Hey You
Microsoft did it again. On November 25th, I opened my inbox, minding my own business, drinking my coffee (Irish of course), ready for a normal day…

… and then I saw it:

Great… fantastic… I love chaos before 09:00.

But… before we start rewriting our entire cloud architecture… RELAX.
Let me break down what this actually means, why Microsoft is doing this, who’s impacted and how to figure out if YOU need to take action… or if you can safely keep scrolling LinkedIn instead.
So… what is happening?
Starting January 2026, Azure will begin rolling out new Subordinate Certificate Authorities (Sub CAs) used by the Azure Instance Metadata Service (IMDS).
The current Sub CAs expire in April 2026.
This affects all Azure Clouds… commercial, government, national cloud… EVERYTHING!!! As confirmed in the official Microsoft blog.
But here’s the important part straight from the email:
Most customers don’t need to take action

Translation: If your application does NOT use certificate pinning… you can chill. If it DOES… well… welcome to the 5% Club of Pain.
Why is Microsoft doing this?
2 big reasons…
1. Browser root store changes
On April 15, 2026, Chrome and Firefox will distrust the DigiCert Global Root G1. So Microsoft must rotate to new roots and intermediates.
2. Certificate lifetime reduction
IMDS certificates are moving from 180-day to 100-day lifetimes. More secure, more rotation… more chances something breaks at 3 AM.

Yay…
Here’s the ONLY question that matters: Do you use certificate pinning?
If yes => you MUST update your certificate list before January 2026.
If not => you can ignore this entire blog… but read it anyway because we both know you’re curious.
The Certificate Pinning doc explains it clearly: Certificate pinning happens when developers hardcode or restrict trusted certificates to things like:
- Thumbprints
- Serial numbers
- Subject Distinguished Names
- Common Names
- does this list still keep going?
- Public keys
- Intermediate CA lists
- Custom Trust stores
- Anything that says “ONLY accept THESE certificates”
If you do ANY of that… you’re impacted. If your app just trusts the OS root store => you’re fine.
The new certificate list (a.k.a. “The table of DOOM”)
Microsoft published a MASSIVE (that’s what she said) list of new and existing CA certificates used across Azure services. It includes:
- New intermediates
- Removed intermediates
- Root CAs
- OCSP responders
- Regional changes
- Historical rotations going back to 2023
If you rely on pinned intermediates => you must add ALL new ones from that list. If you pinned only root CAs, you’re probably safe… but… still double check.
Timeline (IMPORTANT!!!)
Microsoft’s rollout goes like this:
- January 6, 2026 => East US 2 EUAP, Central US EUAP, West Central US, East Asia
- January 23, 2026 => UK South
- February 1, 2026 => All remaining regions
All clouds finish rotation by April 2026, when old Sub CAs expire.
If your app uses certificate pinning: Here’s what you must do
Based on Microsoft’s guidance:
1. Scan your code
Search for:
- Hardcoded thumbprints
- Serial numbers
- CN/SAN checks
- Public key pinning
- Custom CA bundles
- Intermediate CA references
If ANY appear => you pin certificates
2. Add ALL new Sub CAs
From the CA list. Not just the ones you see today. ALL of them.
3. Keep both old and new CAs until April 2026
This is explicitly required to avoid downtime.
4. Update your trust store
For:
- Windows
- Linux (/etc/ssl/certs)
- Java (use keytool command)
5. Add fallback logic
Microsoft even recommends it:
Create fallback logic to minimize future impact

You’ll thank yourself later.
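Step 1 is the one most people get stuck on, so here is a small heuristic scanner for it. This is an added example, not code from the original post or from Microsoft’s guidance; the regexes are my own assumptions based on the indicators listed above, and the sample snippet it scans is constructed.

```python
"""Heuristic scan for certificate-pinning indicators (added example,
not code from the original post or from Microsoft's guidance).
The regexes are my assumptions based on the post's list; a hit means
"review this line", not proof that the code pins certificates."""
import re
from pathlib import Path

# One regex per indicator the post tells you to search for.
PIN_INDICATORS = [
    ("thumbprint", re.compile(r"\b(?:[0-9a-f]{40}|[0-9a-f]{64})\b", re.I)),
    ("serial_number", re.compile(r"\bserial_?number\b", re.I)),
    ("cn_san_check", re.compile(r"\bCN=|subject_?alt_?name|common_?name", re.I)),
    ("public_key_pin", re.compile(r"pin-sha256|sha256/[A-Za-z0-9+/]{43}=|Public-?Key-?Pins", re.I)),
    ("custom_ca_bundle", re.compile(r"\bca_?bundle\b|REQUESTS_CA_BUNDLE|SSL_CERT_FILE|verify\s*=\s*['\"][^'\"]+\.(?:pem|crt)['\"]", re.I)),
    ("intermediate_ca", re.compile(r"\bintermediate\b.{0,40}\bCA\b|\bsub[ -]?CA\b", re.I)),
]

def scan_text(text, source="<inline>"):
    """Return (indicator, line_number, source) for every line that matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PIN_INDICATORS:
            if pattern.search(line):
                findings.append((label, lineno, source))
    return findings

def scan_tree(root, suffixes=(".py", ".cs", ".java", ".go", ".js", ".ps1", ".yaml", ".json")):
    """Walk a source tree and scan every file with a code-like suffix."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed sample (not real code): pins an intermediate by thumbprint,
# ships a custom CA bundle and hard-checks the issuer's common name.
SAMPLE = """\
import requests
PINNED_THUMBPRINT = "3e0f37e2a2f6b9c1d4a5f6e7b8c9d0e1f2a3b4c5"  # intermediate CA, hardcoded
resp = requests.get(IMDS_URL, verify="/opt/certs/azure-ca-bundle.pem")
if issuer.common_name != "Example Issuing CA 01":  # placeholder issuer name
    raise RuntimeError("unexpected issuer")
"""

if __name__ == "__main__":
    for label, lineno, src in scan_text(SAMPLE, "sample.py"):
        print(f"{src}:{lineno}: possible pinning ({label})")
```

Run `scan_tree("path/to/repo")` against your own code; every hit is a line to review against the rest of the steps above, not an automatic verdict.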
If you do NOT use certificate pinning
Congratulations. You belong to the lucky 95%. Your workload will continue to function normally, and Microsoft’s own words apply:
You can ignore this message
Close this tab. Drink your coffee. Finish your day in peace.
Should you STOP using certificate pinning?
Short answer? YES!
Microsoft says it plainly in the pinning doc:
We recommend discontinuing certificate pinning
Pinning is fragile in 2025 and later. Intermediates rotate often… roots change… OCSP responders shit… (I meant to write shift… after rereading this part I actually laughed a bit… So… I’m keeping it)… You become the weakest link in your own architecture.
If you MUST pin => pin only the root CA. Pinning intermediates is a one-way ticket to outage-ville.
TL;DR
- Azure IMDS is changing its TLS certificate in January 2026.
- Old Sub CAs expire in April 2026
- 95% of customers don’t need to do anything
- If you pin certificates => update your CA list NOW!
- Pinning is discouraged
- Timeline varies by region
- You’re probably fine… unless you’re not
Final Thoughts
These certificate rotations aren’t sexy. They don’t involve AI… no CoPilot… They don’t even involve YAML (thank god).
But they DO affect production workloads… quietly, suddenly and usually on a Friday afternoon.
So do the one thing future you will thank you for:
- Check your app
- Update your CAs if needed
- And if you can… stop certificate pinning altogether
Thanks for reading.
Cheers,
Engin
Excellent write up, thank you. Any helpful tips on ways to determine if cert pinning is actually in use anywhere within the subscription?
Yes, there are excellent scripts provided by many professionals on GitHub. I was planning on creating one but I know that this one is a good one: https://gist.github.com/JeffWouters/52ddc5809dd6962ae899e8ba112e1349