root certificate rotation for Azure Database for MySQL

Question

root certificate rotation for Azure Database for MySQL

Sahan Jayasinghe 0

Hi,

We have Azure Database for MySQL flexible server deployed and I received the below email.

Root certificates for Azure Database for MySQL Flexible Server are changing 31 July 2025

We have a laravel application currently running using the DigiCertGlobalRootCA.crt.pem certificate to connect to the database.

When I tried to connect to the database via DBeaver using the DigiCertGlobalRootG2.crt.pem certificate and I was not able to connect. Could you please let me know what needs to be done? is the DigiCertGlobalRootG2.crt.pem certificate operational now?

Regards,

Sahan Jayasinghe

Lead DevOps Engineer

Harish Reddy Nimma 0 Reputation points Microsoft External Staff Moderator

2025-06-26T10:21:17.36+00:00

Hi Sahan Jayasinghe,

Just checking in to see if the below answer provided by @Michele Ariis helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

2 answers

Your answer

Harish Reddy Nimma 0 Reputation points Microsoft External Staff Moderator

2025-06-26T10:21:17.36+00:00

Hi Sahan Jayasinghe,

Just checking in to see if the below answer provided by @Michele Ariis helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Michele Ariis 1,960 MVP

Hi, Azure MySQL today still has the chain ending on DigiCert Global Root CA (SHA-1), so the new DigiCert Global Root G2 (SHA-256) only works after July 31, 2025: to avoid interruptions download both certificates, concatenate them in a single azure-mysql-flex-bundle.pem file, configure Laravel/PHP indicating that bundle as MYSQL_ATTR_SSL_CA (or in the .env with DB_SSL_MODE=verify_ca) and do the same in DBeaver in the “CA file” field; verify with openssl s_client -connect <server>:3306 -starttls mysql -CAfile azure-mysql-flex-bundle.pem until you get “Verify return code: 0”.

The day the server switches to G2 the connection will continue to work without downtime; when you are sure of the rotation you can delete the old SHA-1 root from the bundle, but it is not mandatory.

Sahan Jayasinghe 0 Reputation points

2025-06-27T04:21:00.1466667+00:00

Hi Michele,

Could you please guide me on how to concatenate the two certificates? Will it be as below

-----BEGIN CERTIFICATE-----

DigiCertGlobalRootCA.crt.pem content

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

DigiCertGlobalRootG2.crt.pem content

-----END CERTIFICATE-----
Michele Ariis 1,960 Reputation points MVP

2025-06-27T06:22:43.2266667+00:00
Yes, you're on the right track, that's exactly how it should look.

You just need to concatenate all root certificates that Azure may chain to, one after the other in a single .pem file, with exactly one blank line between each -----END CERTIFICATE----- and the next -----BEGIN CERTIFICATE-----.

So the final file should look like this:

-----BEGIN CERTIFICATE----- <contents of DigiCertGlobalRootCA.crt.pem> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <contents of DigiCertGlobalRootG2.crt.pem> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <contents of MicrosoftRSARootCertificateAuthority2017.crt.pem> -----END CERTIFICATE-----

Let me know if you need the third one (Microsoft RSA Root 2017) or help building the full bundle.

Answer 2

Hi Sahan Jayasinghe

Thanks for reaching out to Microsoft Q&A.

As per the latest updates - To maintain security and compliance standards, we'll begin changing the root certificates for Azure Database for MySQL Flexible Server after 31 July 2025.

The current root certificate DigiCert Global Root CA will be replaced by two new ones:

DigiCert Global Root G2
Microsoft RSA Root Certificate Authority 2017

Kindly follow this document on how to merge the CA certificates - https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-root-certificate-rotation

How to update the root certificate store on your client

To ensure that your applications can connect to Azure Database for MySQL after the root certificate rotation, you need to update the root certificate store on your client. This is necessary if you're using SSL/TLS with root certificate verification.

The following steps guide you through the process of updating the root certificate store on your client:

Download the three root certificates. If you have installed the DigiCert Global Root CA certificate, you can skip the first download:

Download the DigiCert Global Root CA certificate
- Download the DigiCert Global Root G2 certificate.
  - Download the Microsoft RSA Root Certificate Authority 2017 certificate.

Add the downloaded certificates to your client certificate store. The process varies depending on the client type
- For Java users, run these commands to create a new trusted root certificate store: BashCopy
```
     keytool -importcert -alias MySqlFlexServerCACert  -file digiCertGlobalRootCA.crt.pem  -keystore truststore -storepass password -noprompt
```

keytool -importcert -alias MySqlFlexServerCACert2 -file digiCertGlobalRootG2.crt.pem -keystore truststore -storepass password -noprompt keytool -importcert -alias MicrosoftRSARootCert2017 -file MicrosoftRSARootCertificateAuthority2017.crt -keystore truststore -storepass password -noprompt ```

 Then replace the original keystore file with the newly generated one:
 
- `System.setProperty("javax.net.ssl.trustStore","path_to_truststore_file");`

- `System.setProperty("javax.net.ssl.trustStorePassword","password");`

For Java users, run these commands to add the new trusted root certificates to an existing trusted root certificate store: BashCopy

     keytool -importcert -alias MySqlFlexServerCACert2  -file digiCertGlobalRootG2.crt.pem -keystore truststore -storepass password -noprompt

keytool -importcert -alias MicrosoftRSARootCert2017 -file MicrosoftRSARootCertificateAuthority2017.crt -keystore truststore -storepass password -noprompt ```

 There is no need change the `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` properties if you are updating an existing keystore.

For .NET users on Windows, make sure that DigiCert Global Root CA, DigiCert Global Root G2 and Microsoft RSA Root Certificate Authority 2017 exist in the Windows certificate store under Trusted Root Certification Authorities. If any certificate doesn't exist, import it.
For .NET users on Linux who are using SSL_CERT_DIR, make sure that DigiCertGlobalRootCA.crt.pem, DigiCertGlobalRootG2.crt.pem and Microsoft RSA Root Certificate Authority 2017.crt.pem exist in the directory indicated by SSL_CERT_DIR. If any certificate doesn't exist, create the missing certificate file. Convert the Microsoft RSA Root Certificate Authority 2017.crt certificate to PEM format by running the following command: BashCopy
```
     openssl x509 -inform der -in MicrosoftRSARootCertificateAuthority2017.crt -out MicrosoftRSARootCertificateAuthority2017.crt.pem
```
For other (MySQL Workbench, C, C++, Go, Python, Ruby, PHP, Node.js, Perl, or Swift) users, you can merge the CA certificate files in this format: OutputCopy
```
     -----BEGIN CERTIFICATE-----
```

(Root CA1:DigiCertGlobalRootCA.crt.pem) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Root CA2: DigiCertGlobalRootG2.crt.pem) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Root CA3: .crt.pem) -----END CERTIFICATE-----

```

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

root certificate rotation for Azure Database for MySQL

2 answers

Your answer