Replace an app’s WoSign root certificate with a DigiCert root certificate

Because the trustworthiness of WoSign CA certificates has been called into question, server-side WoSign certificates must be replaced with DigiCert certificates. (Mozilla no longer trusts WoSign CA certificates issued after October 21, 2016. For more information, see WoSign Issues on the official mozilla.org website.) As of April 11, 2017, to protect the security of your database, you can no longer use your original WoSign certificate to initiate SSL connections from the client side. If your app requires SSL connections, see the section "Client-side root certificate replacement solutions" later in this article.

The expected maintenance start times are listed below in Beijing time. **We expect that maintenance will be completed within 10 minutes of the start time.**

**Northern China (Beijing data center):** 11:20 AM on Tuesday, April 11

**Eastern China (Shanghai data center):** 11:20 AM on Tuesday, April 11

Encrypting access to a database with SSL ensures that your connection is protected in transit. We strongly recommend that you use encrypted connections for database communications. For more information on how to enable SSL, see Use SSL secure access.

Client-side root certificate replacement solutions

We offer two types of root certificate replacement solutions. You can choose which solution to implement based on your actual business situation. We have prepared test environments that you can use to verify your configuration. For more information, see the section "Verify your certificate configuration."

Solution 1: Use a WoSign + DigiCert hybrid certificate

**Note:** This solution allows you to perform client-side upgrades at any time based on your business situation.

  1. To download the DigiCertGlobalRootCA.cer root certificate, go to the DigiCert official website.

  2. To download the WS_CA1_NEW.cer root certificate, go to the WoSign official website.

  3. Download and install OpenSSL.

  4. Put the two certificates that you downloaded in steps 1 and 2 in the ...\OpenSSL-Win32\bin directory.

  5. Use the openssl.exe command line tool to convert the DigiCertGlobalRootCA.cer to PEM format:

    OpenSSL>x509 -inform DER -in DigiCertGlobalRootCA.cer -out DigiCertGlobalRootCA.pem

  6. Use the Windows command line tool (CMD) to merge the two certificates into one:

    C:\OpenSSL-Win32\bin>type DigiCertGlobalRootCA.pem WS_CA1_NEW.cer > root_certs.pem

  7. Use the root_certs.pem file generated in step 6 to replace the WoSign certificate in your app.

These steps are provided solely for reference. Alternatively, you can open the DigiCert certificate that you converted to PEM format in Notepad and copy its entire contents, including the BEGIN and END lines, into the WoSign certificate file. The resulting multi-certificate file has the following format (the order of the two certificates does not matter):

-----BEGIN CERTIFICATE-----
<WoSign certificate body>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<DigiCert certificate body>
-----END CERTIFICATE-----

Solution 2: Replace the original WoSign certificate with a single DigiCert certificate

**Note:** If you use this solution, you will only be able to perform client-side upgrades after we have completed our maintenance. Using this solution for client-side upgrades before then could make it impossible for your apps to successfully initiate SSL connections.

  1. To download the DigiCertGlobalRootCA.cer root certificate, go to the DigiCert official website.

  2. Download and install OpenSSL.

  3. Put the certificate that you downloaded in step 1 in the ...\OpenSSL-Win32\bin directory.

  4. Use the openssl.exe command-line tool to convert DigiCertGlobalRootCA.cer to PEM format:

    OpenSSL>x509 -inform DER -in DigiCertGlobalRootCA.cer -out DigiCertGlobalRootCA.pem

  5. Use the DigiCertGlobalRootCA.pem file generated in step 4 to replace the WoSign certificate in your app.
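The conversion and merge steps in Solution 1 (steps 5 and 6) and Solution 2 (step 4) are easy to get subtly wrong: if the DER-format .cer file is concatenated without first being converted to PEM, the resulting bundle contains raw binary bytes and the client's trust store will fail to load it, or load only part of it. The following Python script is an added example, not part of the original article and not an Azure or OpenSSL tool. It converts DER input to PEM, merges any mix of DER and PEM root certificates into one bundle the way steps 5 and 6 do, and then checks that the bundle parses back into the expected number of well-formed certificates. The two "root certificates" it uses are constructed placeholder DER structures, not the real DigiCert or WoSign roots, so that the script runs offline; point `build_bundle` at the real files to check a bundle you produced.

```python
"""Build a PEM CA bundle from DER and/or PEM root certificates and sanity-check it.

Added example; the two sample certificates below are constructed DER SEQUENCEs,
not real CA certificates.
"""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-ins for DigiCertGlobalRootCA.cer (DER) and WS_CA1_NEW.cer.
FAKE_ROOT_A = b"\x30\x06\x02\x01\x01\x02\x01\x02"      # SEQUENCE { INT 1, INT 2 }
FAKE_ROOT_B = b"\x30\x82\x00\x05\x04\x03abc"            # SEQUENCE { OCTET STRING "abc" }


def der_length_ok(der: bytes) -> bool:
    """True if `der` is a single DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if len(der) < 2 + n:
        return False
    declared = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + declared


def der_to_pem(der: bytes) -> bytes:
    """Equivalent of `openssl x509 -inform DER ... -out x.pem` (64-char base64 lines)."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def to_pem_blocks(data: bytes) -> list:
    """Normalise one input file (DER or PEM, possibly several PEM blocks) to PEM blocks."""
    if data[:1] == b"\x30":               # DER files start with the SEQUENCE tag
        if not der_length_ok(data):
            raise ValueError("DER input is truncated or malformed")
        return [der_to_pem(data)]
    blocks = [der_to_pem(base64.b64decode(m.group(1))) for m in PEM_BLOCK.finditer(data)]
    if not blocks:
        raise ValueError("input is neither DER nor PEM certificate data")
    return blocks


def build_bundle(*cert_files: bytes) -> bytes:
    """Merge root certificates into one PEM bundle, like `type a.pem b.cer > root_certs.pem`."""
    out = []
    for data in cert_files:
        out.extend(to_pem_blocks(data))
    return b"".join(out)


def bundle_certs(bundle: bytes) -> list:
    """Return the DER bytes of every certificate in a bundle; reject binary leftovers."""
    ders = []
    for m in PEM_BLOCK.finditer(bundle):
        der = base64.b64decode(m.group(1))
        if not der_length_ok(der):
            raise ValueError("PEM block does not decode to a well-formed DER SEQUENCE")
        ders.append(der)
    # Any bytes outside the PEM blocks mean a DER file was concatenated unconverted.
    if PEM_BLOCK.sub(b"", bundle).strip():
        raise ValueError("bundle contains non-PEM bytes; convert DER inputs first")
    return ders


if __name__ == "__main__":
    bundle = build_bundle(FAKE_ROOT_A, der_to_pem(FAKE_ROOT_B))
    print(bundle.decode())
    print("certificates in bundle:", len(bundle_certs(bundle)))
```

Run the script against `root_certs.pem` by replacing the two placeholder inputs with the real files read in binary mode; a correct Solution 1 bundle yields two certificates, a Solution 2 file yields one. When you then test with mysql.exe, pass `--ssl-ca=root_certs.pem` together with `--ssl-mode=VERIFY_CA` (available since MySQL 5.7.11) so that the client actually validates the server certificate against the bundle rather than merely encrypting the connection.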

Verify your certificate configuration

We prepared two test environments for you: one for East China (Shanghai) and one for North China (Beijing). You can use these test environments to test new certificate configurations:

East China (Shanghai) host name: mysqlservice-sslverify-sha.chinacloudapp.cn

North China (Beijing) host name: mysqlservice-sslverify-bjb.chinacloudapp.cn

Port: 3306

Username: Combine the name of the instance under test and its user name with a percent sign. For example, if the instance "myinstance" has the user name "user", enter "myinstance%user" here.

**Note:** You don't need to create a new instance. You can simply use your existing instance and account to configure the new SSL root certificate, connect to the test environments that we have prepared for you, and verify that the app is correctly configured. The test environments are provided for the sole purpose of verifying new certificate configurations. Do not deploy production systems in these environments. We might delete these test environments at any time.

Let's take mysql.exe (version 5.7.15) as an example. With the hybrid certificate configuration in use, a successful SSL connection to the East China (Shanghai) test environment looks like the screenshot below:

SSL configuration verification