@Lucas Soares Thanks for posting your query on Microsoft Q&A.
We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”).
If any client application has pinned to the root CA Baltimore CyberTrust Root or current intermediate CAs listed in the table below, immediate action is required to prevent disruption to connectivity to Azure Storage.
Action Required:
- If your client application has pinned to the Baltimore CyberTrust Root CA, in addition to Baltimore, add the DigiCert Global Root G2 to your trusted root store before February 2022.
- If your client application has pinned to the intermediate CAs, in addition to Microsoft RSA TLS CAs, add the Microsoft Azure TLS Issuing CAs to your trusted root store before February 2022.
- Keep using the current root or intermediate CAs in your applications or devices until the transition period is completed (necessary to prevent connection interruption).
- Make sure SHA384 for Server certificate processing is enabled on the device.
How to check:
If your client application has pinned to
- Root CA: Baltimore CyberTrust Root CA or,
- Intermediate CA: Microsoft RSA TLS CA 01
- Intermediate CA: Microsoft RSA TLS CA 02
- Intermediate CA: Microsoft Azure TLS Issuing CA 01
- Intermediate CA: Microsoft Azure TLS Issuing CA 02
- Intermediate CA: Microsoft Azure TLS Issuing CA 05
- Intermediate CA: Microsoft Azure TLS Issuing CA 06
then search your source code for the thumbprint, Common Name, and other cert properties of any of the root CA or intermediate CAs. If there is a match, then your application will be impacted and immediate action is required.
In your scenario, it's the right step to check with the third-party software provider to understand how they handle certificate validation. If they rely on Azure Storage services, they should be aware of these changes. If the third-party tool explicitly pins certificates, ensure it supports the updated certificates. If not, you may need to adjust the configuration.
Also, monitor your backups after the certificate update to ensure seamless functionality.
If you have questions, please let me know in the "comments" and we would be happy to help you. Commenting is the fastest way of notifying the experts. Please don’t forget to Accept Answer and hit Yes for "was this answer helpful" wherever the information provided helps you; this can be beneficial to other community members for remediation of similar issues.
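The "How to check" search described in the answer above, as an added example that is not part of the original answer and is not Microsoft tooling: it scans a source tree for the listed Common Names and for thumbprints in any separator style, then reports which replacement CAs are still missing. The function names, the sample files and the thumbprint value are constructed for illustration; the answer lists no thumbprints, so real ones must come from the CA certificates themselves.

```python
import re, tempfile
from pathlib import Path

# Common Names from the answer above; each old CA needs its replacement pinned alongside it.
ROOT_OLD, ROOT_NEW = "Baltimore CyberTrust Root", "DigiCert Global Root G2"
INT_OLD = [f"Microsoft RSA TLS CA {n}" for n in ("01", "02")]
INT_NEW = [f"Microsoft Azure TLS Issuing CA {n}" for n in ("01", "02", "05", "06")]
# Constructed placeholder: the answer lists no thumbprints, so supply the real ones yourself.
THUMBPRINTS = {"00112233445566778899aabbccddeeff00112233": ROOT_OLD}

def pins_in_text(text):
    """Return the listed CAs referenced by Common Name or by thumbprint."""
    lowered = text.lower()
    found = {n for n in [ROOT_OLD, ROOT_NEW, *INT_OLD, *INT_NEW] if n.lower() in lowered}
    # Thumbprints are written as AA:BB:.., "AA BB .." or aabb..; compare with separators removed.
    compact = re.sub(r"[\s:-]", "", lowered)
    return found | {ca for tp, ca in THUMBPRINTS.items() if tp in compact}

def assess(found):
    """CAs still to add: an old pin without the replacement named in the answer."""
    missing = [ROOT_NEW] if ROOT_OLD in found and ROOT_NEW not in found else []
    if any(n in found for n in INT_OLD):
        missing += [n for n in INT_NEW if n not in found]
    return missing

def scan_tree(root):
    """Map each file that references a listed CA to (pins found, CAs still to add)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            found = pins_in_text(path.read_text(encoding="utf-8", errors="ignore"))
            if found:
                report[str(path.relative_to(root))] = (sorted(found), assess(found))
    return report

def demo():
    """Scan a constructed sample tree: one pin by name, one by placeholder thumbprint."""
    samples = {
        "tls.cfg": 'issuers = ["Microsoft RSA TLS CA 01", "Microsoft Azure TLS Issuing CA 01"]',
        "client.py": 'ROOT_PIN = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"',
        "readme.txt": "no certificate settings here",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            Path(d, name).write_text(body, encoding="utf-8")
        return scan_tree(d)

if __name__ == "__main__":
    for path, (found, missing) in sorted(demo().items()):
        print(f"{path}: pins {found}; still to add: {missing or 'nothing'}")
```

A text search like this only finds pins that live in source or configuration files; pins compiled into a third-party binary or held in a device trust store still need the vendor check the answer recommends.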