Missing Root Certificates

Yvonne Arnoldus 161 Reputation points
2025-03-18T11:08:33.1166667+00:00

Hi,

I'm using multi-tenant Azure App Service Plan and know I can't add a Root certificate (https://azure.github.io/AppService/2021/06/22/Root-CA-on-App-Service-Guide.html#how-to-get-a-list-of-trusted-root-ca-on-app-service-using-kudu).

I made a list of the certs in the Web App:

    Thumbprint                                Subject
    ----------                                -------
    FC3FB3BACE607B5C019C3A3E439AD16088AD78BE  CN=ameroot, DC=AME, DC=GBL
    DF3C24F9BFD666761B268073FE06D1CC8D4F82A4  CN=DigiCert Global Root G2, OU=www...
    D4DE20D05E66FC53FE1A50882C78DB2852CAE474  CN=Baltimore CyberTrust Root, OU=C...
    D17697CC206ED26E1A51F5BB96E9356D6D610B74  CN=Microsoft Internal Corporate Root
    CDD4EEAE6000AC7F40C3802C171E30148030C072  CN=Microsoft Root Certificate Auth...
    CAB20A7F63F00F2BAE762025DFE36DB3A03A9CB9  CN=SAS-CP1SASCA01-CA, DC=SAS, DC=M...
    BE36A4562FB2EE05DBB3D32323ADF445084ED656  CN=Thawte Timestamping CA, OU=Thaw...
    AD34FF084A8E0ACB42D83365A3F2EB686BC191C4  CN=Microsoft Assurance Designation...
    A8377BE68887C23CAFBFAE87544546BB17C612E4  CN=Microsoft RSA Services Root CA ...
    A43489159A520F0D93D032CCAF37E7FE20A8B419  CN=Microsoft Root Authority, OU=Mi...
    9DFA93169618BF166E6483A219E6ADB31BFF8511  CN=SAW HRE CA, OU=SAW, O=SAS
    999A64C37FF47D9FAB95F14769891460EEC4C3C5  CN=Microsoft ECC Root Certificate ...
    92B46C76E13054E104F230517E6E504D43AB10B5  CN=Symantec Enterprise Mobile Root...
    8F43288AD272F3103B6FB1428485EA3014C0BCFE  CN=Microsoft Root Certificate Auth...
    8CF427FD790C3AD166068DE81E57EFBB932272D4  CN=Entrust Root Certification Auth...
    7F88CD7223F3C813818C994614A89C99FA3B5247  CN=Microsoft Authenticode(tm) Root...
    7E04DE896A3E666D00E687D33FFAD93BE83D349E  CN=DigiCert Global Root G3, OU=www...
    73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74  CN=Microsoft RSA Root Certificate ...
    6F6ED21B8F9C3B27DD6D34221F53E177C81DDAC1  CN=Microsoft Services Partner Root...
    413E8AAC6049924B178BA636CBAF3963CCB963CD  CN=ameroot, DC=AME, DC=GBL
    3EC910ED6A2288AD518E672093E0A0FBF249FFCE  CN=Commercial Cloud Root CA R1, O=...
    3B1EFD3A66EA28B16697394703A72CA340A05BD5  CN=Microsoft Root Certificate Auth...
    31F9FC8BA3805986B721EA7295C65B3A44534274  CN=Microsoft ECC TS Root Certifica...
    2BD63D28D7BCD0E251195AEB519243C13142EBC3  CN=Microsoft Test Root Authority, ...
    245C97DF7514E7CF2DF8BE72AE957B9E04741E85  OU=Copyright (c) 1997 Microsoft Co...
    18F7C1FCC3090203FD5BAA2F861A754976C8DD25  OU="NO LIABILITY ACCEPTED, (c)97 V...
    06F1AA330B927B753A40E68CDF22E34BCBEF3352  CN=Microsoft ECC Product Root Cert...
    0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8  CN=Microsoft Time Stamp Root Certi...
    E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46  CN=UTN-USERFirst-Object, OU=http:/...
    D69B561148F01C77C54578C10926DF5B856976AD  CN=GlobalSign, O=GlobalSign, OU=Gl...
    D1EB23A46D17D68FD92564C2F1F1601764D8E349  CN=AAA Certificate Services, O=Com...
    CABD2A79A1076A31F21D253635CB039D4329A5E8  CN=ISRG Root X1, O=Internet Securi...
    B1BC968BD4F49D622AA89A81F2150152A41D829C  CN=GlobalSign Root CA, OU=Root CA,...
    A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  CN=DigiCert Global Root CA, OU=www...
    743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A  CN=SSL.com EV Root Certification A...
    742C3192E607E424EB4549542BE1BBC53E6174E2  OU=Class 3 Public Primary Certific...
    5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25  CN=DigiCert High Assurance EV Root...
    3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F  CN=StartCom Certification Authorit...
    2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E  CN=USERTrust RSA Certification Aut...
    2796BAE63F1801E277261BA0D77770028F20EEE4  OU=Go Daddy Class 2 Certification ...
    0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43  CN=DigiCert Assured ID Root CA, OU...

Can anyone explain to me why there is no Google Trust Services LLC (GTS Root R4) certificate available?

I'm not requesting my own obscure root certificate but a root certificate from Google, which is a big player.

Azure App Service

Accepted answer
  1. Alekhya Vaddepally 165 Reputation points Microsoft External Staff
    2025-03-18T15:17:07.6533333+00:00

    Hi Yvonne Arnoldus,

    A number of factors could explain the missing Google Trust Services LLC (GTS Root R4) root certificate in your Azure App Service Plan. Not all of the desired major providers' root certificates are included, and even App Service may not encompass all of the root certificates, so the trusted root certificates are prone to change depending on the service or environment.

    Even though Google is a major name in the world of certificate authorities, the fact that Google's root certificate is not included in the Azure trusted certificate list is purely a business decision Microsoft has to make. The list could be missing certificates due to factors like compatibility, security, or other operational reasons.

    Check the official Microsoft documentation on Azure Certificate Authority for specific information about trusted root certificates used in Azure.

    https://learn.microsoft.com/en-us/security/trusted-root/2023/feb2023
    https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list

    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who face a similar issue may benefit from it.

    Let me know if you have any further queries.

    1 person found this answer helpful.
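
A check that goes with this thread, as an added example that is not part of the question or the answer: it searches the root store on the full subject (the listing in the question truncates subjects with "..."), then builds the chain for an endpoint the app calls and reports which root it ends at. `$TargetHost` is a placeholder and the variable names are assumptions of this example; it is written for the Kudu PowerShell console of a Windows App Service app.

```powershell
# Added example, not from the thread. Run in the Kudu PowerShell console.
$TargetHost = 'example.com'   # placeholder: the HTTPS endpoint your app calls
$RootName   = 'GTS Root R4'   # root named in the question

# 1. Search the machine root store on the full subject. The default table
#    view truncates subjects with "...", so a visual scan can miss entries.
$storeHits = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$RootName*" })
"Root store entries matching '$RootName': $($storeHits.Count)"
$storeHits | Format-List Thumbprint, Subject, NotAfter

# 2. Collect the server's leaf certificate. The callback accepts any
#    certificate because this handshake only gathers evidence; no
#    application data is sent over the connection.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($TargetHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally { $tcp.Dispose() }

# 3. Build the chain against the platform trust stores, as a .NET app on
#    Windows would. Revocation is skipped to keep the check about roots only.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)

# 4. Report each element and whether the chain ends at a root in the store.
$chain.ChainElements |
    ForEach-Object { $_.Certificate | Select-Object Thumbprint, Subject, Issuer } |
    Format-List
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inStore = Test-Path -Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
"Chain trusted by platform: $trusted"
"Top of chain: $($top.Subject) (in LocalMachine\Root: $inStore)"
$chain.ChainStatus | ForEach-Object { "Status: $($_.Status) $($_.StatusInformation.Trim())" }
```

A status of `UntrustedRoot` or `PartialChain` means outbound TLS validation to that endpoint will fail in the app; an empty status list with `True` means the chain already ends at a root the platform trusts.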
