by Apfel 686 days ago
https://www.digicert.com/support/certificate-revocation-inci...

Could it be potentially related to this?

1 comments

Unlikely. Microsoft operates their own CAs. Although some of their CAs have been cross-signed by DigiCert, Microsoft is responsible for the domain validation.
I've always seen Microsoft certificates signed by DigiCert, who knows.
You're probably seeing the root certificate, which is operated by DigiCert.

The intermediate CAs which issue the end-entity certificates are operated by Microsoft.

Figuring out who truly issued a certificate is tricky business: https://www.agwa.name/blog/post/the_certificate_issuer_field...

This is what I see, e.g., for outlook.com:

root issuer: CN = DigiCert Global Root CA OU = www.digicert.com O = DigiCert Inc C = US

intermediate issuer: CN = DigiCert Global Root CA OU = www.digicert.com O = DigiCert Inc C = US

server certificate issuer: CN = DigiCert SHA2 Secure Server CA O = DigiCert Inc C = US

Interesting, that truly is issued by DigiCert.

The end-entity certificates I see for microsoft.com, azure.microsoft.com, portal.azure.com are all issued by:

C = US, O = Microsoft Corporation, CN = Microsoft Azure RSA TLS Issuing CA 0X [where X varies]

In any case, I just analyzed DigiCert's CRLs and it doesn't look like they've done many revocations yet. These are the only CT-logged certs revoked in the last 24 hours with reason code 4 (required when domain validation is done improperly):

https://gist.github.com/AGWA/2d22a1a94ef80ccdb38e3248323f434...

I don't see any Microsoft/Azure domains in that list.
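
The CRL filter described in the last comment (entries revoked within the past 24 hours carrying reason code 4, which RFC 5280 names `superseded`) can be reproduced with a small DER walker. This is an added example, not part of the thread and not the commenter's tooling; the function names are hypothetical, the sample CRL is constructed and unsigned, and no signature check or CT-log matching is done.

```python
from datetime import datetime, timedelta, timezone

REASON_OID = bytes.fromhex("551d15")  # id-ce-cRLReasons, 2.5.29.21

def children(buf):
    """Yield (tag, content) for each DER element directly inside buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits = number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def parse_time(tag, raw):  # 0x17 = UTCTime, otherwise GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def revoked_entries(crl_der):
    """Yield (serial, revoked_at, reason or None) from a DER-encoded CRL."""
    tbs = next(children(next(children(crl_der))[1]))[1]
    fields = list(children(tbs))
    pos = max(i for i, (t, _) in enumerate(fields) if t in (0x17, 0x18)) + 1
    if pos >= len(fields) or fields[pos][0] != 0x30:
        return  # revokedCertificates is OPTIONAL
    for _, entry in children(fields[pos][1]):
        serial, when, *exts = children(entry)
        reason = None  # entry carries no reasonCode extension
        for _, ext in (children(exts[0][1]) if exts else ()):
            parts = list(children(ext))
            if parts[0][1] == REASON_OID:  # extnValue wraps an ENUMERATED
                reason = next(children(parts[-1][1]))[1][0]
        yield int.from_bytes(serial[1], "big"), parse_time(*when), reason

def recent_superseded(crl_der, now, window=timedelta(hours=24), reason=4):
    return [s for s, when, r in revoked_entries(crl_der)
            if r == reason and now - window <= when <= now]

def tlv(tag, body):  # DER encoder for the constructed sample only (bodies < 256 bytes)
    return bytes([tag]) + (b"" if len(body) < 0x80 else b"\x81") + bytes([len(body)]) + body

def sample_crl(now):  # constructed, unsigned CRL skeleton: serials 0x11, 0x22, 0x33
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    ext = lambda c: tlv(0x30, tlv(0x30, tlv(0x06, REASON_OID) + tlv(0x04, tlv(0x0A, bytes([c])))))
    ent = lambda sn, hours, c: tlv(0x30, tlv(0x02, bytes([sn])) + utc(now - timedelta(hours=hours)) + ext(c))
    revoked = tlv(0x30, ent(0x11, 2, 4) + ent(0x22, 72, 4) + ent(0x33, 1, 1))
    tbs = tlv(0x30, tlv(0x30, b"") + tlv(0x30, b"") + utc(now) + revoked)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Against a real CRL, pass the DER bytes of the downloaded file to `recent_superseded` with the current UTC time, after verifying the CRL's signature with a proper X.509 library.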