Hey there, Embbeded System Developer
What is the official, up-to-date list of root CA certificates that we can trust for device connections to Azure services (especially Event Grid)?
I would say the official, up-to-date list would be included in the article you have referenced. These Learn articles are constantly updated to reflect changes that have been made.
Do you have an official channel (email, RSS, update feed, changelog page) to announce changes or additions to this list of certificates (CA rotation, addition of new roots)?
When you look at the article you have referenced, it does have a section called 'Past changes' that the team who make changes to the article use to reflect what changes they have made. You can jump straight to this section by following this link: https://free.blessedness.top/en-us/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list#past-changes
In other services on Azure, you get a banner that informs you of any major changes. It may be worth keeping an eye on that article and the Azure portal to check if there are any changes that are being implemented.
Do you allow or recommend that customers use certificate pinning based on this root CA list https://free.blessedness.top/en-us/azure/security/fundamentals/azure-ca-details?
This depends on the type of application you are developing and how you want it to be accessed. There is an article here about certificate pinning: https://free.blessedness.top/en-us/azure/security/fundamentals/certificate-pinning
I think really, this would be down to individual developers. Some may agree with certificate pinning, others may not. For me, when reading into this, there are built-in techniques where the system/browser does this automatically and blocks other certificates that are not the most recent certificate. So, with this being the case, I would have thought certificate pinning by the developer was not needed. However, other folk may have their own thoughts about this, as I am just learning myself.
Hope this is helpful,
Nathan