These CA certificates were obtained from Microsoft's PKI repository and converted from DER to PEM format. They are bundled here so that the chain of trust of the certificate used to sign the attested data message can be verified against a known set of CAs.
The certificates expire in May 2024, but may be revoked as early as February 2021 (see below). Once they are revoked, they can be removed or moved to tests (issue #3925).
The certs are:
microsoft_it_tls_ca_1.pem
microsoft_it_tls_ca_2.pem
microsoft_it_tls_ca_4.pem
microsoft_it_tls_ca_5.pem
Azure has announced Azure TLS certificate changes that will affect attested message signing: Azure will move to a new set of root CAs, and the current Microsoft IT TLS CAs will be revoked around February 15, 2021. Whether or when the metadata API certificates will change is not yet known.
Node.js includes a set of root CAs in tls.rootCertificates. Node.js v12.19.0 includes 4 of the 6 new roots; the remaining 2 were added in Node.js v15. Those two are bundled here until we update Node.js (issue #3924):
microsoft_rsa_root_certificate_authority_2017.pem
- Expires 2042
microsoft_ecc_root_certificate_authority_2017.pem
- Expires 2042
These commands download and convert the certificates, with curl and openssl installed. Note that the Microsoft IT TLS CA files are fetched over plain http, so confirm each downloaded certificate's subject and SHA-256 fingerprint (openssl x509 -noout -subject -fingerprint -sha256 -in file.pem) against a trusted source before committing it:
curl http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%201.crt -o microsoft_it_tls_ca_1.crt
curl http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%202.crt -o microsoft_it_tls_ca_2.crt
curl http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%204.crt -o microsoft_it_tls_ca_4.crt
curl http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%205.crt -o microsoft_it_tls_ca_5.crt
curl https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt -o microsoft_rsa_root_certificate_authority_2017.crt
curl https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt -o microsoft_ecc_root_certificate_authority_2017.crt
openssl x509 -inform DER -in microsoft_it_tls_ca_1.crt -out microsoft_it_tls_ca_1.pem
openssl x509 -inform DER -in microsoft_it_tls_ca_2.crt -out microsoft_it_tls_ca_2.pem
openssl x509 -inform DER -in microsoft_it_tls_ca_4.crt -out microsoft_it_tls_ca_4.pem
openssl x509 -inform DER -in microsoft_it_tls_ca_5.crt -out microsoft_it_tls_ca_5.pem
openssl x509 -inform DER -in microsoft_rsa_root_certificate_authority_2017.crt -out microsoft_rsa_root_certificate_authority_2017.pem
openssl x509 -inform DER -in microsoft_ecc_root_certificate_authority_2017.crt -out microsoft_ecc_root_certificate_authority_2017.pem
rm *.crt
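As an added example (not part of this repository or of the Azure tooling), the POSIX shell helpers below wrap the openssl calls above so the bundle can be checked rather than only built: DER-to-PEM conversion, a SHA-256 fingerprint for confirming a download, an expiry check, and verification that a leaf certificate chains to the bundled roots and to nothing else (the default system trust store is explicitly disabled). Because the real Microsoft certificates are not embedded here, the make_test_pki function builds a throwaway root/intermediate/leaf chain with hypothetical names (not Azure's PKI) so the helpers can be exercised offline; the file name certs.sh and the "demo" argument are assumptions. Requires openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not project code. Helpers around openssl for checking a
# bundled CA set like the one in this directory. Run "sh certs.sh demo" to
# exercise them against a constructed test chain (see make_test_pki).

# Convert a DER-encoded .crt (as served by the Microsoft PKI repository) to PEM.
der_to_pem() {
  openssl x509 -inform DER -in "$1" -out "$2"
}

# SHA-256 fingerprint (colon-separated hex) of a PEM certificate. Compare it
# with a trusted reference before committing a file fetched over plain http.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds only if the certificate will still be valid $2 seconds from now.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Concatenate PEM certificates into one bundle usable as -CAfile.
build_bundle() {
  out=$1; shift
  cat "$@" > "$out"
}

# Verify LEAF ($2) against only the trusted BUNDLE ($1), optionally using an
# untrusted intermediates file ($3). -no-CAfile/-no-CApath keep the system
# store out of the decision, which is the point of shipping our own bundle:
# the signer must chain to a root we chose, not to anything the host trusts.
verify_chain() {
  bundle=$1; leaf=$2; untrusted=${3:-}
  if [ -n "$untrusted" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$bundle" \
      -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$leaf" >/dev/null 2>&1
  fi
}

# Constructed test PKI (hypothetical names, NOT the Azure chain): writes
# root.pem, root.der, int.pem and leaf.pem (30-day validity) into $1.
make_test_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
  openssl req -new -key "$dir/root.key" -subj "/CN=Example Test Root" -out "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # DER copy so der_to_pem can be exercised the same way as on the .crt files.
  openssl x509 -in "$dir/root.pem" -outform DER -out "$dir/root.der"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/int.key"
  openssl req -new -key "$dir/int.key" -subj "/CN=Example Test Intermediate" -out "$dir/int.csr"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/leaf.key"
  openssl req -new -key "$dir/leaf.key" -subj "/CN=example.invalid" -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -out "$dir/leaf.pem" 2>/dev/null
}

demo() {
  tmp=$(mktemp -d)
  make_test_pki "$tmp"
  der_to_pem "$tmp/root.der" "$tmp/root_from_der.pem"
  echo "root fingerprint: $(cert_fingerprint "$tmp/root_from_der.pem")"
  build_bundle "$tmp/bundle.pem" "$tmp/root_from_der.pem"
  if verify_chain "$tmp/bundle.pem" "$tmp/leaf.pem" "$tmp/int.pem"; then
    echo "leaf chains to bundled root: OK"
  fi
  if ! verify_chain "$tmp/int.pem" "$tmp/leaf.pem"; then
    echo "intermediate alone is not a trust anchor: rejected as expected"
  fi
  if cert_not_expiring "$tmp/leaf.pem" 3600; then
    echo "leaf valid for at least one more hour"
  fi
  rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

The negative case in demo matters for the revocation plan above: once the Microsoft IT TLS CA intermediates are dropped from the bundle, a leaf that only chains through them must fail verify_chain, and the expiry helper is what a periodic test can call to notice the May 2024 date well before it arrives.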