Microsoft notification of new Microsoft certificates

Michael Gagnon 10 Reputation points
2025-02-18T16:31:24.9433333+00:00

We recently had an issue with our application when Microsoft deployed a new certificate. You can see in the entries below that the second certificate, which caused our issue, has a validation period that starts in Jan '25. To avoid this in the future I am wondering if Microsoft has a service that will notify customers when new certificates are going to be deployed. This would allow customers time to update their keystores before the new certificate is deployed.

Thanks

Alias name: microsoftonline
Owner: CN=stamp2.login.microsoftonline.com, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Serial number: 3ea0c2445f56090adaf3163e9ed1f23
Valid from: Mon Jun 10 00:00:00 UTC 2024 until: Tue Jun 10 23:59:59 UTC 2025
Certificate fingerprints:
SHA1: 45:E7:24:71:44:6B:F0:85:FE:F8:B1:E0:56:32:0C:F3:20:88:2B:55

Alias name: microsoftonline2
Owner: CN=stamp2.login.microsoftonline.com, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Serial number: da2aaaa4ca416e53dcbf92adfb13852
Valid from: Sun Jan 26 00:00:00 UTC 2025 until: Sat Jul 26 23:59:59 UTC 2025
Certificate fingerprints:
SHA1: 04:EE:D7:7A:98:C7:CA:A2:2F:FD:B7:AD:83:83:CF:3D:7A:6E:A9:4F


1 answer
HenryMai-3878 6,585 Reputation points Independent Advisor
2025-09-25T10:06:32.6766667+00:00

Hello Michael, I am Henry and I want to share some thoughts about your concern.

To directly answer your question, I will answer No, Microsoft does not offer a direct notification service for the routine rollover of public-facing TLS/SSL certificates for its services like login.microsoftonline.com.

The issue you encountered is a direct result of certificate pinning, where your application is configured to trust a specific leaf certificate's thumbprint or serial number. The industry-standard and recommended best practice is to trust the root Certificate Authority (CA) and validate the certificate chain, not to pin the specific end-entity certificate.

Microsoft services use certificates from a set of approved CAs. As long as your application's keystore trusts the root CA (in this case, from DigiCert), it should automatically trust any new leaf certificates issued by that authority. This approach avoids service disruption during routine certificate renewals.

Instead of subscribing to notifications, the solution is to modify your application's validation logic:

1. Remove the pinned leaf certificate from your application's trust store or configuration.
2. Ensure your application trusts the root CAs that Microsoft services use.
3. Verify that your application correctly performs certificate chain validation up to a trusted root anchor.

Microsoft provides official guidance on this topic and lists the Certificate Authorities that its services use. You should ensure your application trusts the root CAs listed in the following documentation.

Hope this clears things up! If you find this guidance helpful, you're welcome to click 'Accept Answer'—it helps others find useful solutions too.

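An added example, not part of the answer above or of any Microsoft tooling, of the audit that step 1 of the answer implies: it parses a `keytool -list -v` listing and flags every alias whose Owner differs from its Issuer, i.e. a leaf or intermediate certificate imported as a trust anchor, plus anything expiring within a given window. The sample listing is constructed from the two entries in the question plus a hypothetical self-signed root; `Example Root CA` and the alias `exampleroot` are placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two leaf entries from the question plus a hypothetical
# self-signed root ("Example Root CA" is a placeholder, not a real CA).
KEYTOOL_OUTPUT = """\
Alias name: microsoftonline
Owner: CN=stamp2.login.microsoftonline.com, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Valid from: Mon Jun 10 00:00:00 UTC 2024 until: Tue Jun 10 23:59:59 UTC 2025

Alias name: microsoftonline2
Owner: CN=stamp2.login.microsoftonline.com, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Valid from: Sun Jan 26 00:00:00 UTC 2025 until: Sat Jul 26 23:59:59 UTC 2025

Alias name: exampleroot
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Fri Jan 01 00:00:00 UTC 2038
"""
KEYTOOL_DATE = "%a %b %d %H:%M:%S UTC %Y"          # keytool's date layout
QUESTION_DATE = datetime(2025, 2, 18, tzinfo=timezone.utc)  # date the question was posted

def _field(block, name):
    m = re.search(rf"(?m)^{name}: (.+)$", block)
    return m.group(1).strip() if m else None

def parse_keytool(text):
    """One dict per alias; tolerates the extra lines real -v output carries."""
    entries = []
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        until = re.search(r"(?m)^Valid from: .+ until: (.+)$", block).group(1).strip()
        entries.append({"alias": block.split("\n", 1)[0].strip(),
                        "owner": _field(block, "Owner"), "issuer": _field(block, "Issuer"),
                        "not_after": datetime.strptime(until, KEYTOOL_DATE).replace(tzinfo=timezone.utc)})
    return entries

def pinned_leaf_aliases(entries):
    # Owner != Issuer means a leaf or intermediate was imported as an anchor;
    # it breaks the moment the server rotates, exactly as in the question.
    return [e["alias"] for e in entries if e["owner"] != e["issuer"]]

def expiring_within(entries, now, days):
    return [e["alias"] for e in entries if e["not_after"] <= now + timedelta(days=days)]

if __name__ == "__main__":
    entries = parse_keytool(KEYTOOL_OUTPUT)
    print("pinned leaves to remove:", pinned_leaf_aliases(entries))
    print("expiring within 180 days:", expiring_within(entries, datetime.now(timezone.utc), 180))
```

Pipe real `keytool -list -v -keystore <file>` output into `parse_keytool` to find the same class of entry in your own truststore; a truststore that holds only self-signed roots is what the answer's steps 2 and 3 leave behind.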
