Skip to content

Commit c38293b

Browse files
prmerger-automator[bot]prmerger-automator[bot]
authored
Merge pull request #225440 from kgremban/jan27-msftca
Add third certificate to migration guidance
2 parents 18deb9c + 258c054 commit c38293b

File tree

1 file changed

+3
-3
lines changed

1 file changed

+3
-3
lines changed

articles/iot-hub/migrate-tls-certificate.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ manager: lizross
77
ms.service: iot-hub
88
services: iot-hub
99
ms.topic: conceptual
10-
ms.date: 12/21/2022
10+
ms.date: 01/27/2023
1111
---
1212

1313
# Migrate IoT Hub resources to a new TLS certificate root
@@ -36,9 +36,9 @@ This TLS certificate migration is critical for the security of our customers and
3636

3737
To prepare for the migration, take the following steps before February 2023:
3838

39-
1. Keep the Baltimore CyberTrust Root in your devices' trusted root store and add the DigiCert Global Root G2. You can download both certificates from the [DigiCert trusted root authority](https://www.digicert.com/kb/digicert-root-certificates.htm).
39+
1. Keep the Baltimore CyberTrust Root in your devices' trusted root store. Add the DigiCert Global Root G2 and the Microsoft RSA Root Certificate Authority 2017 certificates to your devices. You can download all of these certificates from the [Azure Certificate Authority details](../security/fundamentals/azure-CA-details.md).
4040

41-
It's important to have both certificates on your devices until the IoT Hub and DPS migrations are complete. Keeping the Baltimore CyberTrust Root ensures that your devices will stay connected until the migration, and adding the DigiCert Global Root G2 ensures that your devices will seamlessly switch over and reconnect after the migration.
41+
It's important to have all three certificates on your devices until the IoT Hub and DPS migrations are complete. Keeping the Baltimore CyberTrust Root ensures that your devices will stay connected until the migration, and adding the DigiCert Global Root G2 ensures that your devices will seamlessly switch over and reconnect after the migration. The Microsoft RSA Root Certificate Authority 2017 helps prevent future disruptions in case the DigiCert Global Root G2 is retired unexpectedly.
4242

4343
2. Make sure that you aren't pinning any intermediate or leaf certificates, and are using the public roots to perform TLS server validation.
4444

0 commit comments

Comments
 (0)