Root SSL certificates are at the core of the SSL chain of trust. Certificate Authorities use them to issue server certificates to end-users. Browsers and apps include root certs in their installation pack and can swiftly revoke them during security incidents. CAs replace root certificates well before they expire.
Certificate Authorities store the keys in hardware security modules to protect root certificates from theft. Moreover, the physical computing device resides in a locked vault with steel doors and guards. Unlike commercial certificates, root certs have a much longer lifespan.
When a root certificate approaches its expiration date, the CAs will notify clients well in advance, just like Microsoft did recently. In a brief notice, the tech giant informed users that certificates associated with Microsoft 365 Services will expire in 2025.
Microsoft intends to replace the expiring certificates with a different set of roots, specifically the “DigiCert Global Root G2.”
DigiCert owns 58% of the EV SSL certificate market share and 95% of OV certificates globally. The most innovative companies, including Fortune, and top global banks, use DigiCert to protect sensitive data. DigiCert SSL roots trace back to the original VeriSign root certificates, first added 25 years ago.
The move to the alternative Root CAs for Microsoft 365 services is already underway. It started in January 2022 and will continue through October 2022. This way, app creators and users have enough time to handle the upcoming certificate replacement.
While the switch should not affect most organizations, there’s a possible exception for app developers who use certificate pinning. Certificate Pinning restricts which certificates are valid for a particular website, limiting risk. Instead of allowing any trusted certificate, admins “pin” the certificate authority, public keys, or even end-entity certificates of their choice. Such operators may face “certificate validation errors” after May 2025.
Microsoft has released a detailed document outlining the potential impacts of a validation error on applications and offering advice to organizations using these apps.
“If you use an application that integrates with Microsoft Teams, Skype, Skype for Business Online, or Microsoft Dynamics APIs and you are unsure if it uses certificate pinning, check with the application vendor,” the document states.
The best way to prepare for the root switch is to update the source code with the new CAs’ properties. Microsoft stressed that being able to add or edit CAs on short notice is a best management practice.
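An added example, not taken from Microsoft's document or from any vendor's code: a pin check that audits a pin set against the chain served before and after a root switch, showing why a pin set holding only the expiring root fails and one that also holds the replacement root does not. The byte strings are constructed stand-ins for DER certificates, and the function names and SHA-256 fingerprint pinning scheme are assumptions.

```python
import hashlib


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def chain_is_pinned(chain_der, pins) -> bool:
    """True if any certificate in the chain matches a pinned fingerprint.

    Assumption: chain_der is the chain the TLS library already validated.
    Pinning is an extra check on top of normal validation, not a substitute.
    """
    return any(fingerprint(cert) in pins for cert in chain_der)


def rotation_audit(pins, chains) -> dict:
    """For each named chain, report whether the pin set would accept it."""
    return {name: chain_is_pinned(chain, pins) for name, chain in chains.items()}


# Constructed stand-ins for DER bytes; these are NOT real certificates.
OLD_ROOT = b"constructed-expiring-root"
NEW_ROOT = b"constructed-replacement-root"
CHAINS = {
    "before_switch": [b"constructed-leaf-1", b"constructed-intermediate-1", OLD_ROOT],
    "after_switch": [b"constructed-leaf-2", b"constructed-intermediate-2", NEW_ROOT],
}

# Pin set that only knows the expiring root: breaks once the service switches.
PINS_OLD_ONLY = frozenset({fingerprint(OLD_ROOT)})
# Pin set updated ahead of time: old and replacement roots are both accepted,
# so the old pin can be dropped after the switch has completed.
PINS_BOTH = PINS_OLD_ONLY | {fingerprint(NEW_ROOT)}

if __name__ == "__main__":
    for label, pins in (("old root only", PINS_OLD_ONLY), ("old + new root", PINS_BOTH)):
        for chain_name, ok in rotation_audit(pins, CHAINS).items():
            status = "accepted" if ok else "certificate validation error"
            print(f"{label:15} {chain_name:14} {status}")
```

Running the same audit in a build pipeline against the fingerprints of the roots a service has announced flags a stale pin set before the switch reaches production.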
If you’re using one of the Microsoft Services affected by the expiring root certificate, now is the time to prepare for the upcoming change.
Microsoft 365 subscriptions, formerly Office 365, are cloud services offering a wide range of productivity tools and powerful apps that help users and organizations streamline workflows and meet their goals. Boasting enhanced security features and real-time connections, popular programs such as Word, Excel, and PowerPoint are available on the go.