Microsoft hits snooze again on security certificate renewal

Microsoft has expiration issues with its TLS certificates, resulting in unwanted security warnings.

An eagle-eyed Register reader from Australia brought the plight of cdn.uci.officeapps.live.com to our attention, which is listed at one of Microsoft’s worldwide endpoints for Microsoft 365 and Office Online. According to Microsoft, the address is default and requires network connectivity.

TLS Certificate information on cdn.uci.officeapps.live.com

TLS Certificate information on cdn.uci.officeapps.live.com

Our reader realized the situation when some security software began to bleat about the connection not being secure when using Microsoft Office.

A Transport Level Security (TLS) certificate is commonly used to secure internet connections with data encryption. According to DigiCert: “They ensure that data is transmitted privately and without modifications, loss or theft.” Assuming, of course, the certificate is valid.

In the case of cdn.uci.officeapps.live.com, it was valid from August 18, 2023, to June 27, 2024, and despite appearing in the list of Microsoft’s worldwide endpoints has now expired. The result will be headaches for administrators dealing with strange security errors popping up on some users’ screens and somebody within Microsoft doubtless being given a stern talking to.

The warning also noted that Microsoft Azure ECC TLS Issuing CA 01 has expired, which could spell problems for certificates issued by the service. The situation has not gone unnoticed on Microsoft’s own support forums, with one poster saying: “We have 200 PCs now giving this code when opening Word.”

Microsoft is no stranger to expiration whoopsies. In 2022, it forgot to renew the certificate for the web page of its Windows Insider subdomain, resulting in security warnings for its army of unpaid testers when they attempted to access the site.

The Register contacted Microsoft for comment and will update this piece should the company have anything to share. Microsoft previously announced plans to tackle its URL sprawl with a shift to cloud.microsoft.

Of the expiration, our reader mused: “I seem to remember this happening on many occasions in the past. It seems a bit strange that expiry dates for strategic systems such as website security certificates are not kept as a list in, say, a commonly used spreadsheet.”

If only Microsoft had access to something that could store and sort data in such a way.

We asked Microsoft Copilot how to handle the expiration of TLS certificates. It suggested monitoring expiration dates and renewing certificates before they expire.

It ended with a chirpy: “Remember, expired certificates can lead to service outages and unencrypted connections, affecting your organization’s reputation and customer relationships. Stay vigilant and keep those certificates up-to-date! ????” ®

READ MORE HERE