Replace an app’s WoSign root certificate with a DigiCert root certificate

Because the use of WoSign CA certificates was called into question, you must replace server-side WoSign certificates with DigiCert certificates. Mozilla no longer trusts WoSign CA certificates issued after October 21, 2016; for more information, see WoSign Issues on the official website. To protect the security of customer databases, we replaced all server-side WoSign certificates with DigiCert certificates on April 11, 2017. Now that this maintenance has been performed, you can no longer use your original WoSign certificate to initiate SSL connections from the client side. If your apps need SSL connections enabled, follow the procedure in this document.

Encrypting access to a database with SSL ensures that your access is secure. We strongly recommend that you use encrypted connections for database communications. For more information on how to enable SSL, see Use SSL secure access.

  1. Download the DigiCertGlobalRootCA.cer root certificate from the DigiCert official website.

  2. If you wish to use Win32 OpenSSL Light for the conversion, download and install it.

  3. Put the certificate that you downloaded in step 1 in the ...\OpenSSL-Win32\bin directory.

  4. Use the openssl.exe command-line tool to convert DigiCertGlobalRootCA.cer to PEM format:

    OpenSSL> x509 -inform DER -in DigiCertGlobalRootCA.cer -out DigiCertGlobalRootCA.pem

  5. Use the DigiCertGlobalRootCA.pem file generated in step 4 to replace the WoSign certificate in your app.

Taking mysql.exe (version 5.7.15) as an example, after you configure the DigiCert certificate, the SSL connection to MySQL Database on Azure appears as shown in the screenshot below.

SSL configuration verification
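
As an added example (not part of the original procedure and not Azure or DigiCert code), the following Python performs the step 4 conversion without OpenSSL: it accepts the downloaded file in either DER or PEM encoding, rejects truncated files, and returns a SHA-256 fingerprint to compare with the value the CA publishes before you deploy the PEM in step 5. All function names are hypothetical, `pinned_context` assumes a Python client, and the sample bytes are constructed (a minimal ASN.1 SEQUENCE, not a real certificate).

```python
import hashlib
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def read_cert_der(data: bytes) -> bytes:
    """Return DER bytes from certificate data that is either PEM or DER."""
    if data.lstrip().startswith(PEM_HEADER):
        der = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    else:
        der = data
    # A DER certificate is one ASN.1 SEQUENCE (tag 0x30) whose encoded
    # length must cover the file exactly; this catches truncated downloads.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate")
    if der[1] & 0x80:                       # long-form length
        n = der[1] & 0x7F
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    else:                                   # short-form length
        total = 2 + der[1]
    if total != len(der):
        raise ValueError("length mismatch: truncated file or trailing data")
    return der

def to_pem(data: bytes) -> str:
    """Equivalent of 'x509 -inform DER ... -out file.pem' for one certificate."""
    return ssl.DER_cert_to_PEM_cert(read_cert_der(data))

def sha256_fingerprint(data: bytes) -> str:
    """Fingerprint of the DER form, identical for the .cer and the .pem."""
    return hashlib.sha256(read_cert_der(data)).hexdigest().upper()

def pinned_context(pem_path: str) -> ssl.SSLContext:
    """TLS context that trusts only the root in pem_path (assumed Python client).

    Passing cafile stops create_default_context from loading the system
    trust store; certificate and hostname verification stay enabled.
    """
    return ssl.create_default_context(cafile=pem_path)

if __name__ == "__main__":
    # Constructed sample: SEQUENCE { INTEGER 5 }, not a real certificate.
    sample = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
    print(to_pem(sample))
    print("SHA-256:", sha256_fingerprint(sample))
```

In real use, read DigiCertGlobalRootCA.cer in binary mode, pass its bytes to `to_pem`, and write the result to DigiCertGlobalRootCA.pem only after the fingerprint matches the published one.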