Will your customers be affected by the changes to Microsoft Azure Public Key or Certificate Pinning?

Microsoft Azure is making changes that affect a number of customers using its services. The main change is intended to increase overall security through the implementation of new high-availability certificate authorities; however, it may cause some interruptions in service for some customers. If this affects your own organisation or any of your customers, it’s important to take action to minimise any service interruptions.

Updates from Azure add security

Security is at the heart of Azure’s services, so Microsoft regularly releases new Certificate Authorities (CAs) to ensure optimal security. As older CAs are replaced, organisations must update their applications to ensure they’re always using the latest CAs. You can do this periodically for your customers, and Microsoft always publishes the CAs before they come into use so that changes can be made in advance for the most seamless transition. The newest CAs were revised in July 2016 and Azure begins using them from July 17th this year.

Who will be affected by the changes?

Not all Azure users will be affected by these changes. However, your customers will notice some interruptions during this change if they are currently using public key or certificate pinning for additional security. For other Azure users, this change will be seamless and go unnoticed. Once you’ve identified which of your customers are likely to notice this change, you should prepare them for it in advance.

How can you prepare your customers?

The new update will be rolled out by Azure on July 27th 2017, so it is important to take action before then to minimise the effect of the certificate authority update and ensure your customers maintain the highest availability when using public key or certificate pinning. To avoid interruption, any Azure applications that your customers use will need to be updated prior to the rollout date.

Making updates for your clients

Although the majority of Azure customers will see no impact at all, any of your clients who use static certificate pinning will need to be updated to accept the new CAs, and will need outbound network access opened so that they can reach the OCSP endpoint and new CRL distribution points. Do not remove the old certificates straight away, as the change to the new issuers will be gradual and will renew for each of your customers at different points; it is advisable to remove them before May 7th 2018, when they will expire.
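The pin rollover described above, as an added example (not Microsoft's or Marathon's code): a pin set that accepts both the old and the new issuing CA during the gradual change, stops honouring the old pin on its expiry date, and reports which pins are still being matched. The certificate bytes, labels and function names are constructed for illustration; real pins would be computed from the CA certificates Microsoft publishes.

```python
import hashlib
from datetime import date

def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate: the value a static certificate pin stores."""
    return hashlib.sha256(der).hexdigest()

# Constructed stand-ins for DER certificates; these are NOT real Azure CA certificates.
OLD_CA, NEW_CA = b"constructed-old-issuing-ca", b"constructed-new-issuing-ca"
LEAF_OLD, LEAF_NEW = b"constructed-leaf-from-old-ca", b"constructed-leaf-from-new-ca"

# Hypothetical pin sets: fingerprint -> (label, date the pin stops being honoured).
# 2018-05-07 is the expiry date given in the article; None means no planned retirement.
OLD_ONLY = {fingerprint(OLD_CA): ("old", date(2018, 5, 7))}
ROLLOVER = {**OLD_ONLY, fingerprint(NEW_CA): ("new", None)}

def check_chain(chain, pins, today):
    """Return the label of the first certificate in the chain that matches a
    live pin, or None if the connection must be rejected."""
    for der in chain:
        entry = pins.get(fingerprint(der))
        if entry is None:
            continue
        label, retire_on = entry
        if retire_on is not None and today >= retire_on:
            continue  # expired pin no longer counts as trusted
        return label
    return None

def pins_still_in_use(observed_chains, pins, today):
    """Labels of pins that matched at least one observed chain; an old pin that
    no longer appears here is no longer needed by any endpoint."""
    return {label for chain in observed_chains
            if (label := check_chain(chain, pins, today)) is not None}
```

A client holding only `OLD_ONLY` rejects a chain issued by the new CA, which is the interruption the article warns about; `ROLLOVER` accepts both until the old pin's retirement date.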

If you deal with security and updates to Azure on your customers’ behalf, you can deal with this directly for them; otherwise, if they have an in-house point of contact, information regarding this change should be passed on to them.

If you require any advice or assistance with getting your customers prepared and ready for the changes to Microsoft Azure’s CAs then get in touch with Marathon’s team today on 020 8329 1000 and we will be happy to provide these services to you on a white label basis.
