Azure Site Recovery - TLS Certificate Changes
Published date: October 13, 2020
Microsoft is updating Azure services to use Transport Layer Security (TLS) certificates from a different set of Root Certificate Authorities (CAs). We're making this change because the current CA certificates don't comply with one of the CA/Browser Forum Baseline requirements. Azure Site Recovery service endpoints will be updated in a phased transition across all public regions beginning on October 16 2020, and completing by October 26, 2020.
Will this change affect me?
This change will affect connectivity from on-premises configuration server/process servers (for physical/VMware VM replication), and from Hyper-V host servers/System Center VMM servers, to the Azure Site Recovery service. After the update, replication won't work as expected in the following scenarios:
- If you're connecting to Site Recovery using Azure Private Links.
- If you have an environment where firewall rules only allow outbound calls to specific Certificate Revocation List (CRL) download locations, and/or to Online Certificate Status Protocol (OCSP) verification locations.
- Connectivity is needed to these CRL and OSCP URLs:
What should I do?
- If your environment allows access to the URLs above, no action is needed.
- If you already completed the required actions based on prior instructions, no further action is needed.
- If your environment doesn't allow access to the URLs, consider allowing temporary access. This enables the Site Recovery configuration server/process server (VMware/physical machine replication), or Hyper-V host servers/VMM servers, to automatically update certificates once the update is available in your region. After the update you can turn off access to the URLs.
- If your environment doesn't allow access and you don't want to enable temporary access, then follow these steps to manually install certificates on the relevant servers. You don't need to do anything on replicated machines.