. You might need to periodically update pinned certificates when Certificate Authorities change or expire. If you're unsure if your application uses certificate pinning, you can search your source code for any references for the CA that is changing or expiring. If there's a match, update the application to include the missing CAs. In the case of the Azure.Storage.Blobs C# library, you would typically create a BlobServiceClient object authorized using DefaultAzureCredential. This does not involve certificate pinning. However, if you have implemented certificate pinning in your application, you would need to manage it yourself. If you're unsure, it might be best to check your application's source code or consult with your development team. Hope this helps. Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue. Thanks