Review Azure Services Certificate Authorities

February 12, 2021 Posted by: Louis Baetens

EXPERTUM TECH ALERT - Azure is updating their services to use Transport Layer Security (TLS) certificates from a different set of Root Certificate Authorities (CAs).

If you are using an azure PAAS/SAAS solution your applications may be impacted if you explicitly specify a list of acceptable CAs (a practice known as certificate pinning). Amongst these applications it could also impact SAP systems which communicate with Azure PAAS/SAAS solutions.

Azure is making this change because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. This was reported back in 2020 and impacts multiple popular Public Key Infrastructure (PKI) providers worldwide. Today, most of the TLS certificates used by Azure services are issued from the Baltimore CyberTrust Root PKI. Following this change, Azure services will use certificates issued by a different set of CAs (Certificate Authorities), chaining up to different Root CAs.

Please Review Microsofts documentation which describes how to check if your application is impacted, and how to mitigate it. It includes the list of all the CA’s that you must trust when using Azure services.

If you have questions, do not hesitate to contact our support team at

Louis Baetens