Changes in the root certificate rotation for Azure Database for MySQL

Cosmin Lupu 20 Reputation points
2025-07-08T11:29:10.7666667+00:00

Hello,

As part of the communication from here it was mentioned that on July 31st the DigiCert Global Root CA root certificate will be changed. When we implemented the described change, there was only a mention of one certificate needed (DigiCert Global Root G2). Now the article was updated and there is a mention of two root certificates that will replace it:

  • DigiCert Global Root G2
  • Microsoft RSA Root Certificate Authority 2017

Is there a need for both of those certificates to be used when replacing the old DigiCert Global Root CA, or should it be only one of them?

We are using them on PHP applications connecting through SSL to databases on Azure Database for MySQL - Flexible Server.

Azure Database for MySQL

Answer accepted by question author
  1. Saraswathi Devadula 13,495 Reputation points Microsoft External Staff Moderator
    2025-07-08T13:01:30.61+00:00

    Hello Cosmin Lupu
    Based on the Azure documentation, specifically this part:

    You can identify whether your connections verify the root certificate by reviewing your connection string:

    • If your connection string includes sslmode=verify-ca or sslmode=verify-identity, you need to update the trusted root certificates. You must deploy three root CA certificates to the client certificate store:
        • DigiCert Global Root G2 and Microsoft RSA Root CA 2017 root CA certificates, because services are migrating from DigiCert to Microsoft CA.
        • DigiCert Global Root CA, for legacy compatibility to avoid losing connections.
    • If your connection string includes sslmode=disable, sslmode=allow, sslmode=prefer, or sslmode=require, you don't need to update the trusted root certificates.
    • If your connection string doesn't specify sslmode, you don't need to update certificates.

    Please be informed that there will be no downtime on the database server side.

    Reference document: https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-root-certificate-rotation#does-this-change-require-me-to-plan-maintenance-downtime-for-the-database-server

    Please make sure that your application is using the correct connection string to avoid connection failure.

    If you include the 3 certificates on your application server, without setting sslmode to verify-ca or verify-full (verify-identity), then the certificates will simply be on the server. There will be no problem at all.

    If SSL mode is not set to verify-ca and verify-identity, there is no point updating the certificate.

    Please do let me know if you have any further concerns. Thank you.

    1 person found this answer helpful.
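
A preflight check for the rule in the accepted answer, added here as an example (it is not from the original thread or from Microsoft): given the client's sslmode and its CA bundle, it reports which of the three roots are still missing. Matching on the subject commonName, the `Microsoft RSA Root Certificate Authority 2017` spelling from the question, and the helper names are assumptions of this sketch.

```python
import ssl

# Root CA subject common names named in the thread above (assumed to be the
# commonName values carried in the certificates themselves).
REQUIRED_ROOTS = (
    "DigiCert Global Root G2",
    "Microsoft RSA Root Certificate Authority 2017",
    "DigiCert Global Root CA",  # legacy root, kept for compatibility
)
# Modes in which the client validates the server's chain, per the answer.
VERIFYING_MODES = {"verify-ca", "verify-identity", "verify-full"}


def common_names(ca_certs):
    """Collect subject commonName values from SSLContext.get_ca_certs() output."""
    names = set()
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return names


def missing_roots(sslmode, ca_certs):
    """Return the required roots absent from the trust store.

    Returns [] when sslmode is unset or non-verifying, because the client
    does not check the server's chain in those modes.
    """
    if sslmode is None or sslmode.strip().lower() not in VERIFYING_MODES:
        return []
    present = common_names(ca_certs)
    return [name for name in REQUIRED_ROOTS if name not in present]


def load_bundle(path):
    """Parse a PEM bundle with the standard library and return its CA entries."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


# Constructed sample in get_ca_certs() format: a bundle holding only the G2 root.
SAMPLE_G2_ONLY = [{
    "subject": ((("countryName", "US"),),
                (("organizationName", "DigiCert Inc"),),
                (("commonName", "DigiCert Global Root G2"),)),
}]
```

Run it against the bundle your PHP application points at with `missing_roots("verify-ca", load_bundle(path))`; an empty list means all three roots are present. This is a presence check by name only, so obtain the certificates themselves from the issuers' official download pages.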
