Skip to main content

Revocation of non-compliant Certificate Authorities potentially impacting customer’s Azure service(s).

Published date: July 14, 2020

Certificate Authority (CA) Browser members recently published reports detailing multiple certificates issued by CA vendors that are used by Microsoft customers, as well as the greater technology community, that were out of compliance with industry standards for publicly trusted CAs. The reports regarding the non-compliant CAs can be found here: 

  1. Bug 1649951
  2. Bug 1650910

As per standard compliance requirements, CA vendors began revoking non-compliant CAs and issuing compliant CAs which require customers to re-issue their certificates. Microsoft is partnering closely with these vendors to minimize the potential impact to Azure Services, however self-issued certificates or certificates used in “Bring Your Own Certificate” (BYOC) scenarios are still at risk of being unexpectedly revoked. 

To check if the certificates utilized by your application have been revoked, reference this DigiCert announcement and the Certificate Revocation Tracker. If your certificates have been revoked, or will be revoked, you will need to request new certificates from the CA vendor utilized in your applications. To avoid your application’s availability being interrupted due to certificates being unexpectedly revoked, or to update a certificate which has been revoked, reference the lists of remediation instructions for the respective Azure service below.

Recommended Action:

API Management

Application Gateway:

Azure App Services:

Azure CDN:

Azure Front Door:

Azure AD Proxy: 

  • App Service
  • API Management
  • Application Gateway
  • Content Delivery Network
  • Azure Front Door (classic)
  • Compliance
  • Management
  • Security