KB485897: Changing the Root CA certificate for Azure Database for PostgreSQL Single server.


Xiaodan Ma

Senior Cloud Support Engineer III • MicroStrategy


This article summarizes a certificate change made by Microsoft that affects Azure Database for PostgreSQL, and the action customers need to take.

Background:
To meet industry compliance requirements, CA vendors began revoking CA certificates for non-compliant CAs, requiring servers to use certificates issued by compliant CAs and signed by CA certificates from those compliant CAs. Since Azure Database for PostgreSQL used one of these non-compliant certificates, we needed to rotate the certificate to the compliant version to minimize the potential threat to your Postgres servers.
The new certificate is rolled out and in effect starting December 2022 (12/2022).
Azure Database for PostgreSQL Single Server is therefore planning the root certificate change starting December 2022 (12/2022) as part of standard maintenance and security best practices.
For more information:
https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-certificate-rotation#client-certificate-update-recommendation
Starting December 2022, the BaltimoreCyberTrustRoot root certificate will be replaced with a compliant version known as the DigiCertGlobalRootG2 root certificate.
Environments affected:

  • Existing Azure environments with SSL/TLS enabled, running Strategy 2021 and higher versions. New environments deployed on Azure are not impacted.

Code changes:

  • There are no code or application changes required on the client side. If you follow the certificate update recommendation below, you will still be able to connect as long as the BaltimoreCyberTrustRoot certificate isn't removed from the combined CA certificate.

Customer Action:

  • Download the two certificates from the links below:
    BaltimoreCyberTrustRoot root certificate
    DigiCertGlobalRootG2 root certificate
  • Merge the two CA certificate files, in the format shown below, into the single file located at /opt/mstr/Strategy/postgrescert/BaltimoreCyberTrustRoot.crt.pem
  • You can do it in the following way:
    • Open the new certificate
      cat DigiCertGlobalRootG2.pem
    • Copy the contents of the certificate
    • Open the BaltimoreCyberTrustRoot certificate and paste the copied certificate after the existing one, as follows:

      -----BEGIN CERTIFICATE-----
      (Root CA1: BaltimoreCyberTrustRoot.crt.pem)
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      (Root CA2: DigiCertGlobalRootG2.crt.pem)
      -----END CERTIFICATE-----
  • Restart the VMs (virtual machines) from the Azure Portal once the certificate is updated to reflect the above changes.
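
The merge step above as a script, added here as an example and not taken from the original article or from Strategy's tooling. The function names are hypothetical and the sample PEM bodies are constructed placeholders; on a server the bundle argument would be the combined file path given above.

```shell
#!/bin/sh
# Added example: idempotent merge of a new root CA into an existing PEM bundle.

# Print only the certificate blocks of FILE, CRs stripped, every line newline-terminated.
pem_blocks() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1 }
        inblk                          { print }
        /^-----END CERTIFICATE-----/   { inblk = 0 }'
}

# Print one line per certificate: its base64 body with line breaks removed.
cert_bodies() {
    pem_blocks "$1" | awk '
        /^-----BEGIN/ { body = ""; next }
        /^-----END/   { print body; next }
                      { gsub(/[ \t]/, ""); body = body $0 }'
}

count_certs() { cert_bodies "$1" | wc -l | tr -d ' '; }

# append_root_ca BUNDLE NEWCERT: add NEWCERT to BUNDLE unless it is already there.
append_root_ca() {
    bundle=$1; new=$2
    [ "$(count_certs "$new")" -eq 1 ] || { echo "need exactly one certificate in $new" >&2; return 2; }
    [ "$(count_certs "$bundle")" -ge 1 ] || { echo "no certificate in $bundle" >&2; return 2; }
    if cert_bodies "$bundle" | grep -Fxq -- "$(cert_bodies "$new")"; then
        return 0    # already merged: leave the bundle untouched
    fi
    cp -p "$bundle" "$bundle.bak" || return 1    # keep a rollback copy
    tmp="$bundle.tmp.$$"
    { pem_blocks "$bundle.bak"; pem_blocks "$new"; } > "$tmp" || return 1
    cat "$tmp" > "$bundle" && rm -f "$tmp"       # overwrite in place: owner and mode stay
}

# Demo on constructed placeholder files (the base64 is not a real certificate).
demo() {
    d=$(mktemp -d) || return 1
    # Existing bundle deliberately has no trailing newline, the case a plain `cat a b` breaks on.
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQw' '-----END CERTIFICATE-----' > "$d/bundle.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQx' '-----END CERTIFICATE-----' > "$d/new.pem"
    append_root_ca "$d/bundle.pem" "$d/new.pem" && append_root_ca "$d/bundle.pem" "$d/new.pem"
    count_certs "$d/bundle.pem"
    rm -rf "$d"
}
demo
```

With the real files, `openssl x509 -in DigiCertGlobalRootG2.pem -noout -subject -fingerprint` shows which root a file holds before it is merged.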

 


Details

Knowledge Article

Published: January 16, 2023

Last Updated: January 16, 2023