Share via

Root certificates for Azure Database for MySQL Flexible Server are changing - I'm using the Microsoft Azure Appservice

MarkA 20 Reputation points
2025-06-30T00:26:42.0733333+00:00

Hi,

we got the notification that "Root certificates for Azure Database for MySQL Flexible Server are changing", we've setup a Wordpress AzureApp Service, 3 months ago and all settings were created by the Wordpress app service, using just the defaults mainly during setup. All working well.

After getting this email, I'm looking at the Azure Web App settings, configuration, variables, there is no section there for the database connection certificate or details, am I already covered as I can't find any settings for the certificate in this section of Azure , and also when looking at the wp-config.php file there is no mysqli_client_ssl certificate file there

Is there any way we can verify within the Azure Web Settings or on the files that the new certificate is in place given we've just created this Wordpress appservice service 3 months ago.

Thanks

Mark

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
9,007 questions
Accepted answer
  1. Bhargavi Naragani 6,700 Reputation points Microsoft External Staff Moderator
    2025-06-30T06:17:48.4633333+00:00

    Hi MarkA,

    Azure is updating the Certificate Authority (CA) root certificates that are used to establish secure SSL/TLS connections between your app (in this case, your WordPress app hosted on Azure App Service) and the Azure Database for MySQL Flexible Server.

    These certificates are important to ensure:

    • Secure encrypted traffic between your web app and database.
    • Trust validation using known CA root certificates.

    Starting October 2025, the older root certificates will no longer be trusted, and connections will fail if your app is not set up to trust the new ones.

    Since your WordPress App Service and MySQL Flexible Server were created recently (just 3 months ago), and you used the default connection settings, your setup likely uses the system-managed SSL trust store on the Linux App Service container.

    You mentioned you can see PEM files (certificate files) in the /etc/ssl/certs directory, that’s good. Azure App Service on Linux automatically keeps this directory updated with trusted CA certificates, including the new DigiCert Global Root G2, which is the one Microsoft is transitioning to.

    So, if you're:

    • Not explicitly using custom CA certificates, and
    • Not pinning to a specific certificate in your WordPress or MySQL config,

    Then you're already covered, and no action is required.

    https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-root-certificate-rotation
    https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-connect-tls-ssl

    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

    Let me know if you have any further Queries.

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ripin 11 Reputation points
    2025-06-30T05:28:10.71+00:00
    0 comments
  2. MarkA 20 Reputation points
    2025-07-02T11:53:46.0666667+00:00

    Thanks Bhargavi, not using custom certificates, just using the standards/default as it is adequate for our needs, and the website as well we opted for Microsoft managed certificate.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.