
Commit 62c0df0

Merge pull request #134182 from kummanish/certchange
Certchange
2 parents c570b8a + 10112d4 commit 62c0df0

11 files changed, +65 −31 lines changed

articles/mariadb/concepts-certificate-rotation.md

Lines changed: 14 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -10,7 +10,10 @@ ms.date: 09/02/2020
1010

1111
# Understanding the changes in the Root CA change for Azure Database for MariaDB
1212

13-
Azure Database for MariaDB will be changing the root certificate for the client application/driver enabled with SSL, use to [connect to the database server](concepts-connectivity-architecture.md). The root certificate currently available is set to expire October 26, 2020 (10/26/2020) as part of standard maintenance and security best practices. This article gives you more details about the upcoming changes, the resources that will be affected, and the steps needed to ensure that your application maintains connectivity to your database server.
13+
Azure Database for MariaDB will be changing the root certificate for the client application/driver enabled with SSL, use to [connect to the database server](concepts-connectivity-architecture.md). The root certificate currently available is set to expire February 15, 2021 (02/15/2021) as part of standard maintenance and security best practices. This article gives you more details about the upcoming changes, the resources that will be affected, and the steps needed to ensure that your application maintains connectivity to your database server.
14+
15+
>[!NOTE]
16+
> Based on the feedback from customers we have extended the root certificate deprecation for our existing Baltimore Root CA from October 26th, 2020 till February 15, 2021. We hope this extension provide sufficient lead time for our users to implement the client changes if they are impacted.
1417
1518
## What update is going to happen?
1619
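Review bot: the new line 13 keeps the old line's typo "enabled with SSL, use to [connect to the database server]"; the MySQL counterpart in this same PR reads "used to", so it should be corrected here while the line is being edited. In the added NOTE, "We hope this extension provide sufficient lead time" should read "provides", and the deadline there is written without the "(02/15/2021)" numeric form that every other occurrence in the article uses.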

@@ -19,12 +22,12 @@ In some cases, applications use a local certificate file generated from a truste
1922
As per the industry’s compliance requirements, CA vendors began revoking CA certificates for non-compliant CAs, requiring servers to use certificates issued by compliant CAs, and signed by CA certificates from those compliant CAs. Since Azure Database for MariaDB currently uses one of these non-compliant certificates, which client applications use to validate their SSL connections, we need to ensure that appropriate actions are taken (described below) to minimize the potential impact to your MariaDB servers.
2023

2124

22-
The new certificate will be used starting October 26, 2020 (10/26/2020).If you use either CA validation or full validation of the server certificate when connecting from a MySQL client (sslmode=verify-ca or sslmode=verify-full), you need to update your application configuration before October 26, 2020 (10/26/2020).
25+
The new certificate will be used starting February 15, 2021 (02/15/2021).If you use either CA validation or full validation of the server certificate when connecting from a MySQL client (sslmode=verify-ca or sslmode=verify-full), you need to update your application configuration before February 15, 2021 (02/15/2021).
2326

2427
## How do I know if my database is going to be affected?
2528

2629
All applications that use SSL/TLS and verify the root certificate needs to update the root certificate. You can identify whether your connections verify the root certificate by reviewing your connection string.
27-
- If your connection string includes `sslmode=verify-ca` or `sslmode=verify-full`, you need to update the certificate.
30+
- If your connection string includes `sslmode=verify-ca` or `sslmode=verify-identity`, you need to update the certificate.
2831
- If your connection string includes `sslmode=disable`, `sslmode=allow`, `sslmode=prefer`, or `sslmode=require`, you do not need to update certificates.
2932
- If your connection string does not specify sslmode, you do not need to update certificates.
3033
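Review bot: line 25 still says the affected modes are `sslmode=verify-ca or sslmode=verify-full`, while line 30 in the same hunk is changed to `sslmode=verify-identity`, so the two statements of which clients must update now disagree. `verify-full` is the PostgreSQL libpq spelling; MySQL/MariaDB clients use `VERIFY_CA` and `VERIFY_IDENTITY`, so line 25 should be brought in line with line 30. Also, "(02/15/2021).If you use" is missing the space after the period.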

@@ -78,6 +81,9 @@ If you are using the Azure Database for MariaDB issued certificate as documented
7881
* Invalid certificate/revoked certificate
7982
* Connection timed out
8083
84+
> [!NOTE]
85+
> Please do not drop or alter **Baltimore certificate** until the cert change is made. We will send a communication once the change is done, after which it is safe for them to drop the Baltimore certificate.
86+
8187
## Frequently asked questions
8288
8389
### 1. If I am not using SSL/TLS, do I still need to update the root CA?
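Review bot: in the added NOTE, "after which it is safe for them to drop the Baltimore certificate" has no antecedent for "them"; the sentence before it addresses the reader ("Please do not drop or alter"), so "safe for you to drop" is what is meant. "the cert change" should also be spelled out as "the certificate change" to match the rest of the article.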
@@ -86,8 +92,8 @@ No actions required if you are not using SSL/TLS.
8692
### 2. If I am using SSL/TLS, do I need to restart my database server to update the root CA?
8793
No, you do not need to restart the database server to start using the new certificate. Certificate update is a client-side change and the incoming client connections need to use the new certificate to ensure that they can connect to the database server.
8894
89-
### 3. What will happen if I do not update the root certificate before October 26, 2020 (10/26/2020)?
90-
If you do not update the root certificate before October 26, 2020, your applications that connect via SSL/TLS and does verification for the root certificate will be unable to communicate to the MariaDB database server and application will experience connectivity issues to your MariaDB database server.
95+
### 3. What will happen if I do not update the root certificate before February 15, 2021 (02/15/2021)?
96+
If you do not update the root certificate before February 15, 2021 (02/15/2021), your applications that connect via SSL/TLS and does verification for the root certificate will be unable to communicate to the MariaDB database server and application will experience connectivity issues to your MariaDB database server.
9197
9298
### 4. What is the impact if using App Service with Azure Database for MariaDB?
9399
For Azure app services, connecting to Azure Database for MariaDB, we can have two possible scenarios and it depends on how on you are using SSL with your application.
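Review bot: the rewritten line 97 carries forward an agreement problem from the old line: "your applications that connect via SSL/TLS and does verification for the root certificate ... and application will experience connectivity issues" should read "do verification" and "your applications will experience". Since the line is being touched for the date anyway, fix the grammar in the same change.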
@@ -105,11 +111,11 @@ For connector using Self-hosted Integration Runtime where you explicitly include
105111
### 7. Do I need to plan a database server maintenance downtime for this change?
106112
No. Since the change here is only on the client side to connect to the database server, there is no maintenance downtime needed for the database server for this change.
107113
108-
### 8. What if I cannot get a scheduled downtime for this change before October 26, 2020 (10/26/2020)?
114+
### 8. What if I cannot get a scheduled downtime for this change before February 15, 2021 (02/15/2021)?
109115
Since the clients used for connecting to the server needs to be updating the certificate information as described in the fix section [here](./concepts-certificate-rotation.md#what-do-i-need-to-do-to-maintain-connectivity), we do not need to a downtime for the server in this case.
110116
111-
### 9. If I create a new server after October 26, 2020, will I be impacted?
112-
For servers created after October 26, 2020 (10/26/2020), you can use the newly issued certificate for your applications to connect using SSL.
117+
### 9. If I create a new server after February 15, 2021 (02/15/2021), will I be impacted?
118+
For servers created after February 15, 2021 (02/15/2021), you can use the newly issued certificate for your applications to connect using SSL.
113119
114120
### 10. How often does Microsoft update their certificates or what is the expiry policy?
115121
These certificates used by Azure Database for MariaDB are provided by trusted Certificate Authorities (CA). So the support of these certificates on Azure Database for MariaDB is tied to the support of these certificates by CA. However, as in this case, there can be unforeseen bugs in these predefined certificates, which need to be fixed at the earliest.
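Review bot: lines 115 and 117 are date-only changes, but the answers around them have problems worth fixing in the same pass: line 115 reads "we do not need to a downtime for the server" (should be "we do not need downtime for the server"), and the answer on line 118 never answers the yes/no question in the heading "will I be impacted?"; it only says which certificate new servers can use. State the verdict first, then the certificate guidance.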

articles/mariadb/concepts-ssl-connection-security.md

Lines changed: 4 additions & 1 deletion
@@ -11,8 +11,11 @@ ms.date: 07/09/2020
1111
# SSL/TLS connectivity in Azure Database for MariaDB
1212
Azure Database for MariaDB supports connecting your database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and your application.
1313

14+
>[!NOTE]
15+
> Based on the feedback from customers we have extended the root certificate deprecation for our existing Baltimore Root CA till February 15, 2021 (02/15/2021).
16+
1417
> [!IMPORTANT]
15-
> SSL root certificate is set to expire starting October 26th, 2020 (10/26/2020). Please update your application to use the [new certificate](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem). To learn more , see [planned certificate updates](concepts-certificate-rotation.md)
18+
> SSL root certificate is set to expire starting February 15, 2021 (02/15/2021). Please update your application to use the [new certificate](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem). To learn more , see [planned certificate updates](concepts-certificate-rotation.md)
1619
1720
## Default settings
1821
By default, the database service should be configured to require SSL connections when connecting to MariaDB. We recommend to avoid disabling the SSL option whenever possible.
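Review bot: the new NOTE (lines 14-16) and the IMPORTANT block directly below it (line 18) both state the February 15, 2021 date, so the reader gets two stacked admonitions for one fact; fold the extension sentence into the IMPORTANT block or drop the date from one of them. The added `>[!NOTE]` also lacks the space after `>` that `> [!IMPORTANT]` uses on the next line, and "To learn more , see" on line 18 has a stray space before the comma.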

articles/mariadb/howto-configure-privatelink-cli.md

Lines changed: 1 addition & 1 deletion
@@ -91,7 +91,7 @@ az network private-endpoint create \
9191
--resource-group myResourceGroup \
9292
--vnet-name myVirtualNetwork \
9393
--subnet mySubnet \
94-
--private-connection-resource-id $(az resource show -g myResourcegroup -n mydemoserver --resource-type "Microsoft.DBforMariaDB/servers" --query "id") \
94+
--private-connection-resource-id $(az resource show -g myResourcegroup -n mydemoserver --resource-type "Microsoft.DBforMariaDB/servers" --query "id" -o tsv) \
9595
--group-id mariadbServer \
9696
--connection-name myConnection
9797
```
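Review bot: adding `-o tsv` is the right fix here: without it `--query "id"` returns the resource id as a JSON string including its surrounding double quotes, so the value substituted into `--private-connection-resource-id` carried literal quote characters. One leftover on the same line: the inner command uses `-g myResourcegroup` while the outer command four lines up uses `--resource-group myResourceGroup`; spell the sample resource group name the same way in both places so readers do not wonder whether two different groups are meant.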

articles/mysql/concepts-certificate-rotation.md

Lines changed: 14 additions & 8 deletions
@@ -10,20 +10,23 @@ ms.date: 09/02/2020
1010

1111
# Understanding the changes in the Root CA change for Azure Database for MySQL
1212

13-
Azure Database for MySQL will be changing the root certificate for the client application/driver enabled with SSL, used to [connect to the database server](concepts-connectivity-architecture.md). The root certificate currently available is set to expire October 26, 2020 (10/26/2020) as part of standard maintenance and security best practices. This article gives you more details about the upcoming changes, the resources that will be affected, and the steps needed to ensure that your application maintains connectivity to your database server.
13+
Azure Database for MySQL will be changing the root certificate for the client application/driver enabled with SSL, used to [connect to the database server](concepts-connectivity-architecture.md). The root certificate currently available is set to expire February 15, 2021 (02/15/2021) as part of standard maintenance and security best practices. This article gives you more details about the upcoming changes, the resources that will be affected, and the steps needed to ensure that your application maintains connectivity to your database server.
14+
15+
>[!NOTE]
16+
> Based on the feedback from customers we have extended the root certificate deprecation for our existing Baltimore Root CA from October 26th, 2020 till February 15, 2021. We hope this extension provide sufficient lead time for our users to implement the client changes if they are impacted.
1417
1518
## What update is going to happen?
1619

1720
In some cases, applications use a local certificate file generated from a trusted Certificate Authority (CA) certificate file to connect securely. Currently customers can only use the predefined certificate to connect to an Azure Database for MySQL server, which is located [here](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem). However, [Certificate Authority (CA) Browser forum](https://cabforum.org/) recently published reports of multiple certificates issued by CA vendors to be non-compliant.
1821

1922
As per the industry’s compliance requirements, CA vendors began revoking CA certificates for non-compliant CAs, requiring servers to use certificates issued by compliant CAs, and signed by CA certificates from those compliant CAs. Since Azure Database for MySQL currently uses one of these non-compliant certificates, which client applications use to validate their SSL connections, we need to ensure that appropriate actions are taken (described below) to minimize the potential impact to your MySQL servers.
2023

21-
The new certificate will be used starting October 26, 2020 (10/26/2020).If you use either CA validation or full validation of the server certificate when connecting from a MySQL client (sslmode=verify-ca or sslmode=verify-full), you need to update your application configuration before October 26, 2020 (10/26/2020).
24+
The new certificate will be used starting February 15, 2021 (02/15/2021).If you use either CA validation or full validation of the server certificate when connecting from a MySQL client (sslmode=verify-ca or sslmode=verify-full), you need to update your application configuration before February 15, 2021 (03/15/2021).
2225

2326
## How do I know if my database is going to be affected?
2427

2528
All applications that use SSL/TLS and verify the root certificate needs to update the root certificate. You can identify whether your connections verify the root certificate by reviewing your connection string.
26-
- If your connection string includes `sslmode=verify-ca` or `sslmode=verify-full`, you need to update the certificate.
29+
- If your connection string includes `sslmode=verify-ca` or `sslmode=verify-identity`, you need to update the certificate.
2730
- If your connection string includes `sslmode=disable`, `sslmode=allow`, `sslmode=prefer`, or `sslmode=require`, you do not need to update certificates.
2831
- If using Java connectors and your connection string includes useSSL=false or requireSSL=false, you do not need to update certificates.
2932
- If your connection string does not specify sslmode, you do not need to update certificates.
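Review bot: line 24 has a date mismatch: "before February 15, 2021 (03/15/2021)" puts a March numeric date beside the spelled-out February date, and every other occurrence in this PR uses (02/15/2021). The same line also still lists `sslmode=verify-full` while line 29 in this hunk is changed to `sslmode=verify-identity`, so the two descriptions of which clients are affected disagree; update line 24 to match. Finally, "(02/15/2021).If you use" needs a space after the period.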
@@ -79,6 +82,9 @@ If you are using the Azure Database for MySQL issued certificate as documented h
7982
* Invalid certificate/revoked certificate
8083
* Connection timed out
8184
85+
> [!NOTE]
86+
> Please do not drop or alter **Baltimore certificate** until the cert change is made. We will send a communication once the change is done, after which it is safe for them to drop the Baltimore certificate.
87+
8288
## Frequently asked questions
8389
8490
### 1. If I am not using SSL/TLS, do I still need to update the root CA?
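Review bot: same wording issue as the MariaDB copy of this NOTE: "safe for them to drop the Baltimore certificate" has no antecedent for "them" and should read "safe for you to drop", matching the "Please do not drop or alter" that addresses the reader directly; "the cert change" should be "the certificate change".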
@@ -87,8 +93,8 @@ No actions required if you are not using SSL/TLS.
8793
### 2. If I am using SSL/TLS, do I need to restart my database server to update the root CA?
8894
No, you do not need to restart the database server to start using the new certificate. This root certificate is a client-side change and the incoming client connections need to use the new certificate to ensure that they can connect to the database server.
8995
90-
### 3. What will happen if I do not update the root certificate before October 26, 2020 (10/26/2020)?
91-
If you do not update the root certificate before October 26, 2020, your applications that connect via SSL/TLS and does verification for the root certificate will be unable to communicate to the MySQL database server and application will experience connectivity issues to your MySQL database server.
96+
### 3. What will happen if I do not update the root certificate before February 15, 2021 (02/15/2021)?
97+
If you do not update the root certificate before February 15, 2021 (02/15/2021), your applications that connect via SSL/TLS and does verification for the root certificate will be unable to communicate to the MySQL database server and application will experience connectivity issues to your MySQL database server.
9298
9399
### 4. What is the impact if using App Service with Azure Database for MySQL?
94100
For Azure app services, connecting to Azure Database for MySQL, we can have two possible scenarios and it depends on how on you are using SSL with your application.
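Review bot: the rewritten line 98 keeps the old line's grammar: "your applications that connect via SSL/TLS and does verification ... and application will experience connectivity issues" should read "do verification" and "your applications will experience". Fix it here since the line is already being changed for the date.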
@@ -106,11 +112,11 @@ For connector using Self-hosted Integration Runtime where you explicitly include
106112
### 7. Do I need to plan a database server maintenance downtime for this change?
107113
No. Since the change here is only on the client side to connect to the database server, there is no maintenance downtime needed for the database server for this change.
108114
109-
### 8. What if I cannot get a scheduled downtime for this change before October 26, 2020 (10/26/2020)?
115+
### 8. What if I cannot get a scheduled downtime for this change before February 15, 2021 (02/15/2021)?
110116
Since the clients used for connecting to the server needs to be updating the certificate information as described in the fix section [here](./concepts-certificate-rotation.md#what-do-i-need-to-do-to-maintain-connectivity), we do not need to a downtime for the server in this case.
111117
112-
### 9. If I create a new server after October 26, 2020, will I be impacted?
113-
For servers created after October 26, 2020 (10/26/2020), you can use the newly issued certificate for your applications to connect using SSL.
118+
### 9. If I create a new server after February 15, 2021 (02/15/2021), will I be impacted?
119+
For servers created after February 15, 2021 (02/15/2021), you can use the newly issued certificate for your applications to connect using SSL.
114120
115121
### 10. How often does Microsoft update their certificates or what is the expiry policy?
116122
These certificates used by Azure Database for MySQL are provided by trusted Certificate Authorities (CA). So the support of these certificates on Azure Database for MySQL is tied to the support of these certificates by CA. However, as in this case, there can be unforeseen bugs in these predefined certificates, which need to be fixed at the earliest.
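Review bot: as in the MariaDB file, lines 116 and 118 are date-only edits but the surrounding answers need attention: line 116 reads "we do not need to a downtime for the server" (should be "we do not need downtime"), and the answer on line 119 does not answer the heading's "will I be impacted?" before describing which certificate to use. Lead with the verdict.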

articles/mysql/concepts-infrastructure-double-encryption.md

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ Azure Database for MySQL uses storage [encryption of data at-rest](concepts-secu
1515
Infrastructure double encryption adds a second layer of encryption using service-managed keys. It uses FIPS 140-2 validated cryptographic module, but with a different encryption algorithm. This provides an additional layer of protection for your data at rest. The key used in Infrastructure double encryption is also managed by the Azure Database for MySQL service. Infrastructure double encryption is not enabled by default since the additional layer of encryption can have a performance impact.
1616

1717
> [!NOTE]
18-
> This feature is available in all Azure regions where Azure Database for MySQL supports "General Purpose" and "Memory Optimized" pricing tiers.
18+
> This feature is only supported for "General Purpose" and "Memory Optimized" pricing tiers in Azure Database for PostgreSQL.
1919
2020
Infrastructure Layer encryption has the benefit of being implemented at the layer closest to the storage device or network wires. Azure Database for MySQL implements the two layers of encryption using service-managed keys. Although still technically in the service layer, it is very close to hardware that stores the data at rest. You can still optionally enable data encryption at rest using [customer managed key](concepts-data-encryption-mysql.md) for the provisioned MySQL server.
2121
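Review bot: the replacement NOTE on line 18 says "in Azure Database for PostgreSQL", but this file is articles/mysql/concepts-infrastructure-double-encryption.md and every other sentence in the hunk refers to Azure Database for MySQL; this looks copied from the PostgreSQL article and should say MySQL. The rewrite also drops the region statement the old line carried ("available in all Azure regions where ... supports ..."), so confirm that narrowing the note to pricing tiers only is intended and not an accidental loss.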

articles/mysql/concepts-ssl-connection-security.md

Lines changed: 4 additions & 1 deletion
@@ -15,8 +15,11 @@ Azure Database for MySQL supports connecting your database server to client appl
1515
> [!NOTE]
1616
> Updating the `require_secure_transport` server parameter value does not affect the MySQL service's behavior. Use the SSL and TLS enforcement features outlined in this article to secure connections to your database.
1717
18+
>[!NOTE]
19+
> Based on the feedback from customers we have extended the root certificate deprecation for our existing Baltimore Root CA till February 15, 2021 (02/15/2021).
20+
1821
> [!IMPORTANT]
19-
> SSL root certificate is set to expire starting October 26th, 2020 (10/26/2020). Please update your application to use the [new certificate](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem). To learn more , see [planned certificate updates](concepts-certificate-rotation.md)
22+
> SSL root certificate is set to expire starting February 15, 2021 (02/15/2021). Please update your application to use the [new certificate](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem). To learn more , see [planned certificate updates](concepts-certificate-rotation.md)
2023
2124
## SSL Default settings
2225
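Review bot: this hunk stacks three admonitions in a row (the existing NOTE on `require_secure_transport`, the new NOTE on lines 18-20, and the IMPORTANT on line 22), with the last two both stating the February 15, 2021 date. Merge the extension sentence into the IMPORTANT block so the date is stated once. The added `>[!NOTE]` is also missing the space after `>` used by the adjacent `> [!NOTE]` and `> [!IMPORTANT]`, and "To learn more , see" on line 22 has a stray space before the comma.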

articles/mysql/howto-configure-privatelink-cli.md

Lines changed: 1 addition & 1 deletion
@@ -87,7 +87,7 @@ az network private-endpoint create \
8787
--resource-group myResourceGroup \
8888
--vnet-name myVirtualNetwork \
8989
--subnet mySubnet \
90-
--private-connection-resource-id $(az resource show -g myResourcegroup -n mydemoserver --resource-type "Microsoft.DBforMySQL/servers" --query "id") \
90+
--private-connection-resource-id $(az resource show -g myResourcegroup -n mydemoserver --resource-type "Microsoft.DBforMySQL/servers" --query "id" -o tsv) \
9191
--group-id mysqlServer \
9292
--connection-name myConnection
9393
```
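Review bot: the `-o tsv` addition is correct for the same reason as in the MariaDB how-to: `--query "id"` alone returns a JSON-quoted string, so the substituted resource id would have contained literal double quotes. The inner `-g myResourcegroup` still differs in casing from the `--resource-group myResourceGroup` on the outer command; align the sample name in both places.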
