Loading...

Azure Instance Metadata Service-Attested data TLS: Critical changes are here!

Azure Instance Metadata Service-Attested data TLS: Critical changes are here!

In 2020 most Azure services were updated to use TLS certificates from Certificate Authorities (CAs) that chain up to the DigiCert Global G2 root. However, Azure Instance Metadata Service -Attested data certificate, remained on TLS certificates issued by the Baltimore CyberTrust Root. The time has now come Azure Instance Metadata Service -Attested data to switch from the Baltimore CyberTrust CA Root to the DigiCert Global G2 CA Root*. The migration is started, will be finished by end of June 2022.  

We expect that most Azure Instance Metadata Service customers will not be impacted; however, if you use the Attested data endpoint in your application, you or your customers may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”)

This change is limited to public Azure cloud and US Government cloud. There are no changes in other sovereign clouds like Azure China

 

If your application has pinned to the root CA Baltimore CyberTrust Root or current intermediate CAs listed in the table belowimmediate action is required to prevent disruption in applications using Instance Metadata Service Attested Data endpoint.

* Other Azure service TLS certificates may be issued by a different PKI. 

 

Overview of Action Required

  • If your client application has pinned to the Baltimore CyberTrust Root CA, in addition to Baltimore, add the DigiCert Global Root G2 to your trusted root store before end of June 2022. 
  • If your client application has pinned to the intermediate CAs, in addition to Microsoft RSA TLS CAs, add the Microsoft Azure TLS Issuing CAs to your trusted root store before end of June 2022. 
  • Keep using the current root or intermediate CAs in your applications or devices until the transition period is completed (necessary to prevent connection interruption). 

How to check if your application is impacted

If your client application has pinned to  

  • Root CA: Baltimore CyberTrust Root CA or,  
  • Intermediate CA:  Microsoft RSA TLS CA 01 
  • Intermediate CA:  Microsoft RSA TLS CA 02   

detailed in the table below, then search your source code for the thumbprint, Common Name, and other cert properties of any of the root CA or intermediate CAs. If there is a match, then your application will be impacted, immediate action is required.

 

Action Required 

1. To continue without disruption due to this change, Microsoft recommends that client applications or devices trust the root CA – DigiCert Global Root G2  (Thumbprint: df3c24f9bfd666761b268073fe06d1cc8d4f82a4) 

  • Intermediate certificates are expected to change more frequently than root CA. Customers who use certificate pinning are recommended to NOT taking dependencies on them and instead pin to the root certificate, as it rolls less frequently.
    If you are currently pinning to the intermediate CAs and have a requirement to continue pinning to intermediate CAs, to prevent disruption due to this change, you should update the source code to add the intermediate Microsoft Azure TLS Issuing CAs listed in the table below to the trusted store. 

2. To prevent future disruption, you should also add the following roots to the trusted store. This will save you from the allow list effort in near future if you add the recommended root CAs now: 

Note: If you have a requirement to pin to intermediate CAs, to prevent future disruption, you should also add the intermediate Microsoft Azure ECC TLS CAs listed in the table below to the trusted store.

 

3. If you have an application that integrates with Azure services, or if you get your VM images from Azure marketplace, and you are unsure if it uses certificate pinning with Azure Instance Metadata Service Attested data, check with the application/image owner.

 

4. It is also recommended to create a fallback logic with the certificate pinning process to minimize the future impact of certificate changes. 

 

Certificate Renewal Summary 

The table below provides information about the certificates that are being rolled. Depending on which certificate your service uses for establishing TLS connections, action may be needed to prevent disruption in applications using Instance Metadata Service Attested Data endpoint.

 

 

Certificate 

Current 

Post Rollover 

Action 

Root 

Thumbprint (SHA1): d4de20d05e66fc53fe1a50882c78db2852cae474 
Expiration: Monday, May 12, 2025, 4:59:00 PM 
Subject Name: 
CN = Baltimore CyberTrust Root 

OU = CyberTrust 
O = Baltimore 
C = IE  

Thumbprint (SHA1): df3c24f9bfd666761b268073fe06d1cc8d4f82a4 

Expiration: ‎Friday, ‎January ‎15, ‎2038 5:00:00 AM 
Subject Name: 
CN = DigiCert Global Root G2 
OU = www.digicert.com 
O = DigiCert Inc 
C = US  

 

Required before end of June 2022

 

Root 

  

Thumbprint (SHA1): 
7e04de896a3e666d00e687d33ffad93be83d349e 
Expiration: ‎Friday, ‎January ‎15, ‎2038 5:00:00 AM 
CN = DigiCert Global Root G3 
OU = www.digicert.com 
O = DigiCert Inc 
C = US 

 

Thumbprint (SHA1): 
73a5e64a3bff8316ff0edccc618a906e4eae4d74 
Expiration: ‎Friday, ‎July ‎18, ‎2042 4:00:23 PM 
CN = Microsoft RSA Root Certificate Authority 2017 
O = Microsoft Corporation 
C = US 

 

Thumbprint (SHA1): 
999a64c37ff47d9fab95f14769891460eec4c3c5 
Expiration: ‎Friday, ‎July ‎18, ‎2042 4:16:04 PM 
CN = Microsoft ECC Root Certificate Authority 2017 
O = Microsoft Corporation 
C = US 

 

Recommended to prevent disruption 
from future changes 

Intermediates 

Thumbprints (SHA1):  

  

CN = Microsoft RSA TLS CA 01 

Thumbprint: 

703d7a8f0ebf55aaa59f98eaf4a206004eb2516a 

 

CN = Microsoft RSA TLS CA 02 

Thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75 

  

Expiration: ‎Tuesday, ‎October ‎8, ‎2024 12:00:00 AM;  
Subject Name:  

O = Microsoft Corporation 

C = US 

Thumbprints (SHA1):  

  

CN = Microsoft Azure TLS Issuing CA 01 
Thumbprint:  

b9ed88eb05c15c79639493016200fdab08137af3 

 

CN = Microsoft Azure TLS Issuing CA 02 

Thumbprint:  

c5fb956a0e7672e9857b402008e7ccad031f9b08 

 

CN = Microsoft Azure TLS Issuing CA 05  

Thumbprint:  

56f1ca470bb94e274b516a330494c792c419cf87 

 

CN = Microsoft Azure TLS Issuing CA 06 

Thumbprint:  

8f1fd57f27c828d7be29743b4d02cd7e6e5f43e6 

 

Expiration: ‎Thursday, ‎June 27, ‎2024 4:59:59 PM;  
Subject Name: 

Issuer = Microsoft RSA Root Certificate Authority 2017 

O = Microsoft Corporation 

C = US 

 

-------------------------------------------------------

 

CN = Microsoft Azure TLS Issuing CA 01 
Thumbprint:  

2f2877c5d778c31e0f29c7e371df5471bd673173 

 

CN = Microsoft Azure TLS Issuing CA 02 

Thumbprint:  

e7eea674ca718e3befd90858e09f8372ad0ae2aa 

 

CN = Microsoft Azure TLS Issuing CA 05 
Thumbprint:  

6c3af02e7f269aa73afd0eff2a88a4a1f04ed1e5 

 

CN = Microsoft Azure TLS Issuing CA 06 

Thumbprint:  

30e01761ab97e59a06b41ef20af6f2de7ef4f7b0 

 

Expiration: ‎Thursday, ‎June 27, ‎2024 4:59:59 PM;  
Subject Name:  

Issuer = DigiCert Global Root G2 

O = DigiCert Inc 

C = US 

 

Required before end of June 2022

Intermediates 

 

Thumbprints (SHA1):  

 

CN = Microsoft Azure ECC TLS Issuing CA 01 

Thumbprint:  

cda57423ec5e7192901ca1bf6169dbe48e8d1268 

 

CN = Microsoft Azure ECC TLS Issuing CA 02 

Thumbprint:  

489ff5765030eb28342477693eb183a4ded4d2a6 

 

CN = Microsoft Azure ECC TLS Issuing CA 05 

Thumbprint:  

4c15bc8d7aa5089a84f2ac4750f040d064040cd4 

 

CN = Microsoft Azure ECC TLS Issuing CA 06 

Thumbprint:  

dfeb65e575d03d0cc59fd60066c6d39421e65483 

 

Expiration: ‎Thursday, ‎June 27, ‎2024 4:59:59 PM;  
Subject Name: 

Issuer = Microsoft ECC Root Certificate Authority 2017 

O = Microsoft Corporation 

C = US 

 

-------------------------------------------------------

 

CN = Microsoft Azure ECC TLS Issuing CA 01 

Thumbprint:  

92503d0d74a7d3708197b6ee13082d52117a6ab0 

 

CN = Microsoft Azure ECC TLS Issuing CA 02 

Thumbprint:  

1e981ccddc69102a45c6693ee84389c3cf2329f1 

 

CN = Microsoft Azure ECC TLS Issuing CA 05 

Thumbprint:  

c6363570af8303cdf31c1d5ad81e19dbfe172531 

 

CN = Microsoft Azure ECC TLS Issuing CA 06 

Thumbprint:  

7365adaedfea4909c1baadbab68719ad0c381163 

 

Expiration: ‎Thursday, ‎June 27, ‎2024 4:59:59 PM;  
Subject Name:  

Issuer = DigiCert Global Root G3 

O = DigiCert Inc 

C = US 

Recommended to prevent disruption from 
future changes 

 

For additional information about Azure certificate Authority, see Azure Certificate Authority details | Microsoft Docs

 

Help and Support

If you have questions, get answers from community experts here Azure Instance Metadata Service Attested data certificate changes FAQ - Microsoft Q&A.

If you have a support plan and you need technical help, please create a support request:

1. Select the appropriate virtual machine type:

Virtual Machine running Linux

Virtual Machine running SUSE

Virtual Machine running RedHat

Virtual Machine running Ubuntu

Virtual Machine running Windows


2. For Summary, type a description of your issues

3. After Issue type automatically populates, for Subscription, select your subscription

4. After Service and Service type automatically populate, for Resource, select the resource you need help with.

5. After Problem type and Problem subtype automatically populate, select Next.

 

 

 

 

Published on:

Learn more
Azure Governance and Management Blog articles
Azure Governance and Management Blog articles

Azure Governance and Management Blog articles

Share post:

Related posts

HTTP Trigger Azure Function Authorization Types simplified

Here' how you can quickly understand what are the different Authorization Levels to be set while working with HTTP Azure Functions.

12 hours ago

Increasing Security for SQL Server Enabled by Azure Arc

Back in November 2023, the least privileges deployment model was introduced as a public preview. After thorough testing, we are excited to ann...

2 days ago

Govern your Azure Firewall configuration with Azure Policies

Introduction:  In the rapidly evolving digital landscape, securing cloud environments is more critical than ever. Azure Firewall emerges ...

2 days ago

Azure Verified Modules - Monthly Update [June]

AVM Module Summary The AVM team are excited that our community have been busy building AVM Modules. As of June 17th, the AVM Footprint curren...

2 days ago

General Availability Announcement: Azure VM Regional to Zonal Move

Today, we announce the general availability of the capability to convert regional VMs to a zonal configuration within the same region. Th...

3 days ago

Azure WAF Public Preview: JavaScript Challenge

Microsoft has recently released JavaScript challenge in public preview for Azure WAF on Application Gateway and Azure Front Door.   Appro...

4 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy