How to mitigate the Microsoft 365 Certificate Authority CA changes

Case

Microsoft’s root CA “Baltimore CyberTrust Root” available at https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt as well as intermediate CAs Microsoft RSA TLS CA 01 and Microsoft RSA TLS CA 02 will be retired by October 2022.

The above root CA and intermediate CAs will be replaced by new root CA and intermediate CA authorities. For example, one new major root CA will be DigiCert Global Root G2.

The following endpoints are covered by the retired root CA and are expected to be impacted by this change:

  • *.teams.microsoft.com
  • *.skype.com
  • *.skypeforbusiness.com
  • *.groupme.com
  • *.communication.azure.com
  • *.operatorconnect.microsoft.com

This change will not affect certificates, domains, or services used in the China or Germany national cloud instances of Microsoft 365.

You need to determine if you will be impacted by this change and if so, to mitigate the Microsoft 365 Certificate Authority CA changes.

Solution

You must carry out the following steps to mitigate the Microsoft 365 Certificate Authority CA changes:

  • Determine if your infrastructure and configuration will be impacted by this change or not. Your application will be impacted if it explicitly specifies a list of acceptable CAs. This is know as “certificate pinning”. You must add the new root and intermediate CAs in your list of acceptable CAs, otherwise you will receive certificate validation errors and your infrastructure or application may not function properly.
  • If your environment is impacted by the change then check the following areas for more details.
  • In your firewall, allow the following Certificate Revocation List and Online Certificate Status Protocol URLs:
      • http://crl3.digicert.com
      • http://crl4.digicert.com
      • http://ocsp.digicert.com
      • http://crl.microsoft.com
      • http://oneocsp.microsoft.com
      • http://ocsp.msocsp.com
      • http://www.microsoft.com/pkiops
  • Check your Linux, Java, Android, IoT and offline Windows environments to ensure that they trust the new root CA and intermediate CA authorities. An example in the case of Ubuntu Linux is shown below.
  • Check your application source code and configuration for dependencies or hard-coded properties referencing the old Microsoft 365 root and intermediate CAs. In such cases, where the software application overrides the standard operating system certificate validation and management, application re-configuration or re-coding may be needed.

Review the following Microsoft article for more details:

https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption-office-365-tls-certificates-changes?view=o365-worldwide

Was this article helpful?

Related Articles