Azure Storage has announced that it will be updating its intermediate certificates, which are set to expire on June 27, 2024. The new certificates will start rolling out in March 2024. While most Azure Storage customers are not expected to be affected, those who use certificate pinning may experience disruptions.
Certificate pinning, once considered a best practice, is no longer recommended. Azure Storage services that will be affected include Blob, File, Table, Queue, Static Website, and ADLS Gen2. This change is limited to the public Azure cloud and the US Government cloud; there will be no changes in other sovereign clouds like Azure China.
Action Required:
- If you have pinned to any of the intermediate CAs, add the Issuing CAs to your trusted root store by the end of February 2024.
- Continue using the current root or intermediate CAs until the transition period is complete to prevent connection interruption.
How to Check:
- Search your source code for the thumbprint, Common Name, and other certificate properties of any of the listed intermediate CAs. If there’s a match, immediate action is required.
Azure recommends pinning to the root certificate instead of the intermediate CAs, as root certificates are less frequently updated. If you must continue pinning to intermediate CAs, update your source code to add the new intermediate Microsoft Azure TLS Issuing CAs to the trusted store.
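The "How to Check" step above is easy to get wrong when done by hand, because a pinned thumbprint may be written with colons or spaces, in either case, and any 40- or 64-digit hex literal (a git commit hash, a checksum) looks like one. The following scanner is an added example, not code from the Azure announcement: it walks a source tree, normalises every hex run that could be a thumbprint, compares it against a watch list, and flags Common Names that start with the "Microsoft Azure TLS Issuing CA" prefix the announcement names. The two thumbprints in the watch list are placeholders; replace them with the real values of the intermediate CAs from Microsoft's list. The sample input is constructed.

```python
"""Find hard-coded certificate pins (thumbprints and CA Common Names) in a source tree.

Added example; not from the Azure announcement.  WATCHED_THUMBPRINTS holds
PLACEHOLDER values only and must be replaced with the real intermediate CA
thumbprints before use.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Common Name prefix named in the announcement (the trailing number varies).
WATCHED_CN_PREFIX = "Microsoft Azure TLS Issuing CA"

# PLACEHOLDER thumbprints (lower-case hex, no separators): one SHA-1 (40
# digits) and one SHA-256 (64 digits).  Replace with the real CA values.
WATCHED_THUMBPRINTS = {
    "aa" * 19 + "01",
    "bb" * 31 + "02",
}

# A thumbprint in source may be one hex run or byte pairs separated by ':',
# ' ' or '-'.  Try 32 pairs (SHA-256) first, then 20 (SHA-1); the lookarounds
# stop us matching the first 40 digits of a longer run.
_HEX_PAIRS = r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:\s-]?){%d}(?![0-9A-Fa-f])"
THUMBPRINT_RE = re.compile("|".join(_HEX_PAIRS % n for n in (32, 20)))

# Only report unknown hex literals when the line talks about pinning, so
# that commit hashes and checksums are not reported as pins.
PIN_KEYWORDS = re.compile(
    r"thumbprint|fingerprint|(?<![A-Za-z])pin(?:ned|ning|s)?(?![A-Za-z])", re.I)

SOURCE_SUFFIXES = {".cs", ".java", ".py", ".go", ".js", ".ts", ".json", ".yaml",
                   ".yml", ".xml", ".config", ".ps1", ".sh", ".conf", ".ini", ".cfg"}


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    kind: str   # "watched-cn", "watched-thumbprint" or "possible-pin"
    value: str


def scan_text(text: str, source: str = "<memory>") -> List[Finding]:
    """Scan one file's contents; returns findings in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if WATCHED_CN_PREFIX.lower() in line.lower():
            findings.append(Finding(source, lineno, "watched-cn", WATCHED_CN_PREFIX))
        for match in THUMBPRINT_RE.finditer(line):
            thumbprint = re.sub(r"[^0-9a-f]", "", match.group(0).lower())
            if thumbprint in WATCHED_THUMBPRINTS:
                findings.append(Finding(source, lineno, "watched-thumbprint", thumbprint))
            elif PIN_KEYWORDS.search(line):
                findings.append(Finding(source, lineno, "possible-pin", thumbprint))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Scan every source-like file below root."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, str(path)))
    return findings


def format_report(findings: List[Finding]) -> str:
    if not findings:
        return "no certificate pins found"
    return "\n".join(f"{f.source}:{f.line}: {f.kind}: {f.value}" for f in findings)


# Constructed sample input (not real configuration).  Lines 2-5 should be
# reported; lines 6-7 are a commit hash and a checksum and should not.
SAMPLE_SOURCE = "\n".join([
    "# constructed sample config, not real code",
    'STORAGE_CA_CN = "CN=Microsoft Azure TLS Issuing CA NN"',
    'PINNED_THUMBPRINT = "' + ":".join(["AA"] * 19 + ["01"]) + '"',
    'sha256_pin = "' + "BB" * 31 + "02" + '"',
    'fingerprint = "' + "dd" * 20 + '"',
    'commit = "' + "e3" * 20 + '"',
    'checksum = "' + "cc" * 32 + '"',
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(format_report(scan_tree(Path(sys.argv[1]))))
    else:
        print(format_report(scan_text(SAMPLE_SOURCE, "sample.cfg")))
```

Run it with a directory argument to scan a real tree, or with no argument to see the report for the constructed sample. A "watched" finding means the code pins one of the CAs being rotated and needs the new Issuing CAs added before the transition; a "possible-pin" finding is a thumbprint the scanner could not attribute, which is worth reviewing because the recommendation above applies to any intermediate pin, not only the ones on the watch list.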
Certificate Renewal Summary: New certificates will start rolling out in March 2024. Depending on which certificate your service uses for establishing TLS connections, action may be needed to prevent loss of connectivity.