Request for Confirmation: Impact of IMDS Certificate Changes on Our Subscriptions

Question

Request for Confirmation: Impact of IMDS Certificate Changes on Our Subscriptions

Kapil 0

We received the recent notification regarding the upcoming IMDS attested data certificate changes. To ensure there is no impact on our production environment, I would like to request your confirmation.

Our production environment includes the following Azure components:

App Service
App Service Plan
Azure Database for MySQL Flexible Server
Managed Identity
Private Endpoint + Private DNS Zone
Virtual Network

We are not using any Virtual Machines, VM Scale Sets, or any custom application logic that relies on IMDS attested data or certificate pinning.

Additionally, our MySQL connection in the application uses SSL with the following configuration:

PDO::MYSQL_ATTR_SSL_CA => '/home/site/wwwroot/ssl/DigiCertGlobalRootG2.crt.pem',
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true/false (based on environment)

This CA file is used only for standard MySQL TLS verification. We would like confirmation on the following:

This SSL configuration does not count as certificate pinning for IMDS.
The IMDS attested data certificate changes will not affect Azure MySQL Flexible Server connections.
No action is required on our side for this configuration.

Could you please confirm whether the upcoming IMDS certificate changes will have any impact on our environment or if no action is required from our side?

Please let me know if any additional information is needed.

Praneeth Maddali 2,265 Reputation points Microsoft External Staff Moderator

2025-12-03T02:11:40.5+00:00
Hi @Kapil
Thank you for the detailed explanation it really helps clarify the situation.

In short: You have nothing to worry about. The upcoming changes to the IMDS attested data certificate will not affect your current setup, and you don't need to take any action.

Here’s a breakdown of the key points:

Your MySQL SSL configuration (PDO::MYSQL_ATTR_SSL_CA set to DigiCertGlobalRootG2.crt.pem) is standard TLS verification for the database. This is unrelated to IMDS or certificate pinning in the IMDS context, which only occurs when an application checks the signature on the /metadata/attested endpoint—usually in VM-based workloads or Marketplace image validation. Therefore, this is not IMDS pinning.

Azure Database for MySQL Flexible Server connections are not impacted by IMDS changes. IMDS is a VM-only metadata service, while MySQL Flexible Server uses the regular public Azure TLS certificate chain (currently rooted at DigiCert Global Root G2, with a planned move to new roots in 2025-2026).

Since you are not using VMs, VMSS, or custom code that accesses the IMDS attested endpoint, there are no updates required.

Reference :

https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-root-certificate-rotation

https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=windows

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

1 answer

Your answer

Praneeth Maddali 2,265 Reputation points Microsoft External Staff Moderator

2025-12-03T02:11:40.5+00:00

Hi @Kapil
Thank you for the detailed explanation it really helps clarify the situation.

In short: You have nothing to worry about. The upcoming changes to the IMDS attested data certificate will not affect your current setup, and you don't need to take any action.

Here’s a breakdown of the key points:

Your MySQL SSL configuration (PDO::MYSQL_ATTR_SSL_CA set to DigiCertGlobalRootG2.crt.pem) is standard TLS verification for the database. This is unrelated to IMDS or certificate pinning in the IMDS context, which only occurs when an application checks the signature on the /metadata/attested endpoint—usually in VM-based workloads or Marketplace image validation. Therefore, this is not IMDS pinning.

Azure Database for MySQL Flexible Server connections are not impacted by IMDS changes. IMDS is a VM-only metadata service, while MySQL Flexible Server uses the regular public Azure TLS certificate chain (currently rooted at DigiCert Global Root G2, with a planned move to new roots in 2025-2026).

Since you are not using VMs, VMSS, or custom code that accesses the IMDS attested endpoint, there are no updates required.

Reference :

https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-root-certificate-rotation

https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=windows

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

Answer 1

Your SSL configuration for the Azure Database for MySQL Flexible Server does not count as certificate pinning for IMDS. Certificate pinning typically involves explicitly specifying acceptable CAs for establishing secure connections, which is not the case with your current configuration that uses a CA file for standard MySQL TLS verification.
The upcoming IMDS attested data certificate changes will not affect Azure MySQL Flexible Server connections. The IMDS changes are primarily relevant to services and applications that rely on the Azure Instance Metadata Service, which does not include your MySQL connections.
No action is required on your side for this configuration. Since you are not using Virtual Machines or any custom application logic that relies on IMDS, your current setup should remain unaffected by the IMDS certificate changes.

If you have any further questions or need additional clarification, feel free to ask.

Share via

Request for Confirmation: Impact of IMDS Certificate Changes on Our Subscriptions

1 answer

Your answer