Merge pull request #211741 from v-amallick/Sept-19-2022-TLS

v-ccolin · web-flow · commit 5d5389ecc562 · 2022-09-20T11:20:33.000+01:00
TLS updates
diff --git a/articles/backup/transport-layer-security.md b/articles/backup/transport-layer-security.md
@@ -2,7 +2,7 @@
 title: Transport Layer Security in Azure Backup
 description: Learn how to enable Azure Backup to use the encryption protocol Transport Layer Security (TLS) to keep data secure when being transferred over a network.
 ms.topic: conceptual
-ms.date: 11/01/2020
+ms.date: 09/20/2022
 ---
 
 # Transport Layer Security in Azure Backup
@@ -52,6 +52,27 @@ The following registry keys configure .NET Framework to support strong cryptogra
     "SchUseStrongCrypto" = dword:00000001
 ```
 
+## Azure TLS certificate changes
+
+Azure TLS/SSL endpoints now contain updated certificates chaining up to new root CAs. Ensure that the following changes include the updated root CAs.  [Learn more](../security/fundamentals/tls-certificate-changes.md#what-changed) about the possible impacts on your applications.
+
+Earlier, most of the TLS certificates, used by Azure services, chained up to the following Root CA:
+
+Common name of CA | Thumbprint (SHA1)
+--- | ---
+[Baltimore CyberTrust Root](https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt) | d4de20d05e66fc53fe1a50882c78db2852cae474
+
+Now, TLS certificates, used by Azure services, helps to chain up to one of the following Root CAs:
+
+Common name of CA | Thumbprint (SHA1)
+--- | ---
+[DigiCert Global Root G2](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt) | df3c24f9bfd666761b268073fe06d1cc8d4f82a4
+[DgiCert Global Root CA](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt) | a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
+[Baltimore CyberTrust Root](https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt)| d4de20d05e66fc53fe1a50882c78db2852cae474
+[D-TRUST Root Class 3 CA 2 2009](https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt) | 58e8abb0361533fb80f79b1b6d29d3ff8d5f00f0
+[Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt) | 73a5e64a3bff8316ff0edccc618a906e4eae4d74
+[Microsoft ECC Root Certificate Authority 2017](https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt) | 999a64c37ff47d9fab95f14769891460eec4c3c5
+
 ## Frequently asked questions
 
 ### Why enable TLS 1.2?
@@ -67,7 +88,7 @@ The highest protocol version supported by both the client and server is negotiat
 For improved security from protocol downgrade attacks, Azure Backup is beginning to disable TLS versions older than 1.2 in a phased manner. This is part of a long-term shift across services to disallow legacy protocol and cipher suite connections. Azure Backup services and components fully support TLS 1.2. However, Windows versions lacking required updates or certain customized configurations can still prevent TLS 1.2 protocols being offered. This can cause failures including but not limited to one or more of the following:
 
 - Backup and restore operations may fail.
-- Backup components connections failures with error 10054 (An existing connection was forcibly closed by the remote host).
+- The backup components connections failures with error 10054 (An existing connection was forcibly closed by the remote host).
 - Services related to Azure Backup won't stop or start as usual.
 
 ## Additional resources
