This message is for Application Delivery Organizations (ADOs) that use applications integrated with Cloud Active Directory (AD).
Note: ADOs that connect to Cloud AD using Lightweight Directory Access Protocol over SSL/TLS (LDAPS TCP/636) will receive instructions in a separate message.
Summary
The Cloud AD root Certification Authority (CA) certificate used throughout the CMS Hybrid Cloud environment will expire on August 26, 2026.
To avoid authentication and service interruptions, the Cloud AD team will distribute the renewed root CA certificate starting in April 2026. This includes delivery through the April Gold Image (GI) release (April 17, 2026), standard group policy distribution, and automatic renewal cycles. Most ADO customers will receive the updated certificate automatically and do not need to take any action.
For LDAPS-connected ADO teams, the Cloud AD team will provide the renewed root CA certificate directly, beginning on April 1, 2026, so that teams can update their trust configurations before Monday, June 1, 2026. This allows adequate time to complete the update before the certificate auto-renews on July 16, 2026.
Impact/Required actions
Most ADO customers (No action required)
Most ADO customers will receive the updated certificate automatically and do not need to take any action. The renewed root CA certificate will reach domain‑joined servers, workstations, instances, and Cloud AD–integrated applications automatically through the April GI release, standard group policy distribution, and automatic renewal cycles. No configuration changes are required for typical Cloud AD authentication or machine certificates.
LDAPS customers (Action required)
ADOs with applications or services that connect to Cloud AD using LDAPS must update their LDAPS trust chains to include the renewed root CA certificate before Monday, June 1, 2026. LDAPS customers who do not trust the renewed root CA certificate by the deadline will experience authentication failures on July 15, 2026, when Cloud AD systems begin automatic certificate renewal.
Auto-renewal
Certificates issued from Cloud AD templates will automatically renew on July 15, 2026, which is 6 weeks before the expiration date (August 26, 2026). Cloud AD servers and services will collectively switch to the renewed root CA certificate chain during the auto-renewal event.
Next steps
- Most ADO customers will receive the renewed certificate automatically and do not need to take any action.
- The Cloud AD team will communicate directly with LDAPS customers to renew the root CA certificate and provide instructions to update their LDAPS trust chains.
LDAPS identification
Please note: LDAPS usage can be dynamic, and not all LDAPS connections are always visible. The Cloud AD team cannot guarantee that your applications are not impacted if you are omitted from the initial outreach.
If your applications or systems use LDAPS, or if you are unsure, contact the Cloud AD team immediately by email at CMS-CLOUD-AD-TEAM@cms.hhs.gov to confirm whether updates are required.
Support
For questions or concerns, contact the Cloud AD team at CMS-CLOUD-AD-TEAM@cms.hhs.gov. You can also contact your assigned Technical Advisor or submit a Hybrid Cloud support ticket.