What is the trusted issuer (CA) of the Azure AD certificate?

  • Question

  • When I look into SAML responses or the federation metadata of Azure AD, I see that the certificate of Azure AD doesn't have any chain. It just has "accounts.accesscontrol.windows.net" listed under the certification chain.

    --> Is the issuer of this cert Microsoft itself?

    --> Do I have to add the cert below to trusted issuers?

    --> Is this a well-known cert that keeps changing every two years? That seems odd, as popular CAs like Verisign typically have their certs valid for, say, 30 years or so.

    Cert key data that I see is below:


    Monday, August 31, 2015 3:48 AM

Answers

All replies

  • This one is self-signed. It doesn't really matter who the issuer is or whether it's trusted; the clients don't care about it. The one you need to make sure is trusted by your infra is the "SSL communication" one, which you can get by simply browsing the HTTPS endpoint.

    Btw, didn't they replace accounts.accesscontrol.windows.net endpoints with login.windows.net? I.e. the metadata endpoint should be https://login.windows.net/tenant.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml

    • Marked as answer by Rahulforaim Monday, August 31, 2015 11:40 AM
    Monday, August 31, 2015 8:05 AM
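To make the answer concrete: a relying party trusts the token-signing certificate by pinning what the identity provider's federation metadata publishes (identified by thumbprint), not by building a chain from it to a CA in a trust store, which is why "self-signed" is not an objection for this particular certificate. The Go program below is an added example and is not code from this thread or from Microsoft. It constructs two self-signed stand-in certificates and a sample federation metadata document of the same shape Azure AD serves (two signing keys, as during a rollover; the name sts.example.test and the entityID are made up), then shows that chain validation against a store lacking the certificate fails, that pinning the metadata certificates by thumbprint succeeds, and that a certificate carrying the same subject name but not listed in the metadata is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newSelfSignedCert builds a constructed stand-in for the self-signed
// token-signing certificate Azure AD publishes: issuer == subject, no chain,
// no CA bit, a couple of years of validity. (Assumption: the page does not
// show the real certificate's extensions, only that it is self-signed.)
func newSelfSignedCert(cn string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// parent == template makes the certificate its own issuer.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// federationMetadata wraps the DER certificates in a constructed sample
// metadata document: KeyDescriptor use="signing" elements holding base64
// X509Certificate values under an IDPSSODescriptor. The entityID is made up.
func federationMetadata(certs ...*x509.Certificate) string {
	var b strings.Builder
	b.WriteString(`<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.example.test/">`)
	b.WriteString(`<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">`)
	for _, c := range certs {
		fmt.Fprintf(&b, `<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>`,
			base64.StdEncoding.EncodeToString(c.Raw))
	}
	b.WriteString(`</IDPSSODescriptor></EntityDescriptor>`)
	return b.String()
}

type keyDescriptor struct {
	Use  string `xml:"use,attr"`
	Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
}
type roleDescriptor struct {
	Keys []keyDescriptor `xml:"KeyDescriptor"`
}
type entityDescriptor struct {
	Roles []roleDescriptor `xml:",any"` // every role element, whatever its type
}

// thumbprint is SHA-1 over the DER encoding in upper-case hex, the form the
// Azure portal and Windows certificate dialogs display.
func thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// signingCerts collects every certificate the metadata publishes for signing
// (use="signing" or no use attribute), across all roles, keyed by thumbprint.
func signingCerts(metadata string) (map[string]*x509.Certificate, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(metadata), &ed); err != nil {
		return nil, err
	}
	out := map[string]*x509.Certificate{}
	for _, r := range ed.Roles {
		for _, k := range r.Keys {
			if k.Use != "" && k.Use != "signing" {
				continue
			}
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(k.Cert), ""))
			if err != nil {
				return nil, err
			}
			c, err := x509.ParseCertificate(der)
			if err != nil {
				return nil, err
			}
			out[thumbprint(c)] = c
		}
	}
	return out, nil
}

// isSelfSigned reports whether the certificate names itself as issuer and its
// signature verifies under its own public key: the "no chain" case asked about.
func isSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// chainVerifies does what a TLS client does: build a chain to a root in the
// given pool. An empty pool models "my CA store has never heard of this issuer".
func chainVerifies(c *x509.Certificate, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// trustedSigner is the check a relying party should actually make: is this
// signer one of the certificates the current metadata publishes?
func trustedSigner(c *x509.Certificate, pinned map[string]*x509.Certificate) bool {
	_, ok := pinned[thumbprint(c)]
	return ok
}

func main() {
	a, _ := newSelfSignedCert("sts.example.test", 1)
	b, _ := newSelfSignedCert("sts.example.test", 2) // second key published during rollover
	pinned, err := signingCerts(federationMetadata(a, b))
	if err != nil {
		panic(err)
	}
	for tp, c := range pinned {
		fmt.Printf("%s self-signed=%v chain-to-empty-store=%v pinned=%v\n",
			tp, isSelfSigned(c), chainVerifies(c, x509.NewCertPool()), trustedSigner(c, pinned))
	}
	stranger, _ := newSelfSignedCert("sts.example.test", 3) // same name, not in metadata
	fmt.Println("unlisted cert with same subject trusted:", trustedSigner(stranger, pinned))
}
```

Two points the run makes visible: chain validation of the signing certificate is meaningless here (it only passes if you put the certificate itself in the root pool, which is just pinning with extra steps), and pinning must follow the metadata rather than a single hard-coded thumbprint, because the provider can publish more than one signing key and rotate them. A third party that insists on a CA-issued token-signing certificate is applying the TLS trust model to the wrong artifact; the TLS certificate on the HTTPS endpoint is the one that has to chain to a trusted CA.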
  • Makes sense. It is just that a third-party app provider is not ready to accept a token-signing cert that is self-signed, and I don't see a way to provide my cert for token-signing purposes.

    The cert that I posted above is what I got from Azure AD a week back so I believe they are still using accesscontrol.windows.net for SAML-P.

    Thanks for your reply.

    Monday, August 31, 2015 11:40 AM