none
Bing Maps Root Certificate Migration RRS feed

  • Question

  • We received a Bing Maps Service Announcement about the Bing Maps Root Certificate Migration which warned, "If your application does not accept certificates chained to both the GTE CyberTrust Global Root and the Baltimore CyberTrust Root, please take action prior to June 15th, 2013 to avoid certificate validation errors." Is there any documentation available that provides detailed information to determine if an application is ready for this change, and if not what must be done to be ready?<o:p></o:p>



    Jeff Silver

    Thursday, May 16, 2013 1:46 PM

Answers

  • This certificate issue is main related to Java based applications that use the SOAP services. I don't believe this will effect Silverlight based application.

    That said, the SOAP based services are old and have not been updated in over 3 years. The Bing Maps REST services are much faster and accurate. You may want to consider to upgrading to this service the next time you work on your application. Documentation on how to use the REST services in .NET can be found here: http://msdn.microsoft.com/en-us/library/jj819168.aspx


    http://rbrundritt.wordpress.com

    • Marked as answer by jcsilver Thursday, May 16, 2013 3:47 PM
    Thursday, May 16, 2013 3:45 PM

All replies

  • I believe this was in the email as well:

    The Baltimore CyberTrust Root can be downloaded from https://cacert.omniroot.com/bc2025.crt. If you develop in Java you find guidance on importing the certificate into the keystore here.


    http://rbrundritt.wordpress.com

    • Proposed as answer by Ricky_Brundritt Thursday, May 16, 2013 2:05 PM
    • Unproposed as answer by jcsilver Thursday, May 16, 2013 3:17 PM
    Thursday, May 16, 2013 2:05 PM
  • Thank you for your reply.  Our specific concern is for a Silverlight application hosted in Azure that uses Bing Maps.  When we were addressing a similar notice for the Windows Azure root certificate migration were able to receive a list of specific impacted scenarios which we determined did not affect us, these scenarios for the Windows Azure root certificate migration were:

    1.  Sharepoint Server. Sharepoint uses a custom certificate store rather than the standard Windows certificate store. Sharepoint administrators must add certificates to the Sharepoint store via the admin console or the New-SPTrustedRootAuthority Powershell cmdlet. If your Sharepoint Server uses Windows Azure Active Directory (Access Control Service) for user authentication, or if you have modules which make HTTPs calls to Azure services such as Storage Service, then you will need to add the new Baltimore CyberTrust Root certificate.

    2.  .NET applications using ServerCertificateValidationCallback. .NET exposes the System.Net.ServicePointManager.ServerCertificateValidationCallback and in .NET 4.5 the System.Net.HttpWebRequest.ServerCertificateValidationCallback callback functions which allow developers to use custom logic to determine certificate validity rather than relying on the standard Windows certificate store. A developer can add logic which checks for a specific subject name or thumbprint, or use logic which only allows a specific root authority such as GTE CyberTrust Global Root. If your application uses this callback function you should make sure that it accepts both the old and new certificates.

    3.  Devices with custom certificate stores. Embedded devices such as TV set top boxes and mobile devices often ship with a limited set of root authority certificates and have no easy way to update the certificate store. If you write code for, or manage deployments of, custom embedded or mobile devices you will want to make sure the devices trust the new Baltimore CyberTrust Root certificate. Most modern smartphone device already include the Baltimore CyberTrust Root certificate with the notable exception being that Google included the certificate with Android 2.3 Gingerbread which was released mid-2011 (source).

    4.  Highly secured environments. Clients running in environments which are highly secured may run into issues with not having the standard root certificates installed on the OS, having outbound network traffic restricted to specific addresses, or not allowing automatic certificate updates. System administrators may remove all certificates that are not explicitly required, and may have removed the Baltimore CyberTrust Root from the trusted root store on the OS. Network administrators may restrict outbound network traffic which may block the standard Certificate Revocation List checks performed by Windows during the process of validating certificates. The “Microsoft Internet Authority” intermediate cert has changed as part of this update and the CRL distribution point has changed from http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl to http://cdp1.public-trust.com/CRL/Omniroot2025.crl.

    5.  Runtime Environments. Some runtime environments such as Java use custom certificate validation mechanisms instead of the standard Windows certificate validation. We are currently unaware of any runtime environments which do not trust the Baltimore CyberTrust Root certificate, but if you are running on a niche or older runtime environment you should check with the vendor to determine if your application will be impacted.

    6.  Native applications using WINHTTP_CALLBACK_STATUS_SENDING_REQUEST. Similar to #2 above with the ServerCertificateValidationCallback, the WINHTTP_CALLBACK_STATUS_SENDING_REQUEST notification allows native applications to implement custom certificate validation algorithms. Usage of this notification is very rare and requires a significant amount of custom code to implement.

    Since these scenarios did not pertain to our application we were able to determine we did not need to take any action regarding the Windows Azure root certificate migration.  I am looking to find out if there is a similar list of impacted scenarios for the Bing Maps Root Certificate Migration.  We are probably not an impacted scenario for the Bing Maps Root Certificate Migration but we just want to make sure. 

    • Edited by jcsilver Thursday, May 16, 2013 2:46 PM
    Thursday, May 16, 2013 2:44 PM
  • This certificate issue is main related to Java based applications that use the SOAP services. I don't believe this will effect Silverlight based application.

    That said, the SOAP based services are old and have not been updated in over 3 years. The Bing Maps REST services are much faster and accurate. You may want to consider to upgrading to this service the next time you work on your application. Documentation on how to use the REST services in .NET can be found here: http://msdn.microsoft.com/en-us/library/jj819168.aspx


    http://rbrundritt.wordpress.com

    • Marked as answer by jcsilver Thursday, May 16, 2013 3:47 PM
    Thursday, May 16, 2013 3:45 PM
  • Hi Richard,

    Our silverlight application consuming the Bing Map imagery service using the below url:

    https://dev.virtualearth.net/webservices/v1/

    We also received the Bing Maps Root Certificate Migration email from Microsoft but we are not sure about the impact to our application. Please let me know if there is any way to identify that our application is impacted because of this certificate migration.

    If this certicate is required for our application, please let us know the steps to install the same in windows 2008 sever.

    Thanks,

    Aravind

    Wednesday, May 29, 2013 4:17 PM
  • Hello Richard,

    Our web application is in asp.net 3.5 that are using Bing Map Api v6.2 and their methods to draw polygon and polyline on the map. I have a question please answer that.

    Do I also need to update these certificate ?

    Thanks


    Sharma M.

    Friday, June 7, 2013 12:55 PM
  • The Bing Maps AJAX controls are completely unrelated to this certificate change. This mainly effects those using the Bing Maps SOAP services from server side code.

    http://rbrundritt.wordpress.com

    Saturday, June 8, 2013 12:02 PM