Azure/azure-sdk-for-c

Baltimore CyberTrust Root CA Migration

Tintin4000 opened this issue · 1 comment

I have been notified by the Microsoft Azure team that the Baltimore certificate will be retiring in favour of DigiCert Global G2 Root. Is this something that you are planning to do to avoid any disruption of service?

CIPop commented

That is correct: we made the announcement in 2021 (e.g., see pinned issue #1777 at https://github.com/Azure/azure-sdk-for-c/issues).

All devices must have the ability to upgrade any component part of the secure communication with our services to ensure continuous connectivity:

1. Information used to authenticate the remote Azure servers:
   1. Certification Authorities such as Baltimore, DigiCert and Microsoft RSA CA.
   2. Azure Device Update Root Keys
2. Information used to authenticate the device (to Azure servers) - we always recommend having at least a backup (primary/secondary):
   1. Shared Access Keys (used for SAS)
   2. X.509 certificate
3. TLS stack configuration (e.g. buffer sizes unless they are configured to the RFC defaults) or cipher-suites

In the absence of a continuous connection for firmware updates (e.g. the device is shelved, or communications are unavailable for very long periods of time), we provide a reference implementation of a device recovery service that can be hosted on Azure services:

https://github.com/Azure-Samples/iot-middleware-freertos-samples/tree/main/demos/projects/ESPRESSIF/az-ca-recovery