Merge pull request #271122 from GennadNY/gennadyk-branch24

prmerger-automator[bot] · web-flow · commit b39111c51d43 · 2024-04-03T20:23:48.000Z
Update concepts-networking-ssl-tls.md
diff --git a/articles/postgresql/flexible-server/concepts-networking-ssl-tls.md b/articles/postgresql/flexible-server/concepts-networking-ssl-tls.md
@@ -203,9 +203,17 @@ For other PostgreSQL client users, you can merge two CA certificate files like t
 (Root CA2: Microsoft ECC Root Certificate Authority 2017.crt.pem)
 -----END CERTIFICATE-----
 
+### Read Replicas with certificate pinning scenarios
+
+With Root CA migration to [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm) it's feasible for newly created replicas to be on a newer Root CA certificate than primary server created earlier. 
+Therefore, for clients that use **verify-ca** and **verify-full** sslmode configuration settings, i.e. certificate pinning, is imperative for interrupted connectivity to accept **both** root CA certificates:
+  * For connectivity to servers deployed to Azure Government cloud regions (US Gov Virginia, US Gov Texas, US Gov Arizona):  [DigiCert Global Root G2](https://www.digicert.com/kb/digicert-root-certificates.htm) and [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm) root CA certificates, as services are migrating from Digicert to Microsoft CA. 
+  * For connectivity to servers deployed to Azure public cloud regions worldwide: [Digicert Global Root CA](https://www.digicert.com/kb/digicert-root-certificates.htm) and [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm), as services are migrating from Digicert to Microsoft CA.
+
+
 ## Testing SSL\TLS Connectivity
 
-Before trying to access your SSL enabled server from client application, make sure you can get to it via psql. You should see output similar to the following if you have established an SSL connection.
+Before trying to access your SSL enabled server from client application, make sure you can get to it via psql. You should see output similar to the following if you  established an SSL connection.
 
 
 *psql (14.5)*
