convert to pem: openssl x509 -in xxxxx.cer -inform der -outform PEM -out xxxxx.pem
check the fingerprint against the one in the Microsoft page: openssl x509 -inform PEM -in xxxxx.pem -noout -fingerprint | tr '[:upper:]' '[:lower:]' | sed 's/://g'
As pointed out by @lohmanndouglas, Microsoft has recently updated the certificate policies.
As recommended by https://techcommunity.microsoft.com/t5/internet-of-things/azure-iot-tls-changes-are-coming-and-why-you-should-care/ba-p/1658456 you have to also include the new intermediate CAs:
i. Microsoft RSA TLS CA 01 (Thumbprint: 703d7a8f0ebf55aaa59f98eaf4a206004eb2516a)
ii. Microsoft RSA TLS CA 02 (Thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75)
iii. To minimize future code changes, also pin the following ICAs:
A. Microsoft Azure TLS Issuing CA 01 (Thumbprint: 2f2877c5d778c31e0f29c7e371df5471bd673173)
B. Microsoft Azure TLS Issuing CA 02 (Thumbprint: e7eea674ca718e3befd90858e09f8372ad0ae2aa)
C. Microsoft Azure TLS Issuing CA 05 (Thumbprint: 6c3af02e7f269aa73afd0eff2a88a4a1f04ed1e5)
D. Microsoft Azure TLS Issuing CA 06 (Thumbprint: 30e01761ab97e59a06b41ef20af6f2de7ef4f7b0)
Sorry, don't know GitHub etiquette about creating a fix on another pending pull request :-P
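
The fingerprint check described in this pull request can be scripted so that each downloaded certificate is matched against the listed thumbprints before it goes into a pin set. The following is an added example, not part of the original post or the project's code; the function names are hypothetical, the thumbprints are the ones listed above, and the sample certificate bytes are constructed placeholders.

```python
import hashlib
import re
import ssl

# SHA-1 thumbprints (hash of the DER-encoded certificate) as listed in this pull request.
PINNED_ICAS = {
    "703d7a8f0ebf55aaa59f98eaf4a206004eb2516a": "Microsoft RSA TLS CA 01",
    "b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75": "Microsoft RSA TLS CA 02",
    "2f2877c5d778c31e0f29c7e371df5471bd673173": "Microsoft Azure TLS Issuing CA 01",
    "e7eea674ca718e3befd90858e09f8372ad0ae2aa": "Microsoft Azure TLS Issuing CA 02",
    "6c3af02e7f269aa73afd0eff2a88a4a1f04ed1e5": "Microsoft Azure TLS Issuing CA 05",
    "30e01761ab97e59a06b41ef20af6f2de7ef4f7b0": "Microsoft Azure TLS Issuing CA 06",
}

def load_der(data: bytes) -> bytes:
    """Return DER bytes from the contents of a .cer (DER) or .pem file."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data

def thumbprint(data: bytes) -> str:
    """Thumbprint as published: lowercase hex SHA-1 over the DER encoding."""
    return hashlib.sha1(load_der(data)).hexdigest()

def normalize(fingerprint: str) -> str:
    """Accept openssl's 'SHA1 Fingerprint=70:3D:...' output or a bare hex string."""
    cleaned = re.sub(r"[:\s]", "", fingerprint.split("=")[-1]).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError(f"not a SHA-1 fingerprint: {fingerprint!r}")
    return cleaned

def pinned_name(fingerprint: str):
    """Name of the listed intermediate CA for this fingerprint, or None."""
    return PINNED_ICAS.get(normalize(fingerprint))

def check_cert(data: bytes):
    """Return (thumbprint, CA name or None) for a certificate file's contents."""
    tp = thumbprint(data)
    return tp, PINNED_ICAS.get(tp)

if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a downloaded .cer file.
    sample = b"constructed placeholder, not a real certificate"
    tp, name = check_cert(sample)
    print(tp, name or "NOT in the pinned list: do not add without verifying")
```
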