
Internet of Things Blog

Azure Sphere – Certificate store update

AzureSphereTeam
Feb 05, 2025

Azure Sphere is updating the set of certificates it uses to establish trust with TLS endpoints, following best practices for security.

Update 26 February 2025: We have released an update that all devices, on both the Retail and Retail Eval feeds, will install and then reboot. This update does not change the OS version.

The only impact on production devices is that they will reboot when we release the new certificate store to them, similar to the reboot during an OS update or an update to the trusted key store.


What is a certificate store used for, and why update it? 

Azure Sphere devices store a public root certificate like any device or browser would to establish an HTTPS connection with an endpoint that is signed with a publicly trusted certificate. The Azure IoT platform transitioned from the Baltimore CyberTrust Root to DigiCert Global Root G2. These certificates are primarily intended for establishing connections to Azure IoT services, such as the Device Provisioning Service and IoT Hub, but are also useful for apps connecting to any HTTPS service that chains up to these same public trust certificates.

While Azure IoT transitioned to DigiCert Global Root G2, the Baltimore CyberTrust Root certificate has remained valid, and has been included in the Azure Sphere certificate store for compatibility. Certificate management is a strength of the Azure Sphere platform, as this is managed by Microsoft on your behalf. However, this certificate is expiring on May 12th 2025, and removing it from the certificate store is a best practice to prevent connectivity to improperly configured web services relying on expired certificates.


When is this happening? 

The next update to the image signing certificate is targeted for February 26th 2025. When that happens, all HTTPS attempts to services using the Baltimore CyberTrust Root will cease to function. Azure IoT services have already transitioned to the DigiCert Global Root G2, along with Azure Sphere services, so this should not impact any Microsoft-managed connectivity. However, it is good practice to audit all app endpoint targets prior to this rollout to ensure that no service your app targets still relies on the Baltimore CyberTrust Root certificate. If you do have a dependency and would like to request an extension for this update, please contact us at AZSPPGSUP@microsoft.com.


After this update is released, the next time that each Azure Sphere device checks for updates (or up to 24 hours later if using the update deferral feature), the device will apply the certificate store update and reboot. The certificate store update is independent of an OS update, and it applies to devices on both the retail and retail-eval feeds.


Do I need to take any action? 

No action is required for production-deployed devices; however, we recommend auditing all services specific to your app that might utilize the Baltimore CyberTrust Root certificate.
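The audit recommended above, as an added example that is not Azure Sphere or Microsoft code: it walks a served certificate chain (each certificate in the dict format Python's ssl.SSLSocket.getpeercert() returns) from the leaf to the self-signed root and flags endpoints that are still anchored on Baltimore CyberTrust Root or on a root that has already expired. The chains below are constructed sample data, and the intermediate CA names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

RETIRED_ROOT_CN = "Baltimore CyberTrust Root"   # root being dropped from the Azure Sphere store

def _cn(name):
    """commonName from a getpeercert()-style name: a tuple of RDNs, each a tuple of (key, value)."""
    return dict(kv for rdn in name for kv in rdn).get("commonName")

def find_root(chain):
    """Follow issuer links from the leaf (chain[0]) to the self-signed root, or None if absent."""
    by_subject = {_cn(c["subject"]): c for c in chain}
    cert = chain[0]
    for _ in range(len(chain)):            # bounded: a malformed issuer loop cannot spin forever
        subject, issuer = _cn(cert["subject"]), _cn(cert["issuer"])
        if issuer == subject:              # self-signed: this is the root
            return cert
        if issuer not in by_subject:       # the server did not send the root
            return None
        cert = by_subject[issuer]
    return None

def audit_chain(chain, now=None):
    """Return (root_cn, problem); problem is None when the endpoint survives the store update."""
    now = now or datetime.now(timezone.utc)
    root = find_root(chain)
    if root is None:
        return None, "root not in served chain; check the issuer manually"
    root_cn = _cn(root["subject"])
    if root_cn == RETIRED_ROOT_CN:
        return root_cn, "chains to Baltimore CyberTrust Root; fails after the store update"
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(root["notAfter"]), timezone.utc)
    if expiry <= now:
        return root_cn, "root certificate has expired"
    return root_cn, None

def _cert(subject, issuer, not_after):
    """Build a constructed getpeercert()-style dict (sample data, not a real capture)."""
    return {"subject": ((("commonName", subject),),),
            "issuer": ((("commonName", issuer),),), "notAfter": not_after}

# Constructed sample chains: one still anchored on the retired root, one on DigiCert Global Root G2.
OLD_CHAIN = [_cert("device-api.example.com", "Example Issuing CA", "Jun 01 00:00:00 2025 GMT"),
             _cert("Example Issuing CA", RETIRED_ROOT_CN, "Jun 01 00:00:00 2025 GMT"),
             _cert(RETIRED_ROOT_CN, RETIRED_ROOT_CN, "May 12 23:59:00 2025 GMT")]
NEW_CHAIN = [_cert("device-api.example.com", "Example Issuing CA G2", "Jun 01 00:00:00 2026 GMT"),
             _cert("Example Issuing CA G2", "DigiCert Global Root G2", "Jun 01 00:00:00 2030 GMT"),
             _cert("DigiCert Global Root G2", "DigiCert Global Root G2", "Jan 15 12:00:00 2038 GMT")]
```

On Python 3.13 and later, SSLSocket.get_verified_chain() returns the certificates a live endpoint served, and each object's get_info() yields this same dict format, so audit_chain can be run against real connections from a workstation.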

Updated Feb 26, 2025
Version 2.0