Rotating SSL or TLS Certificate in AWS RDS

Rotating SSL/TLS Certificate

Current Certificate Expiry: If your application connects to an RDS DB instance using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), the certificate must be rotated before March 5, 2020.

Problem Description: As of September 19, 2019, Amazon RDS has published new Certificate Authority (CA) certificates for connecting to RDS DB instances using SSL/TLS. AWS provides these new CA certificates as a security best practice.

Impact: The current CA certificates expire on March 5, 2020. Therefore, AWS strongly recommends completing this change as soon as possible (and no later than February 5, 2020) to avoid disruption on the expiration date. If the change is not completed, your applications will fail to connect to your RDS DB instances using SSL/TLS after March 5, 2020.

Steps to do this activity:

  • Download the new SSL/TLS certificate from the AWS documentation page "Using SSL/TLS to Encrypt a Connection to a DB Instance".
  • Update your database applications to use the new SSL/TLS certificate.
  • Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019. This operation reboots your DB instance. By default, this operation is scheduled to run during your next maintenance window. Alternatively, you can choose to run it immediately.
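
The following Python script is an added example, not part of the original post or of AWS tooling. It reads JSON in the shape of `aws rds describe-db-instances` output (a constructed sample with made-up instance names is embedded) and reports which instances are already on rds-ca-2019, which have the change waiting for the maintenance window, and which still need the `modify-db-instance` command from the last step.

```python
import json
import shlex

NEW_CA = "rds-ca-2019"  # target CA identifier from the steps above

# Constructed sample shaped like `aws rds describe-db-instances` output.
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-prod", "CACertificateIdentifier": "rds-ca-2015",
   "PendingModifiedValues": {}},
  {"DBInstanceIdentifier": "orders-staging", "CACertificateIdentifier": "rds-ca-2015",
   "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-2019"}},
  {"DBInstanceIdentifier": "reports-dev", "CACertificateIdentifier": "rds-ca-2019",
   "PendingModifiedValues": {}}
]}
""")


def classify(instance):
    """Return 'rotated', 'scheduled' (waiting for the maintenance window) or 'needs_rotation'."""
    if instance.get("CACertificateIdentifier") == NEW_CA:
        return "rotated"
    pending = instance.get("PendingModifiedValues") or {}
    if pending.get("CACertificateIdentifier") == NEW_CA:
        return "scheduled"
    return "needs_rotation"


def plan_rotation(describe_output, apply_immediately=False):
    """Group instances by state and build one CLI command per instance still to change."""
    states = {"rotated": [], "scheduled": [], "needs_rotation": []}
    commands = []
    timing = "--apply-immediately" if apply_immediately else "--no-apply-immediately"
    for inst in describe_output.get("DBInstances", []):
        name = inst["DBInstanceIdentifier"]
        state = classify(inst)
        states[state].append(name)
        if state == "needs_rotation":
            commands.append(" ".join([
                "aws rds modify-db-instance",
                "--db-instance-identifier", shlex.quote(name),
                "--ca-certificate-identifier", NEW_CA, timing]))
    return states, commands


if __name__ == "__main__":
    states, commands = plan_rotation(SAMPLE)
    for state, names in states.items():
        print(f"{state:>14}: {', '.join(names) or '-'}")
    # Commands are printed, not executed: the change reboots the instance, and
    # clients must already trust the new CA before it is applied.
    print("\n".join(commands))
```

To use it on a real account, save the output of `aws rds describe-db-instances` to a file and pass the parsed JSON to `plan_rotation` in place of `SAMPLE`.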

Preventive Actions:

  • AWS recommends testing the steps listed above in a development or staging environment before applying them to your production environments.
  • Before you update your DB instances to use the new CA certificate, make sure that you update your clients or applications connecting to your RDS databases.
  • Any new RDS DB instances created after November 1, 2019 use the new certificates by default.

For detailed information, visit the URLs below:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

https://docs.amazonaws.cn/en_us/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

If you face any issues while updating, or have any questions, write to us at:
https://www.cloudlaramchari.com/contact/

I :heart: AWS! :smile: Enjoy