PostgreSQL Server TLS certificates

We run our own instance of Sonarqube.I have a task to research this alert.

I found this in the Azure Portal > Kubernetes service > Configuration > SONAR_JDBC_URL

Is this update something we would do or would it be in a future SonarQuve version?

Update your trusted root store for Azure Database for PostgreSQL – Flexible Server
The activity log alert issues-sh was triggered for the Azure subscription Platform Engineering - PROD.
View in Azure Service Health > []

You’re receiving this notice because you use Azure Database for PostgreSQL – Flexible Server
In May 2024, we’ll begin updating Azure Database for PostgreSQL Flexible Server to use TLS certificates from Microsoft RSA Root Certificate Authority 2017 []. If your apps use certificate pinning, you’ll need to update your trusted root store to accept this root CA in addition to existing DigiCert Global Root CA [].
• If your applications take advantage of verify-ca or verify-full as value of sslmode parameter [] in the database client connectivity they may be affected by this change and need to follow below directions to add new certificates to certificate store to maintain connectivity.
• If your connection string includes sslmode=disable, sslmode=allow, sslmode=prefer, or sslmode=require, you don’t need to update certificates. If you’re using a client that abstracts the connection string away, review the client’s documentation to understand whether it verifies certificates. To understand PostgreSQL sslmode, review the SSL mode descriptions [] in PostgreSQL documentation.
Required action
Please download Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root CA certificates from the following URI []. Generate a combined CA certificate store with both DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 certificates are included. For Java (PostgreSQL JDBC) users using DefaultJavaSSLFactory, please use the following certificate:
• keytool -importcert -alias PostgreSQLServerCACert -DigiCertGlobalRootCA.crt.pem -keystore truststore -storepass password -noprompt
• keytool -importcert -alias PostgreSQLServerCACert2 -file D:\ Microsoft ECC Root Certificate Authority 2017.crt.pem -keystore truststore -storepass password -noprompt
Then, please replace the original keystore file with the new generated one:
• System.setProperty(“”,“pathtotruststorefile”);
• System.setProperty(“”,“password”);
For .NET (Npgsql) users on Windows, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in Windows Certificate Store Trusted Root Certification Authorities. For .NET (Npgsql) users on Linux using SSLCERTDIR, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in the directory indicated by SSLCERTDIR. If any certificates don’t exist, please create the missing certificate file. For other PostgreSQL client users, you can merge two CA certificate files like the following format:
(Root CA1: DigiCertGlobalRootCA.crt.pem)
(Root CA2: Microsoft ECC Root Certificate Authority 2017.crt.pem)
Replace the original root CA pem file with the combined root CA file and restart your application/client.
If you’re using SSL/TLS, you don’t need to restart the database server to start using the new root CA certificate. This is a client-side change, and the incoming client connections need to use the new certificate to ensure that they can connect to the database server. If you aren’t using SSL/TLS, you don’t need to update the root CA certificate and no further action is required.
What is the impact if using App Service with Azure Database for PostgreSQL Flexible Server?
For Azure app services, connecting to Azure Database for PostgreSQL, we can have two possible scenarios and it depends on how on you’re using SSL with your application.
• This new certificate has been added to App Service at platform level. If you’re using the SSL certificates included on App Service platform in your application, no action is needed.
• If you’re explicitly including the path to SSL cert file in your code, you would then need to download the new cert and update the code to use the new cert. A good example of this scenario is when you use custom containers in App Service as shared in the App Service documentation [].
What is the impact if using Azure Kubernetes Services (AKS) with Azure Database for PostgreSQL?
If you’re trying to connect to the Azure Database for PostgreSQL using Azure Kubernetes Services (AKS), access from a dedicated customers host environment. Refer to the steps here [].
If I am using read replicas, do I need to perform this update only on the primary server, or the read replicas?
Since this update is a client-side change, if the client used to read data from the replica server, you need to apply the changes for those clients as well.
How can I check the certificate that is sent by the server?
There are many tools you can use. For example, DigiCert has a handy tool [] that shows you the certificate chain of any server name. This tool works with a publicly accessible server; it can’t connect to a server that is contained in a virtual network. Another tool you can use is OpenSSL in the command line. You can use this syntax to check certificates: openssl sclient -starttls postgres -showcerts -connect.
Help and support
If you have questions, please contact If you have a support plan and you need technical help, create a support request []:

  1. For Issue type, select Technical.
  2. For Subscription, select your subscription.
  3. For Service, select My Services.
  4. For Service type, select Azure Database for PostgreSQL flexible server.
  5. For Summary, type “SSL Root CA Upgrade”.
  6. For Problem type, select Security.
  7. For Problem subtype, select Data Encryption.
    Links provided herein may take you to a third-party website and are provided for convenience only. Third-party websites are subject to the third-party’s terms and privacy statements.
    Service Name Region
    Azure Database for PostgreSQL flexible servers Australia Central
    Australia East
    Australia Southeast
    Brazil South
    Canada Central
    Canada East
    Central India
    Central US
    Central US EUAP
    East Asia
    East US
    East US 2
    East US 2 EUAP
    France Central
    Germany West Central
    Japan East
    Japan West
    Jio India West
    Korea Central
    Korea South
    North Central US
    North Europe
    Norway East
    Qatar Central
    South Africa North
    South Central US
    South India
    Southeast Asia
    Sweden Central
    Switzerland North
    UAE North
    UK South
    UK West
    West Central US
    West Europe
    West US
    West US 2
    West US 3

You are receiving this alert notification from Microsoft Azure as a member of the ‘pe-prod-sh’ action group. To unsubscribe from emails directed to this action group click here. []

[] [] [] []

Privacy Statement []
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052


This is not on the SonarQube side. You should look to Microsoft for answers.


When the Sonaqube app connects to Azure Database for PostgreSQL – Flexible Server

Does it use certificate pinning?

Does it take advantage of verify-ca or verify-full as value of sslmode parameter in the database client connectivity?


SonarQube does not do anything directly to enable SSL connection to the database, but rather allows the user to configure it through the jdbc URL parameter, by adding parameters like “ssl=true” for example. The details and requirements would depend on the database.
By default, the connection would not use SSL.
I hope that helps.

1 Like