security updates

GennadNY · GennadNY · commit 731c3ea753fd · 2024-04-19T14:19:31.000-04:00
diff --git a/articles/postgresql/flexible-server/concepts-networking-ssl-tls.md b/articles/postgresql/flexible-server/concepts-networking-ssl-tls.md
@@ -112,12 +112,18 @@ Microsoft RSA Root Certificate Authority 2017  https://www.microsoft.com/pkiops/
 * Optionally, to prevent future disruption, it's also recommended to add the following roots to the trusted store:
   Microsoft ECC Root Certificate Authority 2017 - https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt
 
-Detailed information on updating client applications certificate stores with new Root CA certificates has been documented in this **[tutorial](../flexible-server/how-to-update-client-certificates-java.md)**. 
+To import certificates to client certificate stores you may have to convert certificate .crt files to .pem format, after downloading certificate files from URIs above. You can use OpenSSL utility to do these file conversions, as shown in example below:
+
+```powershell
+openssl x509 -in cert.crt -out cert.pem
+```
+
+**Detailed information on updating client applications certificate stores with new Root CA certificates has been documented in this [how-to document](../flexible-server/how-to-update-client-certificates-java.md)**. 
 
 ### Read Replicas with certificate pinning scenarios
 
 With Root CA migration to [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm) it's feasible for newly created replicas to be on a newer Root CA certificate than primary server created earlier. 
-Therefore, for clients that use **verify-ca** and **verify-full** sslmode configuration settings, i.e. certificate pinning, is imperative for interrupted connectivity to accept **both** root CA certificates:
+Therefore, for clients that use **verify-ca** and **verify-full** sslmode configuration settings, that is, certificate pinning, is imperative for interrupted connectivity to accept **both** root CA certificates:
   * For connectivity to servers deployed to Azure Government cloud regions (US Gov Virginia, US Gov Texas, US Gov Arizona):  [DigiCert Global Root G2](https://www.digicert.com/kb/digicert-root-certificates.htm) and [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm) root CA certificates, as services are migrating from Digicert to Microsoft CA. 
   * For connectivity to servers deployed to Azure public cloud regions worldwide: [Digicert Global Root CA](https://www.digicert.com/kb/digicert-root-certificates.htm) and [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm), as services are migrating from Digicert to Microsoft CA.
 
@@ -133,7 +139,7 @@ You can use psql command line from your client to test connectivity to the serve
 $ psql "host=hostname.postgres.database.azure.com port=5432 user=myuser dbname=mydatabase sslmode=verify-full sslcert=client.crt sslkey=client.key sslrootcert=ca.crt"
 
 ```
-For more on ssl and certificate parameters you can follow [psql documentation](https://www.postgresql.org/docs/current/app-psql.html)
+For more on ssl and certificate parameters, you can follow [psql documentation.](https://www.postgresql.org/docs/current/app-psql.html)
 
 ## Testing SSL/TLS Connectivity
 
diff --git a/articles/postgresql/flexible-server/how-to-update-client-certificates-java.md b/articles/postgresql/flexible-server/how-to-update-client-certificates-java.md
@@ -18,6 +18,12 @@ ms.topic: conceptual
 
 Custom-written Java applications  use a default keystore, called *cacerts*, which contains trusted certificate authority (CA) certificates. It's also often known as Java trust store. A certificates file named *cacerts* resides in the security properties directory, java.home\lib\security, where java.home is the runtime environment directory (the jre directory in the SDK or the top-level directory of the Java™ 2 Runtime Environment).
 You can use following directions to update client root CA certificates for client certificate pinning scenarios with PostgreSQL Flexible Server:
+1. Check *cacerts* java keystore to see if it already contains required certificates. You can list certificates in Java keystore by using following command:
+  ```powershell
+    keytool -list -v -keystore </path/to/cacerts>
+  ```
+If necessary certificates are not present in the java key store on the client, you should proceed with following directions:
+   
 1. Make a backup copy of your custom keystore.
 2. Download [certificates](../flexible-server/concepts-networking-ssl-tls.md#downloading-root-ca-certificates-and-updating-application-clients-in-certificate-pinning-scenarios)
 3. Generate a combined CA certificate store with both Root CA certificates are included. Example below shows using DefaultJavaSSLFactory for PostgreSQL JDBC users.
@@ -48,9 +54,10 @@ You can use following directions to update client root CA certificates for clien
 
 For more information on configuring client certificates with PostgreSQL JDBC driver, see this [documentation.](https://jdbc.postgresql.org/documentation/ssl/)
 
+> [!NOTE]
+> To import certificates to client certificate stores you may have to convert certificate .crt files to .pem format. You ?..can use **[OpenSSL utility to do these file conversions](./concepts-networking-ssl-tls.md#downloading-root-ca-certificates-and-updating-application-clients-in-certificate-pinning-scenarios)**.
 
-
-## Get list of trusted certificates in Java Key Store
+## Get list of trusted certificates in Java Key Store programmatically
 
 As stated above, Java, by default, stores the trusted certificates in a special file named *cacerts* that is located inside  Java installation folder on the client.
 Example below first reads *cacerts* and loads it into *KeyStore* object:
