Regarding Root CA Changes for Azure SQL Database and Azure Database for MySQL

FU JIE ZHAO 80 Reputation points
2025-11-05T03:27:14.1+00:00

Hi Support,

The following two links contain the main content of this question:

Azure SQL: https://learn.microsoft.com/en-us/azure/azure-sql/updates/ssl-root-certificate-expiring?view=azuresql

Azure Database for MySQL: https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-root-certificate-rotation

The link mentions "To maintain our security and compliance standards, we start changing the root certificates for Azure Database for MySQL Flexible Server after September 1, 2025."

The required CA certificates for this change are:

  • DigiCert Global Root G2
  • Microsoft ECC Root Certificate Authority 2017
  • Microsoft RSA Root Certificate Authority 2017

Background: My application is written in Java and utilizes Azure SQL and MySQL. It is currently deployed on AKS. The base image in the Dockerfile is centos-java:1.8.

Issue: Before September 2025, I checked the Java Trusted Root Certificate Store in the base image file centos-java:1.8 as described in the Azure documentation.

It only contained the CA "DigiCert Global Root G2," and did not include the newly added "Microsoft ECC Root Certificate Authority 2017" and "Microsoft RSA Root Certificate Authority 2017."

To cope with this change, before September, I changed the database connection parameters in my application to skip root certificate verification.

Azure SQL: encrypt=true;trustServerCertificate=true

Azure MySQL: useSSL=true&requireSSL=true&verifyServerCertificate=false

However, even now in November, when I tested removing these connection parameters, I found that I could still connect to the database, even though my base image file was missing "Microsoft ECC Root Certificate Authority 2017" and "Microsoft RSA Root Certificate Authority 2017."


Unlike others, which normally run Java programs using VMs, we are using AKS, with the node pool system running Ubuntu Linux, and the pods built on the base image centos-java:1.8.

What could be the reason for this? How should I do it correctly?

Azure SQL Database
1 answer

  1. Sina Salam 26,251 Reputation points Volunteer Moderator
    2025-11-10T12:38:15.18+00:00

    Hello FU JIE ZHAO,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having an issue affecting Azure SQL Database and Azure Database for MySQL, especially in Java applications deployed on AKS using a CentOS-based Docker image.

    The core issue stems from Azure’s announcement to rotate root certificates starting September 1, 2025, requiring applications to trust three specific CAs: DigiCert Global Root G2, Microsoft ECC Root Certificate Authority 2017, and Microsoft RSA Root Certificate Authority 2017 – https://learn.microsoft.com/en-us/azure/azure-sql/updates/ssl-root-certificate-expiring and https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-root-certificate-rotation

    Your Java application behavior results from AKS nodes running Ubuntu Linux, which may provide system-level certificates accessible to containers. Java, depending on its configuration, can fall back to system CA stores, especially in OpenJDK-based environments. To confirm this, you should inspect the certificate chain using openssl from bash command via your Azure CLI:

    openssl s_client -connect <your-db-host>:<port> -starttls mysql

    This will reveal whether the required Microsoft root certificates are being sourced from the host OS rather than the container’s Java trust store.

    To ensure long-term compliance and secure connectivity, you must explicitly add the Microsoft ECC and RSA root certificates to the Java trust store within the Docker image. This can be done using the keytool utility:

    keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts \
     -storepass changeit -noprompt -alias ms-ecc-root \
     -file Microsoft_ECC_Root_Certificate_Authority_2017.crt
    keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts \
     -storepass changeit -noprompt -alias ms-rsa-root \
     -file Microsoft_RSA_Root_Certificate_Authority_2017.crt
    

    Certificate files can be downloaded from Microsoft’s official repository:

    ECC Root: https://www.microsoft.com/pki/mscorp/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt

    RSA Root: https://www.microsoft.com/pki/mscorp/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt

    Once the certificates are added, re-enable strict certificate validation in the connection strings:

    For Azure SQL: encrypt=true;trustServerCertificate=false

    For Azure MySQL: useSSL=true&requireSSL=true&verifyServerCertificate=true

    Finally, the Docker image should be rebuilt and redeployed to AKS, ensuring the updated trust store is used. Monitoring should be implemented to detect SSL handshake failures and validate the certificate chain periodically. The original issue and any unexpected behavior will be resolved by the above, and this will prepare your application for future enforcement of Azure’s certificate policies.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
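Added example (not part of the question or the answer above): a small Java program that asks the JVM's own trust manager which root CAs it actually accepts and reports whether the three roots named in the Azure notices are present. Run it with no argument inside the container to see the JVM's effective default trust store (whatever `cacerts` or `javax.net.ssl.trustStore` resolves to), or pass an explicit keystore path such as `$JAVA_HOME/lib/security/cacerts`; the class name and the argument handling are this example's own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class AzureRootCheck {
    // The three root CAs named in the Azure SQL / Azure MySQL rotation notices.
    static final String[] REQUIRED = {
        "DigiCert Global Root G2",
        "Microsoft ECC Root Certificate Authority 2017",
        "Microsoft RSA Root Certificate Authority 2017"
    };

    // Subject DNs of every root the trust manager built from `ks` accepts.
    // A null keystore makes the JVM use its default trust store, which is
    // exactly what a JDBC driver gets when verification is left enabled.
    static List<String> trustedSubjects(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        List<String> subjects = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    subjects.add(c.getSubjectX500Principal().getName()); // RFC 2253 form
                }
            }
        }
        return subjects;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = null;
        if (args.length > 0) {
            // Optional explicit keystore path (example assumption, e.g. the image's cacerts).
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, null); // null password: read-only load, no integrity check needed
            }
        }
        List<String> subjects = trustedSubjects(ks);
        System.out.println("Trusted roots: " + subjects.size());
        for (String name : REQUIRED) {
            boolean found = subjects.stream().anyMatch(s -> s.contains("CN=" + name));
            System.out.println((found ? "PRESENT " : "MISSING ") + name);
        }
    }
}
```

Running it once against the JVM default and once against the image's `cacerts` file shows directly whether the effective trust store differs from the one inspected in the base image, which is the question being asked above.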

