Azure TLS certificate changes

We know security is a top priority for you, and so is uptime of your applications.

To give you additional assurance of the authenticity of Azure services, most Azure services get their SSL/TLS certificates from a known set of intermediate certificate authorities (CAs) that Microsoft operates. Microsoft publishes details of these CAs in its Certificate Practice Statement (CPS).

Some organizations configure their applications with specific CAs, using a security practice called certificate pinning. Since CAs expire and get replaced, this practice requires that the applications be updated periodically to use the latest CAs. If this is not done in time, the application may get interrupted. To make this process easy for you, Microsoft publishes new CAs well in advance of using them.

The current intermediate CAs used by Azure are due to expire in May 2018. Microsoft published a new set of CAs last year in the July 2016 revision of the CPS. Azure services will begin using these new CAs from July 27, 2017. If your organization configures your application with specific CAs, then you must ensure your applications are updated by July 27, 2017 to prevent interruption.

What is changing

This information can also be found in Microsoft’s Certificate Practice Statement (CPS). It is duplicated here for convenience.

Today TLS certificates for Azure services are issued from the following intermediate CAs:

CN                     Thumbprint
Microsoft IT SSL SHA2  97 ef f3 02 86 77 89 4b dd 4f 9a c5 3f 78 9b ee 5d f4 ad 86
Microsoft IT SSL SHA2  94 8e 16 52 58 62 40 d4 53 28 7a b6 9c ae b8 f2 f4 f0 21 17


Beginning July 27, 2017, TLS certificates for Azure services will be issued either from the above CAs or from the following four additional intermediate CAs.

CN                     Thumbprint
Microsoft IT TLS CA 1  41 7e 22 50 37 fb fa a4 f9 57 61 d5 ae 72 9e 1a ea 7e 3a 42
Microsoft IT TLS CA 2  54 d9 d2 02 39 08 0c 32 31 6e d9 ff 98 0a 48 98 8f 4a df 2d
Microsoft IT TLS CA 4  8a 38 75 5d 09 96 82 3f e8 fa 31 16 a2 77 ce 44 6e ac 4e 99
Microsoft IT TLS CA 5  ad 89 8a c7 3d f3 33 eb 60 ac 1f 5f c6 c4 b2 21 9d db 79 b7

Note: the new CA numbering skips #3; this is expected and can be ignored.

Additional Details

  • CN = Microsoft IT TLS CA 1 (or 2, 4, 5 respectively)
  • OU = Microsoft IT
  • O = Microsoft Corporation
  • L = Redmond
  • S = Washington
  • C = US


Endpoint changes are:

Original CRL distribution point  https://cdp1.public-trust.com/CRL/Omniroot2025.crl
New CRL distribution point       https://crl3.digicert.com/Omniroot2025.crl
OCSP                             https://ocsp.digicert.com

You must ensure your app can connect to all of the above.

Will this affect me?

We expect that the majority of Azure customers will *not* be impacted. You will be impacted in the following scenarios:

  1. If you have an application, browser or service that calls one or more Azure services and your application explicitly verifies who issued the TLS certificates for those Azure services. This is called static certificate pinning.
  2. If you have set firewall rules to allow outbound calls to only specific CRL download and/or OCSP verification locations.

Do the following to detect whether an application you are using does static certificate pinning:

  1. If you have the source code of the application in question, then search it for a thumbprint with either of these values: “97 ef f3 02 86 77 89 4b dd 4f 9a c5 3f 78 9b ee 5d f4 ad 86” or “94 8e 16 52 58 62 40 d4 53 28 7a b6 9c ae b8 f2 f4 f0 21 17”. If there is a match, your application will be impacted.
  2. If you purchased the application, then check with the application vendor.

What will I need to do if I am impacted?

If your application meets the criteria listed in the sections above, then you must update the certificate pinning code in your application to accept any of the four new CAs, in addition to the current CAs.

Similarly, if your environment locks down outbound network access, then you must ensure your application can reach the new CRL distribution points and the OCSP endpoint.
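The two steps above (search source code for the expiring thumbprints, then widen the pin to accept the four new CAs alongside the current ones) can be put into working code. The following is an added example and is not code from Microsoft or from the announcement; the thumbprints are the ones published above, while the sample source text, the function names and the regular expression are constructed for this illustration. The scanner normalizes hex so that pins written as "97EFF302…", "97:ef:f3:…" or "97 ef f3 …" are all found, and it ignores longer hex runs such as SHA-256 values.

```python
import hashlib
import re

# Thumbprints as published in the announcement above: SHA-1 over the DER
# encoding of each intermediate CA certificate, written with space separators.
EXPIRING_ISSUERS = [
    ("Microsoft IT SSL SHA2", "97 ef f3 02 86 77 89 4b dd 4f 9a c5 3f 78 9b ee 5d f4 ad 86"),
    ("Microsoft IT SSL SHA2", "94 8e 16 52 58 62 40 d4 53 28 7a b6 9c ae b8 f2 f4 f0 21 17"),
]
NEW_ISSUERS = [
    ("Microsoft IT TLS CA 1", "41 7e 22 50 37 fb fa a4 f9 57 61 d5 ae 72 9e 1a ea 7e 3a 42"),
    ("Microsoft IT TLS CA 2", "54 d9 d2 02 39 08 0c 32 31 6e d9 ff 98 0a 48 98 8f 4a df 2d"),
    ("Microsoft IT TLS CA 4", "8a 38 75 5d 09 96 82 3f e8 fa 31 16 a2 77 ce 44 6e ac 4e 99"),
    ("Microsoft IT TLS CA 5", "ad 89 8a c7 3d f3 33 eb 60 ac 1f 5f c6 c4 b2 21 9d db 79 b7"),
]


def normalize_thumbprint(value: str) -> str:
    """Lower-case hex with separators removed, so '97 EF F3', '97:ef:f3' and
    '97eff3' all compare equal. Pins in real code appear in all three forms."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


# Exactly 20 hex byte pairs, optionally separated by spaces, colons or dashes,
# and not embedded in a longer hex run (a SHA-256 digest or a key would be).
_THUMBPRINT_RE = re.compile(
    r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2}[ :\-]?){20}(?![0-9a-fA-F])"
)

EXPIRING = {normalize_thumbprint(t) for _, t in EXPIRING_ISSUERS}
NEW = {normalize_thumbprint(t) for _, t in NEW_ISSUERS}


def audit_source(source_text: str) -> list:
    """Detection step: find every SHA-1 thumbprint pinned in source text and
    classify it. Returns (status, normalized_thumbprint) pairs in order of
    appearance; any EXPIRING entry means the application is impacted."""
    findings = []
    for match in _THUMBPRINT_RE.finditer(source_text):
        thumb = normalize_thumbprint(match.group(0))
        if thumb in EXPIRING:
            status = "EXPIRING"
        elif thumb in NEW:
            status = "NEW"
        else:
            status = "UNKNOWN"
        findings.append((status, thumb))
    return findings


def thumbprint_of(der_bytes: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate (the value Windows shows
    as 'Thumbprint'), in the same normalized form as above."""
    return hashlib.sha1(der_bytes).hexdigest()


def issuer_is_allowed(issuer_der: bytes) -> bool:
    """Remediation step: the widened pin check accepts the current CAs *and*
    the four new ones, so the gradual rollover passes. The EXPIRING set can be
    dropped once those certificates have expired (May 7, 2018 per the FAQ).
    How the issuer certificate is obtained depends on the TLS stack in use."""
    return thumbprint_of(issuer_der) in (EXPIRING | NEW)


# Constructed sample source text, not taken from any real application: one pin
# in upper-case form, one colon-separated pin, and a SHA-256 that must be ignored.
SAMPLE_SOURCE = '''
string PinnedIssuer = "97EFF3028677894BDD4F9AC53F789BEE5DF4AD86";
string NewPin = "41:7e:22:50:37:fb:fa:a4:f9:57:61:d5:ae:72:9e:1a:ea:7e:3a:42";
string SomeSha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
'''

if __name__ == "__main__":
    for status, thumb in audit_source(SAMPLE_SOURCE):
        print(f"{status:9} {thumb}")
```

Run over a real code base, the audit would be applied to each source file in turn; a single EXPIRING finding is enough to put the application in scenario 1 above. Keeping the allow-list as a set of normalized values also removes the common failure where a pin is stored in one case or separator style and compared against a thumbprint rendered in another.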

FAQ

When can I retire the old intermediate thumbprint?

All certificates issued by the current intermediate CAs will expire by May 7, 2018. After that date you can remove the old thumbprints from your code.

Will all Azure services present certificates from the new issuers from July 27, 2017?

No. You will see the change gradually. Services will continue to present their existing TLS certificates. When each service renews its TLS certificate, you may see that service present a certificate issued by one of the new CAs. Each Azure service renews its certificate at a different time.


If you have any questions, please contact us through support. Please open the ticket under Azure Active Directory\Azure Resource Access.