Azure Database for MySQL
An Azure managed MySQL database service for app development and deployment.
Duplicate
Root Certificate Change - Unable to Connect w/o the legacy certificate
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 21%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
Brice Bauer
0
Reputation points
The MySQL instance has an updated alert indicating that the certificate is changed. Which I understand to mean that I should no longer need the "DigiCert Global Root CA" to establish connectivity.
Following the guidance exactly - I'm trying to achieve getting MySQL workbench to connect to my database instance.
- Download the certificate files
- DigiCert Global Root G2
- Microsoft RSA Root Certificate Authority 2017
- Convert the 2017 crt to PEM (command from linked article)
openssl x509 -inform der -in MicrosoftRSARootCertificateAuthority2017.crt -out MicrosoftRSARootCertificateAuthority2017.crt.pem - Manually merge them to create a single file (using linked article as guidance)
- Unable to connect with error:
- If I add the DigiCert Global Root CA to my merged file so I now have 3 entries, I achieve connectivity.
My questions:
Am I correct that the banner on my instance is confirming that the new certs are available and I should no longer be required to utilize the old root CA cert to connect?
How can I perform testing will not lose connectivity as of August 1 since it doesn't seem to be possible to establish connectivity without the certificate that is being retired.
The steps seem extremely simple without much room for executing incorrectly - what are steps to solve my issue?
Azure Database for MySQL
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 60%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator2025-07-23T21:25:16.08+00:00 Hi Brice Bauer,
Greetings!!
It sounds like you're dealing with some certificate issues while trying to connect to your MySQL instance after an update.
Am I correct that the banner on my instance is confirming that the new certs are available and I should no longer be required to utilize the old root CA cert to connect?
Yes, the banner should indicate that the new certificates are available and the old one should not be used for connections anymore.
How can I perform testing will not lose connectivity as of August 1 since it doesn't seem to be possible to establish connectivity without the certificate that is being retired.
For testing without losing connectivity, you can set up a secondary environment or use a local instance of MySQL for tests until you are confident about the new setup before August 1.
The steps seem extremely simple without much room for executing incorrectly - what are steps to solve my issue?
Double-check the installation and merging of the certificates as mentioned above. If needed, you can also reinstall the previous certificate temporarily while troubleshooting.
I hope this information helps. Please do let us know if you have any further queries.
-
Brice Bauer 0 Reputation points
2025-07-24T11:31:13.4433333+00:00 Appreciate the attempt to help, but it's simply not working.
Go ahead and try the steps to establish connectivity, it won't work.
Validate Connectivity using current
- Download mySQL Workbench
- Use only the current DigitCertGlobalRootCA.crt.pem file
- Confirm connectivity is working.
Now try with the steps I've completed countless times.
- Download the G2.CRT.Pem
- Download the 2017.CRT
- Execute the command provided in the documentation to change it from crt to pem
- openssl x509 -inform der -in MicrosoftRSARootCertificateAuthority2017.crt -out MicrosoftRSARootCertificateAuthority2017.crt.pem
- Merge the 2 PEM files together
-
- Connectivity fails
-
Now include the replaced cert file [RootCA.crt.pem] in the merged.pem (which you confirmed should no longer be required) and connectivity is restored.
-
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator
2025-07-25T10:06:18.8+00:00 Hi Brice Bauer,
I kindly request you to please share the details requested in the private message for further troubleshooting.
-
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator
2025-07-31T16:50:24.45+00:00 Hi Brice Bauer,
Here is the latest document that certificate rotation for Azure Database for MySQL was postpone to Sep 1st.
Please check the document: https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-root-certificate-rotation
Thank you.
-
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator
2025-08-01T16:47:49.5+00:00 Hi Brice Bauer,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Brice Bauer 0 Reputation points
2025-08-04T11:26:18.4333333+00:00 @Mahesh Kurva This still isn't addressed. I've sent 3 private messages that haven't been responded to, perhaps you can check there?
Sign in to comment
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 78%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Mohammed 5 Reputation points Microsoft Employee2025-08-05T10:16:02.7166667+00:00 -
Mohammed 5 Reputation points Microsoft Employee
2025-08-05T10:19:35.99+00:00 Hi Brice,
Root certificate is not changed yet as mentioned above, it was postponed to Sep 1st, 2025.
After certificate change and server restarted, you can verify new one by running below command
bash:
openssl s_client -starttls mysql -connect SERVER_NAME.mysql.database.azure.com:3306 2>&1|grep '^issuer'powershell:
openssl s_client -starttls mysql -connect SERVER_NAME.mysql.database.azure.com:3306 2>&1|select-string 'issuer'output should be:
issuer=C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 07if you see this output:
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CAthat indicate certificate was not changed.
New certificates require:
- Download the DigiCert Global Root G2 certificate.
- Download the Microsoft RSA Root Certificate Authority 2017 certificate
Old certificates require:
Download the DigiCert Global Root CA certificateTo avoid connectivity issues before and after certificate change, please combine all three certificates, and in that way, your application will not have connectivity issues when certificate is rotated.
-
Brice Bauer 0 Reputation points
2025-08-05T11:43:42.31+00:00 Your remarks are this is in conflict with previous Microsoft Staff members.
Why does the banner say "Certificate changed" if it's actually not?
In private messages they have told me to restart the server because the certificate is changed, but it still isn't updated. How will we actually know if/when our certificate is changed because the portal still says July 31 - when it's been delayed.
Is the proper guidance:
- Use 3 certificates until implementation is executed (Assuming 9/1 if no more delays)
- After 9/1 validate the command and remove the older cert?
-
Mohammed 5 Reputation points Microsoft Employee
2025-08-06T06:20:55.54+00:00 sorry about this confusion but banner was not updated about the new dates.
and after Sep 1s, even if certificate was updated, it will not take effect until server is rebooted.
and please consider in Sep 1s the process will start but it may take some time to reach your server, so it might take until mid of Sep.
So, if server was rebooted (either manual or via scheduled maintenance) in Sep, run openssl command to verify if the new certificate is installed or not.To address your points:
- Yes, but again, Sep 1s will start process, your server could take until mid of Sep.
- After server is rebooted (either manual or via planned maintenance), validate the command and remove old certificate.
Hope that clear things, thanks.
-
Mahesh Kurva 6,850 Reputation points Microsoft External Staff Moderator
2025-08-07T01:19:27.4133333+00:00 Hi Brice Bauer,
Following up to see if the above answer was helpful. If this answers your query, do click
Accept AnswerandYesfor was this answer helpful. And, if you have any further query do let us know.
Sign in to comment