|
|
SSL root certificates are the core of the SSL chain of trust . CAs use them to issue server certificates to end users. Browsers and applications include root certificates in their installation package and can quickly revoke them during security incidents. CAs replace root certificates well before they expire.
Certificate authorities store keys in hardware security modules to protect root certificates from theft. Moreover, the physical computing device is kept in a locked vault with steel doors and security. Unlike commercial certificates, root certificates have a much longer lifespan.
When a root certificate is about to expire, CAs will notify customers in advance, as Microsoft recently did. In a brief notice, the tech giant told users that certificates associated with Microsoft 365 Services will expire in 2025.
Microsoft intends to replace expiring certificates with another set of roots, namely “DigiCert Global Root G2”.
DigiCert holds 58% of the EV SSL certificate market share and 95% of OV certificates worldwide. The most innovative companies, including Fortune and the world's leading banks, use DigiCert to protect sensitive data. DigiCert SSL certificates trace their roots back to the original VeriSign root certificates, first introduced 25 years ago.
The transition to alternate root CAs for Microsoft 365 services has already begun. It began in January 2022 and will continue through October 2022, giving app makers and users ample time to cope with the upcoming certificate replacement.
While this transition shouldn’t impact most mobile app development service organizations, there is a possible exception for application developers that use certificate pinning. Certificate pinning limits the number of certificates that are valid for a given website, limiting risk. Instead of allowing any trusted certificate, administrators “pin” certificate authorities, public keys, or even end-user certificates of their choosing. Such operators may encounter “certificate validation errors” after May 2025.
Microsoft has released a detailed document outlining the potential impact of the validation error on applications and providing advice to organizations using these applications.
“If you are using an application that is integrated with Microsoft Teams, Skype, Skype for Business Online, or the Microsoft Dynamics API and you are not sure whether it uses certificate binding, check with the application vendor,” the document says.
The best way to prepare for a root authority change is to update your source code to reflect the properties of the new CAs. Microsoft emphasizes that adding CAs or editing them as soon as possible is a governance best practice.
If you use one of the Microsoft services affected by the expiring root certificate, now is the time to prepare for the upcoming changes.
|
|
發表於 2024-11-7 18:44:31