What's New in Azure Cache for Redis

Azure TLS Certificate Change

Microsoft is updating Azure services to use TLS server certificates from a different set of Certificate Authorities (CAs). This change is being rolled out in phases from August 13, 2020 to October 26, 2020 (estimated). Azure is making this change because the current CA certificates don't comply with one of the CA/Browser Forum Baseline Requirements. The problem was reported on July 1, 2020 and applies to multiple popular Public Key Infrastructure (PKI) providers worldwide. Most TLS certificates used by Azure services today chain to the Baltimore CyberTrust Root PKI. The Azure Cache for Redis service will continue to chain to the Baltimore CyberTrust Root. Its TLS server certificates, however, will be issued by new Intermediate Certificate Authorities (ICAs) starting on October 12, 2020.

Note

This change is limited to services in public Azure regions. It excludes sovereign clouds (e.g., China).

Does this change affect me?

We expect that most Azure Cache for Redis customers aren't affected by the change. Your application may be affected if it explicitly specifies a list of acceptable certificates, a practice known as "certificate pinning". If it's pinned to an intermediate or leaf certificate instead of the Baltimore CyberTrust Root, you should take immediate action to change the certificate configuration.

The following table provides information about the certificates that are being rolled. Depending on which certificate your application uses, you may need to update it to prevent loss of connectivity to your Azure Cache for Redis instance.

CA Type: Root
  Current:
    Thumbprint: d4de20d05e66fc53fe1a50882c78db2852cae474
    Expiration: Monday, May 12, 2025, 4:59:00 PM
    Subject Name:
      CN = Baltimore CyberTrust Root
      OU = CyberTrust
      O = Baltimore
      C = IE
  Post Rolling (Oct 12, 2020): Not changing
  Action: None

CA Type: Intermediates
  Current:
    Thumbprints:
      CN = Microsoft IT TLS CA 1
      Thumbprint: 417e225037fbfaa4f95761d5ae729e1aea7e3a42

      CN = Microsoft IT TLS CA 2
      Thumbprint: 54d9d20239080c32316ed9ff980a48988f4adf2d

      CN = Microsoft IT TLS CA 4
      Thumbprint: 8a38755d0996823fe8fa3116a277ce446eac4e99

      CN = Microsoft IT TLS CA 5
      Thumbprint: Ad898ac73df333eb60ac1f5fc6c4b2219ddb79b7
    Expiration: Friday, May 20, 2024 5:52:38 AM
    Subject Name:
      OU = Microsoft IT
      O = Microsoft Corporation
      L = Redmond
      S = Washington
      C = US
  Post Rolling (Oct 12, 2020):
    Thumbprints:
      CN = Microsoft RSA TLS CA 01
      Thumbprint: 703d7a8f0ebf55aaa59f98eaf4a206004eb2516a

      CN = Microsoft RSA TLS CA 02
      Thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75
    Expiration: Tuesday, October 8, 2024 12:00:00 AM
    Subject Name:
      O = Microsoft Corporation
      C = US
  Action: Required

What actions should I take?

If your application uses the operating system certificate store or pins the Baltimore root among others, no action is needed. On the other hand, if your application pins any intermediate or leaf TLS certificate, we recommend that you pin the following roots:

Certificate                                      Thumbprint
Baltimore Root CA                                d4de20d05e66fc53fe1a50882c78db2852cae474
Microsoft RSA Root Certificate Authority 2017    73a5e64a3bff8316ff0edccc618a906e4eae4d74
DigiCert Global Root G2                          df3c24f9bfd666761b268073fe06d1cc8d4f82a4

Tip

Both the intermediate and leaf certificates are expected to change frequently. We recommend not taking a dependency on them. Instead, pin your application to a root certificate, since it rolls less frequently.

To continue to pin intermediate certificates, add the following to the pinned intermediate certificates list; it includes a few additional ones to minimize future changes:

Common name of the CA        Thumbprint
Microsoft RSA TLS CA 01      703d7a8f0ebf55aaa59f98eaf4a206004eb2516a
Microsoft RSA TLS CA 02      b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75
Azure TLS Issuing CA 01      2f2877c5d778c31e0f29c7e371df5471bd673173
Azure TLS Issuing CA 02      e7eea674ca718e3befd90858e09f8372ad0ae2aa
Azure TLS Issuing CA 05      6c3af02e7f269aa73afd0eff2a88a4a1f04ed1e5
Azure TLS Issuing CA 06      30e01761ab97e59a06b41ef20af6f2de7ef4f7b0

If your application validates certificates in code, you will need to modify it to recognize the properties (e.g., Issuer, Thumbprint) of the newly pinned certificates. This extra verification should cover all pinned certificates to be more future-proof.
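The following is an added example (not Microsoft's code) of what "validating in code" against a pin set looks like: it walks the server's PEM chain, computes each certificate's thumbprint (SHA-1 over the DER bytes, as shown in the tables above) and accepts the chain only if some certificate in it is in the pinned set, which defaults to the three roots recommended above. The sample chain at the bottom is constructed from opaque bytes rather than real X.509 data so the check runs offline; the hostnames and CA names in it are placeholders.

```python
import base64
import hashlib
import re

# Root thumbprints recommended on this page (SHA-1 over DER, lowercase hex).
PINNED_ROOT_THUMBPRINTS = {
    "d4de20d05e66fc53fe1a50882c78db2852cae474",  # Baltimore Root CA
    "73a5e64a3bff8316ff0edccc618a906e4eae4d74",  # Microsoft RSA Root Certificate Authority 2017
    "df3c24f9bfd666761b268073fe06d1cc8d4f82a4",  # DigiCert Global Root G2
}
# Retired intermediate from the "Current" column; an app pinned only to this loses connectivity after the roll.
OLD_INTERMEDIATE_THUMBPRINT = "417e225037fbfaa4f95761d5ae729e1aea7e3a42"  # Microsoft IT TLS CA 1

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_chain_to_der(pem_text: str) -> list:
    """Split a PEM bundle (leaf first, as the server sends it) into DER byte strings."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(pem_text)]

def thumbprint(der: bytes) -> str:
    """Thumbprint in the form the Azure portal shows: SHA-1 of the DER encoding, lowercase hex."""
    return hashlib.sha1(der).hexdigest().lower()

def find_pinned(chain_der, pinned) -> str:
    """Return the thumbprint of the first chain certificate found in the pin set, or None."""
    normalized = {p.lower().replace(":", "") for p in pinned}  # tolerate AA:BB:... and upper-case input
    for der in chain_der:
        tp = thumbprint(der)
        if tp in normalized:
            return tp
    return None

def chain_is_trusted(pem_text: str, pinned=PINNED_ROOT_THUMBPRINTS) -> bool:
    """True if any certificate in the presented chain matches a pinned thumbprint."""
    return find_pinned(pem_chain_to_der(pem_text), pinned) is not None

def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed stand-in chain: opaque bytes, not real certificates, so thumbprints are reproducible offline.
SAMPLE_LEAF = b"constructed-leaf:cache.example.invalid"
SAMPLE_ICA = b"constructed-intermediate:placeholder issuing CA"
SAMPLE_ROOT = b"constructed-root:placeholder root CA"
SAMPLE_CHAIN_PEM = _pem(SAMPLE_LEAF) + _pem(SAMPLE_ICA) + _pem(SAMPLE_ROOT)

if __name__ == "__main__":
    print("pinned to chain's root:", chain_is_trusted(SAMPLE_CHAIN_PEM, {thumbprint(SAMPLE_ROOT)}))
    print("pinned to retired ICA: ", chain_is_trusted(SAMPLE_CHAIN_PEM, {OLD_INTERMEDIATE_THUMBPRINT}))
```

In a real client the PEM text comes from the TLS library's verified-chain callback; pin the roots and keep the intermediates in the set only as an additional allowance, as the Tip above recommends.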

Next steps

If you have additional questions, contact us through support.