Please read the following carefully to determine the impact to you.
• Who will be impacted?
If you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”) in Azure instance metadata service attested data, you are impacted.
• When did the TLS certificates change happen?
For Instance Metadata Service attested data, the change begins July 1st, 2022.
• What is the scope of the TLS certificates change?
This change is limited to services in public Azure cloud and US Government cloud. There are no changes in other sovereign clouds like Azure China.
• How do I know whether my applications are impacted?
If any client application has pinned to an Intermediate CA rather than the Baltimore CyberTrust Root, immediate action is required to prevent disruption in the services which rely on Azure Instance Metadata Service.
If you have an application that integrates with Azure services, or if you get your VM images from Azure marketplace, and you are unsure if it uses certificate pinning with Azure Instance Metadata Service Attested data, check with the application/image owner.
Determine the change in your code:
- Check if your client application has been pinned to any of the following:
• Root CA: Baltimore CyberTrust Root CA
• Intermediate CA: Microsoft RSA TLS CA 01
• Intermediate CA: Microsoft RSA TLS CA 02
Certificate Renewal Summary can be found in this article Azure Instance Metadata Service-Attested data TLS: Critical changes are here! - Microsoft Tech Community.
- If your client application has been pinned to the above certificates, search your source code for the thumbprint, Common Name, and other certificate properties of any of the root CA or intermediate CAs.
- If there is a match, your application will be impacted and immediate action is required.
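The source-code search described in the steps above can be scripted. The following is an added example, not code from Microsoft or from the notice: it scans a set of files for the Common Names of the CAs being rolled (Baltimore CyberTrust Root, Microsoft RSA TLS CA 01/02) and for any SHA-1 thumbprint literal, and classifies each thumbprint as one of the recommended roots from this notice or as an unrecognized pin that needs review. The sample files are constructed for the demonstration; the legacy thumbprints themselves are not listed in the notice, so the scanner flags names rather than relying on them.

```python
import re
from typing import Dict, List

# Common Names from the notice that indicate a pin to a CA being rolled.
LEGACY_CA_NAMES = (
    "Baltimore CyberTrust Root",
    "Microsoft RSA TLS CA 01",
    "Microsoft RSA TLS CA 02",
)

# Roots the notice recommends pinning to, keyed by the SHA-1 thumbprints it lists.
RECOMMENDED_ROOT_THUMBPRINTS = {
    "df3c24f9bfd666761b268073fe06d1cc8d4f82a4": "DigiCert Global Root G2",
    "7e04de896a3e666d00e687d33ffad93be83d349e": "DigiCert Global Root G3",
    "73a5e64a3bff8316ff0edccc618a906e4eae4d74": "Microsoft RSA Root Certificate Authority 2017",
    "999a64c37ff47d9fab95f14769891460eec4c3c5": "Microsoft ECC Root Certificate Authority 2017",
}

# A SHA-1 thumbprint as it usually appears in code: 20 hex bytes, optionally colon- or
# space-separated. The word boundaries keep it from matching inside longer (e.g. SHA-256) hex.
THUMBPRINT_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}[: ]?){19}[0-9a-fA-F]{2}\b")


def normalize_thumbprint(value: str) -> str:
    """Lower-case hex with separators removed, so 'DF:3C:..' and 'df3c..' compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def scan_source(files: Dict[str, str]) -> List[dict]:
    """Return one finding per legacy CA name or thumbprint literal found in the given files."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name in LEGACY_CA_NAMES:
                if name in line:
                    findings.append({"file": path, "line": lineno,
                                     "kind": "legacy-ca-name", "value": name})
            for match in THUMBPRINT_RE.finditer(line):
                thumb = normalize_thumbprint(match.group(0))
                kind = ("recommended-root" if thumb in RECOMMENDED_ROOT_THUMBPRINTS
                        else "unrecognized-thumbprint")
                findings.append({"file": path, "line": lineno, "kind": kind, "value": thumb})
    return findings


def needs_action(findings: List[dict]) -> bool:
    """True if any pin refers to a rolled CA or to a thumbprint not in the recommended root set."""
    return any(f["kind"] in ("legacy-ca-name", "unrecognized-thumbprint") for f in findings)


# Constructed sample files (not real project code) exercising each finding type.
SAMPLE_SOURCE = {
    "imds_client.py": (
        "# constructed sample: pins an intermediate by name and a root by thumbprint\n"
        "PINNED_ISSUER_CN = 'Microsoft RSA TLS CA 02'\n"
        "ALLOWED_ROOT_THUMBPRINT = 'DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4'\n"
    ),
    "legacy_config.json": (
        '{"trustedRoot": "Baltimore CyberTrust Root",\n'
        ' "thumbprint": "0123456789abcdef0123456789abcdef01234567"}\n'
    ),
}

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"{finding['file']}:{finding['line']} {finding['kind']} {finding['value']}")
    print("action required:", needs_action(scan_source(SAMPLE_SOURCE)))
```

Run it against a real tree by building the `files` dictionary from the repository contents; a finding of kind `legacy-ca-name` or `unrecognized-thumbprint` is the "match" that the steps above say requires immediate action.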
Action Required
- To continue without disruption due to this change, Microsoft recommends that client applications or devices trust the root CA – DigiCert Global Root G2 (Thumbprint: df3c24f9bfd666761b268073fe06d1cc8d4f82a4)
- Intermediate certificates are expected to change more frequently than root CAs. Customers who use certificate pinning are recommended NOT to take dependencies on them and instead to pin to the root certificate, as it rolls less frequently.
- If you are currently pinning to the intermediate CAs and have a requirement to continue pinning to intermediate CAs, to prevent disruption due to this change, you should update the source code to add the intermediate Microsoft Azure TLS Issuing CAs listed in the table below to the trusted store.
- To prevent future disruption, you should also add the following roots to the trusted store. Adding the recommended root CAs now will save you the allow-list effort in the near future:
• DigiCert Global Root G3
(Thumbprint: 7e04de896a3e666d00e687d33ffad93be83d349e)
• Microsoft RSA Root Certificate Authority 2017
(Thumbprint: 73a5e64a3bff8316ff0edccc618a906e4eae4d74)
• Microsoft ECC Root Certificate Authority 2017
(Thumbprint: 999a64c37ff47d9fab95f14769891460eec4c3c5)
Note: If you have a requirement to pin to intermediate CAs, to prevent future disruption, you should also add the intermediate Microsoft Azure ECC TLS CAs listed in the table to the trusted store.
- It is also recommended to build fallback logic into the certificate pinning process to minimize the future impact of certificate changes.
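The recommendations above (pin to the root, treat intermediate pins as a short-lived exception, and build in fallback logic) can be combined into one pin-evaluation policy. The following is an added example, not Microsoft's code or part of the notice. It assumes the caller has already obtained the peer chain as DER bytes and has run normal platform TLS validation; the chain values below are constructed for the demonstration, and the intermediate pin list is a placeholder because the notice refers to a table of Microsoft Azure TLS Issuing CAs that is not reproduced here.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Roots recommended by the notice, keyed by the SHA-1 thumbprints it lists.
ROOT_PINS: Dict[str, str] = {
    "df3c24f9bfd666761b268073fe06d1cc8d4f82a4": "DigiCert Global Root G2",
    "7e04de896a3e666d00e687d33ffad93be83d349e": "DigiCert Global Root G3",
    "73a5e64a3bff8316ff0edccc618a906e4eae4d74": "Microsoft RSA Root Certificate Authority 2017",
    "999a64c37ff47d9fab95f14769891460eec4c3c5": "Microsoft ECC Root Certificate Authority 2017",
}

# Placeholder: fill from the notice's table of Microsoft Azure TLS Issuing CAs if you must
# keep intermediate pins. Left empty here so nothing is invented.
INTERMEDIATE_PINS: Dict[str, str] = {}


def normalize_thumbprint(value: str) -> str:
    """Lower-case hex without separators so stored and computed thumbprints compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def thumbprint_of(der: bytes) -> str:
    """SHA-1 over the DER encoding, which is what Windows/Azure call the certificate thumbprint."""
    return hashlib.sha1(der).hexdigest()


def evaluate_chain(chain: List[Tuple[str, str]],
                   root_pins: Optional[Dict[str, str]] = None,
                   intermediate_pins: Optional[Dict[str, str]] = None,
                   fallback_to_platform_trust: bool = False) -> Tuple[str, str]:
    """Apply pins in order of preference and return (decision, reason).

    chain: (subject, thumbprint) pairs, leaf first, as seen on the connection.
    Decisions: 'accept' (root pin), 'accept-warn' (intermediate pin only; migrate it),
    'accept-unpinned' (no pin matched but the caller enabled fallback to platform trust,
    which should raise an alert), or 'reject'.
    """
    roots = root_pins if root_pins is not None else ROOT_PINS
    intermediates = intermediate_pins if intermediate_pins is not None else INTERMEDIATE_PINS
    seen = [(subject, normalize_thumbprint(tp)) for subject, tp in chain]

    for subject, tp in seen:
        if tp in roots:
            return ("accept", f"chain anchored at pinned root '{roots[tp]}'")
    for subject, tp in seen:
        if tp in intermediates:
            return ("accept-warn",
                    f"matched intermediate pin '{subject}'; intermediates roll more often, move this pin to a root")
    if fallback_to_platform_trust:
        # Fallback logic: platform validation already passed, so keep working but make noise.
        return ("accept-unpinned", "no pin matched; relying on platform trust store, alert operators")
    return ("reject", "no pinned certificate present in chain")


# Constructed chains. Leaf and intermediate thumbprints are derived from placeholder bytes;
# the root entry uses the DigiCert Global Root G2 thumbprint from the notice.
LEAF_TP = thumbprint_of(b"constructed IMDS leaf certificate DER")
ISSUING_TP = thumbprint_of(b"constructed Azure TLS issuing CA DER")
LEGACY_ROOT_TP = thumbprint_of(b"constructed legacy root DER (placeholder, not the real thumbprint)")

CHAIN_NEW_ROOT = [("attested-data endpoint (constructed)", LEAF_TP),
                  ("Microsoft Azure TLS Issuing CA (constructed)", ISSUING_TP),
                  ("DigiCert Global Root G2", "DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4")]
CHAIN_LEGACY_ROOT = [("attested-data endpoint (constructed)", LEAF_TP),
                     ("Microsoft RSA TLS CA 02 (constructed)", ISSUING_TP),
                     ("Baltimore CyberTrust Root (constructed)", LEGACY_ROOT_TP)]

if __name__ == "__main__":
    print(evaluate_chain(CHAIN_NEW_ROOT))
    print(evaluate_chain(CHAIN_LEGACY_ROOT))
    print(evaluate_chain(CHAIN_LEGACY_ROOT, fallback_to_platform_trust=True))
```

The order of the checks is the point: a root match wins so that intermediate rotation never breaks the client, an intermediate match is tolerated but surfaced as a migration item, and the fallback branch is an explicit choice the operator turns on rather than a silent default.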
Additional Information:
For details of the certificate renewal, including the list of certificates being rolled out and related actions, see Azure Instance Metadata Service-Attested data TLS: Critical changes are here! - Microsoft Tech Community.