Upcoming changes to Azure Cosmos DB TLS certificates

Thomas Weiss

Starting July 2022, Azure Cosmos DB TLS server certificates will be issued by new Root and Intermediate Certificate Authorities (CA). Azure Cosmos DB services will then be chained to DigiCert Global G2 Root, and the TLS server certificates will be issued by new ICAs.

We expect that most Azure Cosmos DB customers will not be impacted. However, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). This change is limited to the public Azure cloud and Azure Government cloud. There are no changes in Azure sovereign cloud offerings.

If any of your client applications are pinned to the root CA Baltimore CyberTrust Root or current intermediate CAs listed below, immediate action is required to prevent disruption to connectivity to your Azure Cosmos DB account.

How to check if your client application is affected

Search your source code for the thumbprint, Common Name, and other certificate properties of any of the root CA or intermediate CAs.

• Root CA: Baltimore CyberTrust Root CA (thumbprint: d4de20d05e66fc53fe1a50882c78db2852cae474)
• Intermediate CA: Microsoft RSA TLS CA 01 (thumbprint: 703d7a8f0ebf55aaa59f98eaf4a206004eb2516a)
• Intermediate CA: Microsoft RSA TLS CA 02 (thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75)

If there is a match, your application will be impacted.

Action required

1. To continue without disruption due to this change, Microsoft recommends that, in addition to Baltimore, client applications or devices trust the DigiCert Global Root G2 root CA (thumbprint: df3c24f9bfd666761b268073fe06d1cc8d4f82a4). Intermediate certificates are expected to change more frequently than the root CAs. Customers who use certificate pinning are recommended to not take dependencies on them and instead pin to the root certificate only as it rolls less frequently.
2. To prevent future disruption, it is also recommended to add the following roots to the trusted store:
   • DigiCert Global Root G3 (thumbprint: 7e04de896a3e666d00e687d33ffad93be83d349e)
   • Microsoft RSA Root Certificate Authority 2017 (thumbprint: 73a5e64a3bff8316ff0edccc618a906e4eae4d74)
   • Microsoft ECC Root Certificate Authority 2017 (thumbprint: 999a64c37ff47d9fab95f14769891460eec4c3c5)

Support

If you have any questions, get answers from community experts in Microsoft Q&A. If you have completed step 1 and need technical help, please open a support request with the options below and a member from our engineering team will get back to you.

• For Issue type, select Technical.
• For Subscription, select your subscription.
• For Service, select My Services, then select Cosmos DB.
• For Resource, select your Azure Cosmos DB account.
• For Problem type, select Security.
• For Problem subtype, select How-to.

Learn more

This change impacts all Azure services. For details about specific services, read the technical documentation.

Thomas Weiss Program Manager, Azure Cosmos DB

Follow