search cancel

Microsoft 365 Services Getting Root Certificate Authority Switch in 2025

book

Article ID: 238145

calendar_today

Updated On:

Products

Data Loss Prevention Core Package

Issue/Introduction

Microsoft gave notice recently (March 2022)  that currently used Transport Layer Security (TLS) certificates associated with Microsoft 365 services and Azure Communication Services "will expire in May 2025."

In place of these expiring certificates, Microsoft is updating its services to use "TLS certificates from a different set of Root Certificate Authorities" (CAs). The announcement specifically named "DigiCert Global Root G2" as one of the CAs getting favored. It's said to be "widely trusted by operating systems including Windows, macOS, Android, and iOS and by browsers such as Microsoft Edge, Chrome, Safari, and Firefox."

The switchover to these alternative Root CAs for Microsoft 365 services is an ongoing process that began "in January 2022 and will continue through October 2022," Microsoft indicated.

Meanwhile, Microsoft wants application builders, as well as application users, to ensure that they'll be able to handle the coming certificate switch, effective in May 2025.

The switch is not expected to pose issues for most organizations, although there's a possible exception in cases when app developers used a so-called "certificate pinning" approach. Certificate pinning occurs when developers had specified a list of acceptable CAs for an application. In such cases, there could be "certificate validation errors" after the May 2025 date.

Reference: Microsoft 365 Services Getting Root Certificate Authority Switch in 2025 -- Redmondmag.com

 

Cause

This issue will need to be reviewed by PM and Engineering to determine what remedial steps may need to be actioned, however prima facie it is likely to involve changes to the following....

  • Any services using Java (JRE in older DLP installs, OpenJDK in 15.8 +) will need to have any new Global Root CAs added to their CACerts files.
  • For customers of the DLP Cloud Services, where the Enforce Server connects to the Cloud Service Gateway (CSG), you would also have to add such a new Global Root CA to the "enforce_truststore.jks" file (there are 2, actually, but it's the one in the "%ProgramFiles%" directory which allows the Enforce Server to establish trust in the CSG).

... that said this change is far enough in the future that not only will some of our currrent releases (e.g., 15.7) no longer be supported in 2025 - but the newer releases (16.0+) will be developed to work with the latest versions of Java (via the OpenJDK) so that any new Global Root CAs are likely to be part of the installers going forward.

Resolution

At this time we should advise customers that no immediate action is required and that the issue is under reviewing by our DLP Product Management team, if changes and/or updates will be required to the customer current DLP installations then Broadcom support will actively reach out and communicate this information to customers well in advance of the cut over date.