Does your Azure IoT (Edge Ubuntu) device survive the Baltimore certificate migration?

Microsoft is still using the Baltimore certificate for its IoT services. This certificate is used for TLS communication with the IoT Hub and other IoT-related Azure services.

This is done by choice, to give users more time to migrate their devices if they are not (yet) able to support the new DigiCert Global Root G2 certificate automatically.

This year, starting next month, Microsoft will start the migration.

Check out this timeline:

This has been postponed a number of times already. It’s now time to act!

If both your Azure edge devices and Azure IoT edge devices are running Ubuntu, here are some pointers to test your devices.

Please check out my previous post and the recent Youtube video first:

This gives a good impression of how devices handle TLS root certificates.

What is happening?

Microsoft is replacing the Baltimore certificate with the DigiCert Global G2 root.

So, all Azure IoT devices must upload the new certificate so TLS communication keeps working.

This is not the same certificate you use for device identification (next to a connection string or TPM support).

Many devices (when cloud-connected and able to run updates) like laptops and servers automatically refresh these standard certificates by default, in the background.

Does your device support it too?

DigiCert Global G2 root

This certificate can be found on the internet at the digicert website (check the lock in your browser and be sure this is indeed the right site).

There, we can identify the certificate (here is a copy-paste from that site):

DigiCert Global Root G2
Valid until: 15/Jan/2038
Serial #: 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5
SHA1 Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
SHA256 Fingerprint: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

Note: check the site for downloads and tests

See how it’s still valid for many years and we have some fingerprints to check our own copies.

Baltimore certificate on Ubuntu

On a generic Ubuntu 20.04LTS system, can we check if this certificate is available?

Go to the certificates folder on your edge device and check for the Baltimore certificate:

cd /etc/ssl/certs

ls -l | grep Balt

I got this response:

Yes, it’s installed.

Let’s check it in more detail:

openssl x509 -in Baltimore_CyberTrust_Root.pem -text

Yes, this is the one expiring in 2025:

It would be nice if the other certificate is here too.

DigiCert Global Root G2 on Ubuntu

Yes, go to the same certificates folder and check for that certificate:

cd /etc/ssl/certs

ls -l | grep DigiCert_Global_Root_G2.pem

In my case, it was found:

If the file is not found, try in Ubuntu:

sudo update-ca-certificates

This is part of the automatic update.

Note: You could force it if you put this line in the crontab.

Note: You could side-load the certificate by hand too I rather recommend the automatic way of working.

You can inspect the PEM file with:

openssl x509 -in DigiCert_Global_Root_G2.pem -text

This returns:

As you can see, the validation date is correct.

We can check the serial number:

openssl x509 -in DigiCert_Global_Root_G2.pem -text | grep -i  03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5

Note: the GREP is case-insensitive.

It is found.

But this is not enough!

You need to check the fingerprint, here is the way to check the sha256 fingerprint:

openssl x509 -noout -fingerprint -sha256 -inform pem -in DigiCert_Global_Root_G2.pem

The outcome is:

Please compare it too:

openssl x509 -noout -fingerprint -sha256 -inform pem -in DigiCert_Global_Root_G2.pem  | grep -I "CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F"

It is the same:

So it seems legit.

Now, you can test one or more IoT (Edge) devices for the new TLS support:

Within the IoT Hub, this dialog helps you to test the migration.

This can be done using the CLI too:

az extension list

... if deprecated extension azure-cli-iot-ext is found ...
az extension remove --name azure-cli-iot-ext
az extension add --name azure-iot
... or ...
az extension update --name azure-iot

az iot hub certificate root-authority show --hub-name [iot hub resource name]

... going forward to the new certificate
az iot hub certificate root-authority set --hub-name [iot hub resource name]  --certificate-authority v2

... and going back to the old certificate ...
az iot hub certificate root-authority set --hub-name [iot hub resource name]  --certificate-authority v1

Note: We got at one project this “An unexpected error occurred while updating your IoT hub. Error message: IoTHub with RootCertificateV2 Feature is not supported.” message. This seems to be related to the Azure infrastructure running your services. (Update 28-02-2023: A bug fix went in last week. Our test service performed well after that. Please submit a support ticket here if it’s still not working for you).

You get a notion of how many devices are connected using the new certificate.

You can even go back to the Baltimore certificate if needed.


We have seen how we can check the Ubuntu operating system for both your Azure IoT and Azure IoT Edge devices for supporting the new TLS certificate.

This gives continued access to Azure-IoT-related services like Azure IoT Hub, Azure Device Provisioning services, and even specific Azure Storage accounts if these are used for IoT device file uploads.

Again, check out that video for much more detailed information. Then, try out the Azure IoT services as seen in the video.

Constrained devices using certificate ‘pinning‘ probably need a new firmware update. If these devices are supplied by a third-party vendor, please connect to them.

See also this thread for the latest news from Microsoft.