Azure Instance Metadata Service Attested data certificate changes FAQ

KarishmaTiwari-MSFT 18,352 Reputation points Microsoft Employee
2022-06-06T23:16:34.657+00:00

Hello Azure Customers in the community,

Microsoft uses TLS certificates from the set of Root Certificate Authorities (CAs) that adhere to the CA/Browser Forum Baseline Requirements. Microsoft is updating Azure services in a phased manner to use TLS certificates from a different set of Certificate Authorities (CAs). We expect that most Azure Instance Metadata Service Attested data customers will not be impacted. However, immediate action is required if you are impacted.

Please see a list of frequently asked questions in the response below and add your questions as comments.


5 answers

  1. KarishmaTiwari-MSFT 18,352 Reputation points Microsoft Employee
    2022-06-06T23:18:38.13+00:00

    Please read the following carefully to determine the impact to you.

    • Who will be impacted?

    If you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”) in Azure instance metadata service attested data, you are impacted.

    • When did the TLS certificates change happen?

    For Instance Metadata Service attested data, it will begin July 1st, 2022.

    • What is the scope of the TLS certificates change?

    This change is limited to services in public Azure cloud and US Government cloud. There are no changes in other sovereign clouds like Azure China.

    • How do I know whether my applications are impacted?

    If any client application has pinned to an Intermediate CA rather than the Baltimore CyberTrust Root, immediate action is required to prevent disruption in the services which rely on Azure Instance metadata service.

    If you have an application that integrates with Azure services, or if you get your VM images from Azure marketplace, and you are unsure if it uses certificate pinning with Azure Instance Metadata Service Attested data, check with the application/image owner.

    Determine the change in your code:

    • Check if your client application has been pinned to

    • Root CA: Baltimore CyberTrust Root CA or,
    • Intermediate CA: Microsoft RSA TLS CA 01
    • Intermediate CA: Microsoft RSA TLS CA 02

    Certificate Renewal Summary can be found in this article Azure Instance Metadata Service-Attested data TLS: Critical changes are here! - Microsoft Tech Community.

    • If your client application has been pinned to the above certificates, then search your source code for the thumbprint, Common Name, and other cert properties of any of the root CA or intermediate CAs.
    • If there is a match, then your application will be impacted and immediate action is required.

    Action Required

    • To continue without disruption due to this change, Microsoft recommends that client applications or devices trust the root CA – DigiCert Global Root G2 (Thumbprint: df3c24f9bfd666761b268073fe06d1cc8d4f82a4)
    • Intermediate certificates are expected to change more frequently than the root CA. Customers who use certificate pinning are recommended NOT to take dependencies on them and instead pin to the root certificate, as it rolls less frequently.
    • If you are currently pinning to the intermediate CAs and have a requirement to continue pinning to intermediate CAs, to prevent disruption due to this change, you should update the source code to add the intermediate Microsoft Azure TLS Issuing CAs listed in the table below to the trusted store.
    • To prevent future disruption, you should also add the following roots to the trusted store. This will save you from the allow list effort in the near future if you add the recommended root CAs now:

    DigiCert Global Root G3
    (Thumbprint: 7e04de896a3e666d00e687d33ffad93be83d349e)
    Microsoft RSA Root Certificate Authority 2017
    (Thumbprint: 73a5e64a3bff8316ff0edccc618a906e4eae4d74)
    Microsoft ECC Root Certificate Authority 2017
    (Thumbprint: 999a64c37ff47d9fab95f14769891460eec4c3c5)

    Note: If you have a requirement to pin to intermediate CAs, to prevent future disruption, you should also add the intermediate Microsoft Azure ECC TLS CAs listed in the table to the trusted store.

    • It is also recommended to create a fallback logic with the certificate pinning process to minimize the future impact of certificate changes.

    Additional Information:

    For details of the certificate renewal, including the list of certificates being rolled out and related actions, see Azure Instance Metadata Service-Attested data TLS: Critical changes are here! - Microsoft Tech Community.

    6 people found this answer helpful.

  2. NinaK-msft 61 Reputation points Microsoft Employee
    2022-06-18T01:44:36.837+00:00
    4 people found this answer helpful.

  3. NinaK-msft 61 Reputation points Microsoft Employee
    2022-06-17T01:32:43.673+00:00
    2 people found this answer helpful.

  4. NinaK-msft 61 Reputation points Microsoft Employee
    2022-06-29T21:52:56.033+00:00

    How is Instance metadata service attested data used?
    Attested data offers the information to validate whether the current VM instance is running on Azure.
    It is usually used for compliance/licensing-related validation by a provider that offers a VM image or application on Azure.
    Check this for more details.

    How do I know if I own code that is pinned to the certificate of Instance metadata service attested data?
    Image and application providers who leverage certificate pinning are responsible for monitoring the certificate update information/notifications and taking proper actions.
    If you don’t own any image or application that is pinned to attested data certs for instance metadata service, you can ignore the notifications.

    If you want to validate whether your code is accessing Attested data, search whether you have code accessing “http://169.254.169.254/metadata/attested”.
    To confirm whether you have pinned to the Attested data certificates, search your source code for a cert property, such as the thumbprint, of the root CA or intermediate CAs for Attested data.
    In addition, to validate whether there is an application accessing IMDS/Attested data on your VM, leverage network tracing and process monitoring tools to track processes that are accessing the “http://169.254.169.254/metadata/attested” endpoint.

    1 person found this answer helpful.
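    As an added example (not code from this thread or from Microsoft), the source-code search that answer 1 ("Determine the change in your code") and answer 4 describe, written as a small audit script: it flags file contents that reach the attested endpoint and reference a retiring CA name, or that pin a thumbprint outside the recommended root set. The CA names, thumbprints and endpoint are the ones quoted in the answers; the function names and the sample snippet are my own constructions.

```python
import re

# Endpoint quoted in answer 4 (a URL assembled from pieces will not match this literal).
ATTESTED_ENDPOINT = "169.254.169.254/metadata/attested"

# CA names being rolled out of the Attested data chain, as listed in answer 1.
RETIRING_CA_NAMES = ("Baltimore CyberTrust Root", "Microsoft RSA TLS CA 01", "Microsoft RSA TLS CA 02")

# Roots answer 1 recommends pinning to, keyed by SHA-1 thumbprint (values copied from the answer).
RECOMMENDED_ROOTS = {
    "df3c24f9bfd666761b268073fe06d1cc8d4f82a4": "DigiCert Global Root G2",
    "7e04de896a3e666d00e687d33ffad93be83d349e": "DigiCert Global Root G3",
    "73a5e64a3bff8316ff0edccc618a906e4eae4d74": "Microsoft RSA Root Certificate Authority 2017",
    "999a64c37ff47d9fab95f14769891460eec4c3c5": "Microsoft ECC Root Certificate Authority 2017",
}

# 40 hex digits, optionally written as colon- or space-separated byte pairs (common thumbprint spellings).
THUMBPRINT_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}[: ]?){20}\b")

def audit_source(text: str) -> dict:
    """Scan one file's contents for the indicators the answers say to search for."""
    lowered = text.lower()
    # Normalise each match (lower-case, separators dropped) so 'DF:3C:...' and 'df3c...' compare equal.
    found = {re.sub(r"[^0-9a-f]", "", m.group(0).lower()) for m in THUMBPRINT_RE.finditer(text)}
    return {
        "accesses_attested": ATTESTED_ENDPOINT in text,
        "retiring_names": [n for n in RETIRING_CA_NAMES if n.lower() in lowered],
        "recommended_roots": sorted(RECOMMENDED_ROOTS[t] for t in found if t in RECOMMENDED_ROOTS),
        # Anything else that looks like a thumbprint is reported for a human to check: it may be a
        # retiring CA, or an unrelated 40-hex value such as a git commit id.
        "unrecognized_thumbprints": sorted(t for t in found if t not in RECOMMENDED_ROOTS),
    }

def classify(findings: dict) -> str:
    """Map findings onto the outcomes described in the answers."""
    pins_old = bool(findings["retiring_names"] or findings["unrecognized_thumbprints"])
    if findings["accesses_attested"] and pins_old:
        return "impacted: attested data used with a retiring CA pin, action required"
    if pins_old:
        return "review: retiring CA or unknown thumbprint referenced, attested endpoint not found"
    if findings["accesses_attested"]:
        return "ok: attested data used, pinned only to recommended roots (or not pinned)"
    return "not affected: no attested data access or CA pin found"

# Constructed sample (not real customer code): reaches the endpoint, pins the recommended G2 root
# in colon form, but still checks the issuer against a retiring intermediate.
SAMPLE = ('url = "http://169.254.169.254/metadata/attested/document"\n'
          'ROOT_PIN = "DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4"\n'
          'assert issuer_name == "Microsoft RSA TLS CA 02"')
```

Run it over each file in a source tree (for example by feeding `Path.read_text()` output to `audit_source`) and review the "impacted" and "review" results by hand.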

  5. Diegoo Norte 1 Reputation point
    2022-06-28T13:18:56.933+00:00

    The best command

    {
      "id": "WH-17W49296X1356610S-0MD256853V991784A",
      "create_time": "2015-10-07T16:45:17Z",
      "resource_type": "INSTRUMENTO",
      "event_type": "PAYMENT_NETWORKS. INSTRUMENTO. CUENTA VINCULADA-ACTUALIZADA",
      "resumen": "Se ha añadido con éxito un instrumento.",
      "recurso": {
        "partner_financial_instrument_id": "VS12345678900000",
        "evento": {
          "event_type": "INSTRUMENT_ADDED",
          "event_reason": "ADDED_BY_PUSH"
        },
        "cliente": {
          "partner_customer_id": "APRE32ER567GH",
          "PayPal_customer_id": "M234WEMADSKDF"
        }
      },
      "enlaces": [
        {
          "href": "https://api.paypal.com/v1/notifications/webhooks-events/WH-17W49296X1356610S-0MD256853V991784A",
          "rel": "yo",
          "método": "GET",
          "encType": "application/json"
        },
        {
          "href": "https://api.paypal.com/v1/notifications/webhooks-events/WH-17W49296X1356610S-0MD256853V991784A/resend",
          "rel": "reenviar",
          "método": "POST",
          "encType": "application/json"
        }
      ],
      "event_version": "1.0"
    }
