Replace an app’s WoSign root certificate with a DigiCert certificate

As of April 11, 2017, to help protect the security of our customers' databases, Microsoft has replaced server-side WoSign certificates with DigiCert certificates. It is no longer possible to use your original WoSign certificate to establish SSL connections from the client side.

This decision came about because the use of WoSign CA certificates was called into question. Mozilla no longer trusted WoSign CA certificates that were issued after October 21, 2016. For a background analysis, see the official mozilla.org website: WoSign Issues.

This article documents the announcement of the April 11, 2017, change of certificate types.

If your app requires SSL connections, see the “Client-side root certificate replacement solutions” section of this article.

A brief history of the certificate changeover

This section presents a schedule of maintenance events as they were announced for April 11, 2017.

The expected maintenance start times are indicated below in Beijing time. We expect that maintenance will be completed within 10 minutes of the start time.

North China (Beijing Data Center): Tuesday, April 11, 11:20 AM (11:20 on Tuesday morning)

East China (Shanghai Data Center): Tuesday, April 11, 11:20 AM (11:20 on Tuesday morning)

Tip

Encrypting database connections with SSL protects your traffic in transit. We strongly recommend using encrypted connections for database communications. Please refer to the technical article Use SSL secure access for information on how to enable SSL.

Client-side root certificate replacement solutions

We offer two types of root certificate replacement solutions. You can choose which solution to implement based on your actual business situation. For your convenience, we have prepared a test environment that you can use to verify your configuration. For more information, see the “Verify your certificate configuration” section.

Solution 1: Use a WoSign + DigiCert hybrid certificate

Note

By using this solution, you can perform client-side upgrades at any time based on your business situation, without being affected by our maintenance periods. We recommend that you implement the following solution before April 11.

  1. Go to the official DigiCert website and download the DigiCertGlobalRootCA.cer certificate.

  2. Go to the official WoSign website and download the WS_CA1_NEW.cer certificate.

  3. Download and install OpenSSL.

  4. Put the two certificates downloaded in steps 1 and 2 in the ...\OpenSSL-Win32\bin directory.

  5. Use the openssl.exe command-line tool to convert DigiCertGlobalRootCA.cer to PEM format.

    OpenSSL>x509 -inform DER -in DigiCertGlobalRootCA.cer -out DigiCertGlobalRootCA.pem

  6. Use the Windows command-line tool (CMD) to merge the two certificates into one.

    C:\OpenSSL-Win32\bin>type DigiCertGlobalRootCA.pem WS_CA1_NEW.cer > root_certs.pem

  7. Use the root_certs.pem file generated in step 6 to replace the WoSign certificate in your app.

These steps are provided solely for reference. Alternatively, open the DigiCert certificate that you converted to PEM format in Notepad and append its entire contents to the WoSign certificate file. The resulting multi-certificate file has the following format:

-----BEGIN CERTIFICATE-----
<WoSign certificate contents>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<DigiCert certificate contents>
-----END CERTIFICATE-----

Solution 2: Replace the original WoSign certificate with a single DigiCert certificate

Note

If you use this solution, you will be able to perform client-side upgrades only after we have completed our maintenance. Using this solution for client-side upgrades before then could make it impossible for your apps to establish SSL connections.

  1. Go to the official DigiCert website and download the DigiCertGlobalRootCA.cer certificate.

  2. Download and install OpenSSL.

  3. Put the certificate downloaded in step 1 in the ...\OpenSSL-Win32\bin directory.

  4. Use the openssl.exe command-line tool to convert DigiCertGlobalRootCA.cer to PEM format.

    OpenSSL>x509 -inform DER -in DigiCertGlobalRootCA.cer -out DigiCertGlobalRootCA.pem

  5. Use the DigiCertGlobalRootCA.pem file generated in step 4 to replace the WoSign certificate in your app.
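The following Go program is an added illustration of what Solution 1 and Solution 2 mean for a client; it is not part of the original article and is not Microsoft's or OpenSSL's code. It mints a constructed old root and new root (stand-ins for the WoSign and DigiCert roots), converts DER to PEM and concatenates the two as steps 5 and 6 do, then checks a server certificate issued under each root against the hybrid bundle and against a new-root-only bundle; the CA names and the host name db.test.invalid are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// mintCert issues a certificate named cn: a self-signed root when parent is nil
// (a constructed stand-in for a real CA), otherwise a server cert signed by parentKey.
func mintCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA: mark it as a CA and self-sign
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der) // cert.Raw is the DER, the encoding of a downloaded .cer
	return cert, key
}

// bundleTrusts is the client-side check once a root bundle is configured: does the server cert chain to a root in it?
func bundleTrusts(bundle []byte, server *x509.Certificate) bool {
	pool := x509.NewCertPool()
	ok := pool.AppendCertsFromPEM(bundle) // false if the bundle holds no parsable certificate
	_, err := server.Verify(x509.VerifyOptions{Roots: pool})
	return ok && err == nil
}

// transitionMatrix builds the hybrid bundle (new root then old root, as the "type" step concatenates
// them) and a new-root-only bundle, then checks a server issued under each root against both bundles.
func transitionMatrix() (hybridOld, hybridNew, newOnlyOld, newOnlyNew bool) {
	toPEM := func(c *x509.Certificate) []byte { // what "openssl x509 -inform DER" produces
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	oldRoot, oldKey := mintCert("Test Old Root", nil, nil)
	newRoot, newKey := mintCert("Test New Root", nil, nil)
	srvOld, _ := mintCert("db.test.invalid", oldRoot, oldKey) // server cert before maintenance
	srvNew, _ := mintCert("db.test.invalid", newRoot, newKey) // server cert after maintenance
	hybrid := append(toPEM(newRoot), toPEM(oldRoot)...)
	return bundleTrusts(hybrid, srvOld), bundleTrusts(hybrid, srvNew),
		bundleTrusts(toPEM(newRoot), srvOld), bundleTrusts(toPEM(newRoot), srvNew)
}
```

The hybrid bundle accepts the server both before and after the switch, whereas the new-root-only bundle rejects the pre-maintenance server, which is the connection failure the note under Solution 2 warns about.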

Verify your certificate configuration

We have prepared two test environments for you, one for East China (Shanghai) and one for North China (Beijing). You can use these test environments to test new certificate configurations.

  • East China (Shanghai) host name: mysqlservice-sslverify-sha.chinacloudapp.cn

  • North China (Beijing) host name: mysqlservice-sslverify-bjb.chinacloudapp.cn

  • Port: 3306

  • Username: the instance name and the user name joined by a percent sign. For example, if the instance “myinstance” has the user “user”, enter “myinstance%user”.

Note

You do not need to create a new instance. You can simply use your existing instance and account to configure the new SSL root certificate, connect to the test environments that we have prepared for you, and verify that the app is correctly configured. The test environments are provided for the sole purpose of verifying new certificate configurations. Do not deploy production systems in these environments. We might delete these test environments after the maintenance has been completed.

Taking mysql.exe (version 5.7.15) as an example, after the hybrid certificate configuration is in use, the SSL connection to the East China (Shanghai) test environment will look like the following screenshot:

[Screenshot: Verify the SSL configuration]