
Azure Site Recovery - TLS Certificate Changes


Microsoft is updating Azure services to use Transport Layer Security (TLS) certificates from a different set of Root Certificate Authorities (CAs). We're making this change because the current CA certificates don't comply with one of the [CA/Browser Forum Baseline requirements](https://bugzilla.mozilla.org/show%5Fbug.cgi?id=1649951). Azure Site Recovery service endpoints will be updated in a phased transition across all public regions beginning on October 16, 2020, and completing by October 26, 2020.

# Will this change affect me?

This change will affect connectivity from on-premises configuration server/process servers (for physical/VMware VM replication), and from Hyper-V host servers/System Center VMM servers, to the Azure Site Recovery service.

After the update, replication won't work as expected in the following scenarios:

* If you're connecting to Site Recovery using Azure Private Links.
* If you have an environment where firewall rules only allow outbound calls to specific Certificate Revocation List (CRL) download locations, and/or to Online Certificate Status Protocol (OCSP) verification locations.
* Connectivity is needed to these CRL and OCSP URLs:
    * http://crl3.digicert.com
    * http://crl4.digicert.com
    * http://oscp.digicert.com
    * http://www.d-trust.net
    * http://root-c3-ca2.ocsp.d-trust.net
    * http://crl.microsoft.com
    * http://oneocsp.microsoft.com
    * http://ocsp.msocsp.com

# What should I do?

* If your environment allows access to the URLs above, no action is needed.
* If you already completed the required actions based on [prior instructions](https://docs.microsoft.com/azure/security/fundamentals/tls-certificate-changes), no further action is needed.
* If your environment doesn't allow access to the URLs, consider allowing temporary access. This enables the Site Recovery configuration server/process server (VMware/physical machine replication), or Hyper-V host servers/VMM servers, to automatically update certificates once the update is available in your region. After the update you can turn off access to the URLs.
* If your environment doesn't allow access and you don't want to enable temporary access, then [follow these steps](https://techcommunity.microsoft.com/t5/azure-storage/azure-storage-tls-changes-are-coming-and-why-you-care/ba-p/1705518) to manually install certificates on the relevant servers. You don't need to do anything on replicated machines.
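
A reachability check for the CRL and OCSP URLs listed above, as an added example that is not part of Microsoft's notice: it reports a name that does not resolve separately from a TCP connection that is blocked on the URL's port. The function name `Test-RevocationEndpoint` and the 5-second timeout are assumptions of this example; the URL list is copied from the notice.

```powershell
# Added example: run on the configuration/process server, Hyper-V host or VMM server.
# URL list copied verbatim from the notice; function name and timeout are illustrative.
$urls = @(
    'http://crl3.digicert.com', 'http://crl4.digicert.com', 'http://oscp.digicert.com',
    'http://www.d-trust.net', 'http://root-c3-ca2.ocsp.d-trust.net',
    'http://crl.microsoft.com', 'http://oneocsp.microsoft.com', 'http://ocsp.msocsp.com'
)

function Test-RevocationEndpoint {
    param([Parameter(Mandatory)][string]$Url, [int]$TimeoutMs = 5000)

    $uri = [Uri]$Url
    $result = [ordered]@{ Url = $Url; Dns = 'fail'; Tcp = 'skipped'; Detail = '' }

    # Step 1: name resolution. A failure here is a DNS issue, not a firewall block.
    try {
        $null = [System.Net.Dns]::GetHostAddresses($uri.Host)
        $result.Dns = 'ok'
    } catch {
        $result.Detail = 'name did not resolve'
        return [pscustomobject]$result
    }

    # Step 2: outbound TCP connection to the port implied by the URL (80 for http).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($uri.Host, $uri.Port)
        if ($task.Wait($TimeoutMs) -and $client.Connected) {
            $result.Tcp = 'ok'
        } else {
            $result.Tcp = 'fail'
            $result.Detail = "no TCP connection within $TimeoutMs ms"
        }
    } catch {
        $result.Tcp = 'fail'
        $result.Detail = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

$report = $urls | ForEach-Object { Test-RevocationEndpoint -Url $_ }
$report | Format-Table -AutoSize
$unreachable = @($report | Where-Object { $_.Tcp -ne 'ok' })
if ($unreachable.Count) {
    Write-Warning "$($unreachable.Count) of $($urls.Count) endpoints unreachable from $env:COMPUTERNAME"
}
```

If the server reaches the internet through an HTTP proxy, a direct TCP test fails even when requests through the proxy succeed, so read the result against the server's actual outbound path.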