Certificate authorities used by Azure Active Directory
Important
The information in this page is relevant only to entities that explicitly specify a list of acceptable Certificate Authorities (CAs). This practice, known as certificate pinning, should be avoided unless there are no other options.
Any entity trying to access Azure Active Directory (Azure AD) identity services via the TLS/SSL protocols will be presented with certificates from the CAs listed below. If the entity trusts those CAs, it may use the certificates to verify the identity and legitimacy of the identity services and establish secure connections.
Certificate Authorities can be classified into root CAs and intermediate CAs. Typically, root CAs have one or more associated intermediate CAs. This article lists the root CAs used by Azure AD identity services and the intermediate CAs associated with each of those roots. For each CA, we include Uniform Resource Identifiers (URIs) to download the associated Authority Information Access (AIA) and the Certificate Revocation List Distribution Point (CDP) files. When appropriate, we also provide a URI to the Online Certificate Status Protocol (OCSP) endpoint.
CAs used in Azure Public and Azure US Government clouds
Different services may use different root or intermediate CAs. Therefore all entries listed below may be required.
DigiCert Global Root G2
| Root CA | Serial Number | Issue Date Expiration Date | SHA1 Thumbprint | URIs |
|---|---|---|---|---|
| DigiCert Global Root G2 | 033af1e6a711a 9a0bb2864b11d09fae5 | August 1, 2013 January 15, 2038 |
df3c24f9bfd666761b268 073fe06d1cc8d4f82a4 | AIA CDP |
Associated Intermediate CAs
| Issuing and Intermediate CA | Serial Number | Issue Date Expiration Date | SHA1 Thumbprint | URIs |
|---|---|---|---|---|
| Microsoft Azure TLS Issuing CA 01 | 0aafa6c5ca63c45141 ea3be1f7c75317 | July 29, 2020 June 27, 2024 |
2f2877c5d778c31e0f29c 7e371df5471bd673173 | AIA CDP |
| Microsoft Azure TLS Issuing CA 02 | 0c6ae97cced59983 8690a00a9ea53214 | July 29, 2020 June 27, 2024 |
e7eea674ca718e3befd 90858e09f8372ad0ae2aa | AIA CDP |
| Microsoft Azure TLS Issuing CA 05 | 0d7bede97d8209967a 52631b8bdd18bd | July 29, 2020 June 27, 2024 |
6c3af02e7f269aa73a fd0eff2a88a4a1f04ed1e5 | AIA CDP |
| Microsoft Azure TLS Issuing CA 06 | 02e79171fb8021e93fe 2d983834c50c0 | July 29, 2020 June 27, 2024 |
30e01761ab97e59a06b 41ef20af6f2de7ef4f7b0 | AIA CDP |
Baltimore CyberTrust Root
| Root CA | Serial Number | Issue Date Expiration Date | SHA1 Thumbprint | URIs |
|---|---|---|---|---|
| Baltimore CyberTrust Root | 020000b9 | May 12, 2000 May 12, 2025 |
d4de20d05e66fc53fe 1a50882c78db2852cae474 | CDP OCSP |
Associated Intermediate CAs
| Issuing and Intermediate CA | Serial Number | Issue Date Expiration Date | SHA1 Thumbprint | URIs |
|---|---|---|---|---|
| Microsoft RSA TLS CA 01 | 703d7a8f0ebf55aaa 59f98eaf4a206004eb2516a | July 21, 2020 October 8, 2024 |
417e225037fbfaa4f9 5761d5ae729e1aea7e3a42 | AIA CDP OCSP |
| Microsoft RSA TLS CA 02 | b0c2d2d13cdd56cdaa 6ab6e2c04440be4a429c75 | July 21, 2020 May 20, 2024 |
54d9d20239080c32316ed 9ff980a48988f4adf2d | AIA CDP OCSP |
DigiCert Global Root CA
| Root CA | Serial Number | Issue Date Expiration Date | SHA1 Thumbprint | URIs |
|---|---|---|---|---|
| DigiCert Global Root CA | 083be056904246 b1a1756ac95991c74a | November 9, 2006 November 9, 2031 |
a8985d3a65e5e5c4b2d7 d66d40c6dd2fb19c5436 | CDP OCSP |
Associated Intermediate CAs
| Issuing and Intermediate CA | Serial Number | Issue Date Expiration Date | SHA1 Thumbprint | URIs |
|---|---|---|---|---|
| DigiCert SHA2 Secure Server CA | 01fda3eb6eca75c 888438b724bcfbc91 | March 8, 2013 March 8, 2023 | 1fb86b1168ec743154062 e8c9cc5b171a4b7ccb4 | AIA CDP OCSP |
| DigiCert SHA2 Secure Server CA | 02742eaa17ca8e21 c717bb1ffcfd0ca0 | September 22, 2020 September 22, 2030 |
626d44e704d1ceabe3bf 0d53397464ac8080142c | AIA CDP OCSP |
CAs used in Azure China 21Vianet cloud
DigiCert Global Root CA
| Root CA | Serial Number | Issue Date Expiration Date | SHA1 Thumbprint | URIs |
|---|---|---|---|---|
| DigiCert Global Root CA | 083be056904246b 1a1756ac95991c74a | Nov. 9, 2006 Nov. 9, 2031 |
a8985d3a65e5e5c4b2d7 d66d40c6dd2fb19c5436 | CDP OCSP |
Associated Intermediate CA
| Issuing and Intermediate CA | Serial Number | Issue Date Expiration Date | SHA1 Thumbprint | URIs |
|---|---|---|---|---|
| DigiCert Basic RSA CN CA G2 | 02f7e1f982bad 009aff47dc95741b2f6 | March 4, 2020 March 4, 2030 |
4d1fa5d1fb1ac3917c08e 43f65015e6aea571179 | AIA CDP OCSP |
Next Steps
Feedback
Submit and view feedback for