Root and intermediate certificates for OAUTH 2.0 with Azure AD

MSG160 1 Reputation point
2020-07-08T11:57:07.007+00:00

Hi,

We have a front-end that uses OAUTH2 (OpenID Connect) with Azure. We use both v1 and v2 endpoints.

In our application database (Oracle), we need to ensure that we have loaded in all the certificates so we can establish a connection to do the token exchange.

Our application has been using the following root and intermediate certificate for a while:

Baltimore CyberTrust Root

  • Microsoft IT TLS CA 4

Recently we could not connect as the service presented Microsoft IT TLS CA 1 as the issuer certificate.

We ended up loading the following:

Baltimore CyberTrust Root

  • Microsoft IT TLS CA 1
  • Microsoft IT TLS CA 2
  • Microsoft IT TLS CA 4
  • Microsoft IT TLS CA 5

That worked for a while, but then suddenly the issuer switched and we were required to have the following:

DigiCert Global Root CA

  • DigiCert SHA2 Secure Server CA

Does anyone know where I can get a list of all the possible root and intermediate certificates that may be presented, and the reasons why this tends to change from time to time?

Thanks


1 answer

Shashi Shailaj 7,581 Reputation points Microsoft Employee
2020-07-14T17:45:12.51+00:00

Hello @MSG160-0831,

The certificate may change for multiple reasons. It may be expiry or revocation by the certificate authority, or it could be any other reason which we may not have control over. I am not aware of any CA certificate list for root and intermediate CAs specific to our OAuth endpoint (login.microsoftonline.com or sts.windows.net) for the identity system. However, I would recommend adding the CA certificates from the Microsoft Trusted Root Certificate Program. It provides a download of an STL cabinet file containing a trusted list. The list may have information on revoked certificates as well, hence you may need to review it while importing on a machine to test more. You can download the same at https://aka.ms/CTLDownload. The list of trusted root participants is found online here, and you can view and download the current list in either CSV/XML format. In all probability Azure will always use issuer certificates from one of the Microsoft trusted root CA partners as listed on the page.

Whenever a certificate from this list is deprecated by the certification authority, they inform Microsoft and we release the updated deployment notice on the trust program site. Office 365 also uses certificates from issuers in this list. They have a section in the Microsoft 365 documentation which explains the different certificate providers that Office 365 uses. You can download the certificates as a P7B root cert bundle from the linked page, which is the most up-to-date information on certificates used on the Microsoft 365 side, including but not limited to many other services like Microsoft Graph and Azure AD. Since the infrastructure is tied together, you may find the same certificate used for most endpoints if you check the subject alternative name on most of these services.

The lists I have mentioned above are updated regularly. I am not aware of any programmatic access to these which you can use to set up some kind of automation for your use case, but the Common CA Database can be used, and the Microsoft Included CA Certificate List page can be parsed using an HTTP call, and the CA certificate list could be generated on your side by downloading the CRT files listed on the page for trusted CAs. I hope the information provided would be sufficient for your use case. If the information provided is useful, please do accept the post as the answer. In case you have any residual queries, please feel free to let us know and we will be happy to help further.

Thank you.

1 person found this answer helpful.