Skip to content

chore: update azure certs #21265

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
code-asher merged 1 commit into from
Dec 15, 2025
Merged

chore: update azure certs #21265

code-asher merged 1 commit into from
Dec 15, 2025
+157 −63

Conversation

@code-asher
Copy link
Member

@code-asher code-asher commented Dec 15, 2025
edited
Loading

Some of these certs expired earlier this year, but I have left them in because I am still not sure I understand the impact or how to test.

We got a notice saying there are new sub-CAs so I went ahead and added all the "issuing" ones but I am not 100% sure this is correct. The documentation is not explicit about which certificates are necessary for signature verification.

@kylecarbs would you happen to have additional context? In the PR the ECC ones were not added and of the RSA ones only the xsign variant was included, is that all we need?

Closes coder/internal#1147

Edit: decided to add just the ECC xsign variants (RSA ones were already bundled). We think these are probably the ones we need (the public key is the same as the non-xsign variants). However these certs do expire in August, so likely they will need to be replaced soon...

@code-asher code-asher force-pushed the asher/update-azure-certs branch 3 times, most recently from 249257d to 3afdf39 Compare December 15, 2025 21:44
Emyrk
Emyrk approved these changes Dec 15, 2025
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list, I think @code-asher's take makes sense.

It seems some RSA certs were replaced by ECC, and why there are more now.

I think we need to actually test this with some azure instances, and we have to test it after January 6 according to the blog post.

Since no certs are remove, I will approve.
@code-asher can we create an issue to test said certs against a vm after Jan 6?

@code-asher code-asher force-pushed the asher/update-azure-certs branch from 3afdf39 to a288971 Compare December 15, 2025 22:04
@code-asher code-asher mentioned this pull request Dec 15, 2025
Open
@code-asher
Copy link
Member Author

code-asher commented Dec 15, 2025

Opened coder/internal#1198 so we can test after 1/6.

@code-asher code-asher merged commit 871ed12 into main Dec 15, 2025
30 checks passed
@code-asher code-asher deleted the asher/update-azure-certs branch December 15, 2025 22:44
@github-actions github-actions bot locked and limited conversation to collaborators Dec 15, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@Emyrk Emyrk Emyrk approved these changes

Assignees

@code-asher code-asher

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Investigate whether we need to upgrade Azure instance ID certs

2 participants

@code-asher @Emyrk