{"id":4046,"date":"2022-03-21T08:31:38","date_gmt":"2022-03-21T15:31:38","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/cosmosdb\/?p=4046"},"modified":"2022-03-21T11:56:02","modified_gmt":"2022-03-21T18:56:02","slug":"tls-certificates-changes","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cosmosdb\/tls-certificates-changes\/","title":{"rendered":"Upcoming changes to Azure Cosmos DB TLS certificates"},"content":{"rendered":"<p>Starting July 2022, Azure Cosmos DB TLS server certificates will be issued by new Root and Intermediate Certificate Authorities (CA). <strong>Azure Cosmos DB services will then be chained to DigiCert Global G2 Root, and the TLS server certificates will be issued by new ICAs<\/strong>.<\/p>\n<p>We expect that most Azure Cosmos DB customers will not be impacted. However, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as \u201ccertificate pinning\u201d). This change is limited to the public Azure cloud and Azure Government cloud. 
There are no changes in Azure sovereign cloud offerings.<\/p>\n<p>If any of your client applications are pinned to the root CA Baltimore CyberTrust Root or current intermediate CAs listed below, immediate action is required to prevent disruption to connectivity to your Azure Cosmos DB account.<\/p>\n<h4>How to check if your client application is affected<\/h4>\n<p>Search your source code for the thumbprint, Common Name, and other certificate properties of any of the root CA or intermediate CAs.<\/p>\n<ul>\n<li>Root CA: Baltimore CyberTrust Root CA (thumbprint: d4de20d05e66fc53fe1a50882c78db2852cae474)<\/li>\n<li>Intermediate CA: Microsoft RSA TLS CA 01 (thumbprint: 703d7a8f0ebf55aaa59f98eaf4a206004eb2516a)<\/li>\n<li>Intermediate CA: Microsoft RSA TLS CA 02 (thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75)<\/li>\n<\/ul>\n<p>If there is a match, your application will be impacted.<\/p>\n<h4>Action required<\/h4>\n<ol>\n<li>To continue without disruption due to this change, Microsoft recommends that, in addition to Baltimore, client applications or devices trust the <a href=\"https:\/\/www.digicert.com\/kb\/digicert-root-certificates.htm\">DigiCert Global Root G2<\/a> root CA (thumbprint: df3c24f9bfd666761b268073fe06d1cc8d4f82a4). 
Intermediate certificates are expected to change more frequently than the root CAs.\nCustomers who use certificate pinning should not take dependencies on intermediate certificates and should instead pin only to the root certificate, which rolls less frequently.<\/li>\n<li>To prevent future disruption, it is also recommended to add the following roots to the trusted store:\n<ul>\n<li><a href=\"https:\/\/www.digicert.com\/kb\/digicert-root-certificates.htm\">DigiCert Global Root G3<\/a> (thumbprint: 7e04de896a3e666d00e687d33ffad93be83d349e)<\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt\">Microsoft RSA Root Certificate Authority 2017<\/a> (thumbprint: 73a5e64a3bff8316ff0edccc618a906e4eae4d74)<\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt\">Microsoft ECC Root Certificate Authority 2017<\/a> (thumbprint: 999a64c37ff47d9fab95f14769891460eec4c3c5)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h4>Support<\/h4>\n<p>If you have any questions, get answers from community experts in <a href=\"https:\/\/aka.ms\/AzureCosmosDBQandA\">Microsoft Q&amp;A<\/a>. 
If you have completed step 1 and need technical help, please open a\u202fsupport request\u202fwith the options below and a member\u202ffrom\u202four engineering team will get back to you.<\/p>\n<ul>\n<li>For <em>Issue type<\/em>, select <strong>Technical<\/strong>.<\/li>\n<li>For <em>Subscription<\/em>, select your subscription.<\/li>\n<li>For <em>Service<\/em>, select <strong>My Services<\/strong>, then select <strong>Cosmos DB<\/strong>.<\/li>\n<li>For <em>Resource<\/em>, select your Azure Cosmos DB account.<\/li>\n<li>For <em>Problem type<\/em>, select <strong>Security<\/strong>.<\/li>\n<li>For <em>Problem subtype<\/em>, select <strong>How-to<\/strong>.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2022\/03\/tls-root-support-request.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-4051\" src=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2022\/03\/tls-root-support-request.jpg\" alt=\"Image tls root support request\" width=\"765\" height=\"611\" srcset=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2022\/03\/tls-root-support-request.jpg 765w, https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2022\/03\/tls-root-support-request-300x240.jpg 300w\" sizes=\"(max-width: 765px) 100vw, 765px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h4>Learn more<\/h4>\n<p>This change impacts all Azure services. For details about specific services, read the <a href=\"https:\/\/docs.microsoft.com\/azure\/security\/fundamentals\/tls-certificate-changes\" target=\"_blank\" rel=\"noopener\">technical documentation<\/a>.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs).  
Follow these steps to see if your application is affected, and update your TLS certificates to prevent disruption to your Azure Cosmos DB account. <\/p>\n","protected":false},"author":13778,"featured_media":61,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[12,667],"tags":[],"class_list":["post-4046","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcements","category-security"],"acf":[],"blog_post_summary":"<p>Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs).  Follow these steps to see if your application is affected, and update your TLS certificates to prevent disruption to your Azure Cosmos DB account. <\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/4046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/users\/13778"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/comments?post=4046"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/4046\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media\/61"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media?parent=4046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/categories?post=4046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp
-json\/wp\/v2\/tags?post=4046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}