Rotating your SSL/TLS certificate
Amazon RDS Certificate Authority certificates rds-ca-2019 are set to expire in August, 2024. If you use or plan to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) with certificate verification to connect to your RDS DB instances, you should consider using the new CA certificate rds-ca-rsa2048-g1. If you currently do not use SSL/TLS with certificate verification, you might still have an expired CA certificate and must update it to a new CA certificate if you plan to use SSL/TLS with certificate verification to connect to your RDS databases.
Follow these instructions to complete your updates. Before you update your DB instances to use the new CA certificate, make sure that you update your clients or applications connecting to your RDS databases.
Amazon RDS provides new CA certificates as an Amazon security best practice. For information about the new certificates and the supported Amazon Regions, see Using SSL/TLS to encrypt a connection to a DB instance.
Note
Amazon RDS Proxy uses certificates from the Amazon Certificate Manager (ACM). If you are using RDS Proxy, when you rotate your SSL/TLS certificate, you don't need to update applications that use RDS Proxy connections. For more information about using TLS/SSL with RDS Proxy, see Using TLS/SSL with RDS Proxy.
Note
If you are using a Go version 1.15 application with a DB instance that was created or updated to the rds-ca-2019 certificate prior to July 28, 2020, you must update the certificate again. Update the certificate to rds-ca-rsa2048-g1. Run the modify-db-instance command shown in the Amazon CLI section using the new CA certificate identifier. You can find the CAs that are available for a specific DB engine and DB engine version using the describe-db-engine-versions command.
If you created your DB instance or updated its certificate after July 28, 2020, no action is required. For more information, see Go GitHub issue #39568.
Updating your CA certificate by modifying your DB instance
The following example updates your CA certificate from rds-ca-2019 to rds-ca-rsa2048-g1.
To update your CA certificate by modifying your DB instance
1. Download the new SSL/TLS certificate as described in Using SSL/TLS to encrypt a connection to a DB instance.
2. Update your applications to use the new SSL/TLS certificate.
The methods for updating applications for new SSL/TLS certificates depend on your specific applications. Work with your application developers to update the SSL/TLS certificates for your applications.
For information about checking for SSL/TLS connections and updating applications for each DB engine, see the following topics:
- Updating applications to connect to MariaDB instances using new SSL/TLS certificates
- Updating applications to connect to Microsoft SQL Server DB instances using new SSL/TLS certificates
- Updating applications to connect to MySQL DB instances using new SSL/TLS certificates
- Updating applications to connect to Oracle DB instances using new SSL/TLS certificates
- Updating applications to connect to PostgreSQL DB instances using new SSL/TLS certificates
For a sample script that updates a trust store for a Linux operating system, see Sample script for importing certificates into your trust store.
Note
The certificate bundle contains certificates for both the old and new CA, so you can upgrade your application safely and maintain connectivity during the transition period. If you are using the Amazon Database Migration Service to migrate a database to a DB instance, we recommend using the certificate bundle to ensure connectivity during the migration.
3. Modify the DB instance to change the CA from rds-ca-2019 to rds-ca-rsa2048-g1. To check if your database requires a restart to update the CA certificates, use the describe-db-engine-versions command and check the SupportsCertificateRotationWithoutRestart flag.
Important
If you are experiencing connectivity issues after certificate expiry, use the apply immediately option by specifying Apply immediately in the console or by specifying the --apply-immediately option using the Amazon CLI. By default, this operation is scheduled to run during your next maintenance window.
To set an override for your instance CA that's different from the default RDS CA, use the modify-certificates CLI command.
You can use the Amazon Web Services Management Console or the Amazon CLI to change the CA certificate from rds-ca-2019 to rds-ca-rsa2048-g1 for a DB instance.
Console
To change the CA certificate using the console:
1. Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at https://console.amazonaws.cn/rds/.
2. In the navigation pane, choose Databases, and then choose the DB instance that you want to modify.
3. Choose Modify.
The Modify DB Instance page appears.
4. In the Connectivity section, choose rds-ca-rsa2048-g1.
5. Choose Continue and check the summary of modifications.
6. To apply the changes immediately, choose Apply immediately.
7. On the confirmation page, review your changes. If they are correct, choose Modify DB Instance to save your changes.
Important
When you schedule this operation, make sure that you have updated your client-side trust store beforehand.
Or choose Back to edit your changes or Cancel to cancel your changes.
Amazon CLI
To use the Amazon CLI to change the CA from rds-ca-2019 to rds-ca-rsa2048-g1 for a DB instance, call the modify-db-instance command. Specify the DB instance identifier and the --ca-certificate-identifier option.
Important
When you schedule this operation, make sure that you have updated your client-side trust store beforehand.
The following code modifies mydbinstance by setting the CA certificate to rds-ca-rsa2048-g1.
Important
Use --apply-immediately to apply the update immediately. By default, this operation is scheduled to run during your next maintenance window.
For Linux, macOS, or Unix:
aws rds modify-db-instance \
    --db-instance-identifier mydbinstance \
    --ca-certificate-identifier rds-ca-rsa2048-g1
For Windows:
aws rds modify-db-instance ^
    --db-instance-identifier mydbinstance ^
    --ca-certificate-identifier rds-ca-rsa2048-g1
Note
If your instance requires reboot, you can use the modify-db-instance CLI command and specify the --no-certificate-rotation-restart option.
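The CLI step above, together with the restart check from step 3, as an added example in Python against the boto3 RDS client (this is not Amazon's code): rotation_plan works on the DBInstances and DBEngineVersions lists returned by describe-db-instances and describe-db-engine-versions (the SupportedCACertificateIdentifiers field name is assumed from the current API; the sample responses are constructed), and apply_plan sends the same ModifyDBInstance parameters as the modify-db-instance call, mapping --no-certificate-rotation-restart to CertificateRotationRestart=False.

```python
# Added example, not code from the RDS documentation: plan the rds-ca-2019 ->
# rds-ca-rsa2048-g1 rotation from the two describe calls, then issue ModifyDBInstance.
OLD_CA, NEW_CA = "rds-ca-2019", "rds-ca-rsa2048-g1"
# Constructed samples of the DBInstances and DBEngineVersions response lists.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "mydbinstance", "Engine": "mysql",
     "EngineVersion": "8.0.35", "CACertificateIdentifier": OLD_CA},
    {"DBInstanceIdentifier": "reports", "Engine": "postgres",
     "EngineVersion": "12.5", "CACertificateIdentifier": OLD_CA},
]
SAMPLE_ENGINE_VERSIONS = [
    {"Engine": "mysql", "EngineVersion": "8.0.35",
     "SupportsCertificateRotationWithoutRestart": True,
     "SupportedCACertificateIdentifiers": [OLD_CA, NEW_CA]},
    {"Engine": "postgres", "EngineVersion": "12.5",
     "SupportsCertificateRotationWithoutRestart": False,
     "SupportedCACertificateIdentifiers": [OLD_CA, NEW_CA]},
]

def rotation_plan(instances, engine_versions, old_ca=OLD_CA, new_ca=NEW_CA):
    """One entry per instance still on old_ca: does its engine version offer
    new_ca, and will the change restart the instance (the step 3 flag)."""
    by_version = {(v["Engine"], v["EngineVersion"]): v for v in engine_versions}
    plan = []
    for inst in instances:
        if inst["CACertificateIdentifier"] != old_ca:
            continue  # already rotated
        ev = by_version.get((inst["Engine"], inst["EngineVersion"]), {})
        plan.append({
            "id": inst["DBInstanceIdentifier"],
            "new_ca_supported": new_ca in ev.get("SupportedCACertificateIdentifiers", []),
            "restart_required": not ev.get("SupportsCertificateRotationWithoutRestart", False),
        })
    return plan

def apply_plan(rds, plan, apply_immediately=False, defer_restart=False, new_ca=NEW_CA):
    """Call modify_db_instance on a boto3 RDS client (or any object with that
    method) for each entry whose engine version offers new_ca; returns what was sent."""
    sent = []
    for entry in plan:
        if not entry["new_ca_supported"]:
            continue  # leave it for a manual look rather than fail the API call
        params = {"DBInstanceIdentifier": entry["id"], "CACertificateIdentifier": new_ca,
                  "ApplyImmediately": apply_immediately}  # default: next maintenance window
        if defer_restart and entry["restart_required"]:
            params["CertificateRotationRestart"] = False  # --no-certificate-rotation-restart
        rds.modify_db_instance(**params)
        sent.append(params)
    return sent
```

With a real account, pass boto3.client("rds") as rds and the DBInstances and DBEngineVersions lists from the two describe calls; apply_immediately=True corresponds to --apply-immediately.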
Updating your CA certificate by applying DB instance maintenance
Complete the following steps to update your CA certificate by applying DB instance maintenance.
To update your CA certificate by applying DB instance maintenance
1. Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at https://console.amazonaws.cn/rds/.
2. In the navigation pane, choose Databases.
In the navigation pane, there is a Certificate update option that shows the total number of affected DB instances.
3. Choose Certificate update in the navigation pane.
The Databases requiring certificate update page appears.
Note
This page only shows the DB instances for the current Amazon Region. If you have DB instances in more than one Amazon Region, check this page in each Amazon Region to see all DB instances with old SSL/TLS certificates.
4. Choose the DB instance you want to update.
You can schedule the certificate rotation for your next maintenance window by choosing Schedule. Apply the rotation immediately by choosing Apply now.
Important
If you experience connectivity issues after certificate expiry, use the Apply now option.
5. If you choose Schedule, you are prompted to confirm the CA certificate rotation. This prompt also states the scheduled window for your update.
If you choose Apply now, you are prompted to confirm the CA certificate rotation.
Important
Before scheduling the CA certificate rotation on your database, update any client applications that use SSL/TLS and the server certificate to connect. These updates are specific to your DB engine. After you have updated these client applications, you can confirm the CA certificate rotation.
To continue, choose the check box, and then choose Confirm.
6. Repeat steps 3 and 4 for each DB instance that you want to update.
Automatic server certificate rotation
If your CA supports automatic server certificate rotation, RDS automatically handles the rotation of the DB server certificate. RDS uses the same root CA for this automatic rotation, so you don't need to download a new CA bundle. See Certificate authorities.
The rotation and validity of your DB server certificate depend on your DB engine:
- If your DB engine supports rotation without restart, RDS automatically rotates the DB server certificate without requiring any action from you. RDS attempts to rotate your DB server certificate in your preferred maintenance window at the DB server certificate half life. The new DB server certificate is valid for 12 months.
- If your DB engine doesn't support rotation without restart, RDS notifies you about a maintenance event at least 6 months before the DB server certificate expires. The new DB server certificate is valid for 36 months.
Use the describe-db-engine-versions command and inspect the SupportsCertificateRotationWithoutRestart flag to identify whether the DB engine version supports rotating the certificate without restart. For more information, see Setting the CA for your database.
Sample script for importing certificates into your trust store
The following are sample shell scripts that import the certificate bundle into a trust store.
Each sample shell script uses keytool, which is part of the Java Development Kit (JDK). For information about installing the JDK, see JDK Installation Guide.
Sample script for importing certificates on Linux
The following is a sample shell script that imports the certificate bundle into a trust store on a Linux operating system.
mydir=tmp/certs
if [ ! -e "${mydir}" ]
then
mkdir -p "${mydir}"
fi

truststore=${mydir}/rds-truststore.jks
storepassword=changeit

# Download the combined bundle (old and new CA certificates)
curl -sS "https://rds-truststore.s3.cn-north-1.amazonaws.com.cn/global/global-bundle.pem" > ${mydir}/global-bundle.pem

# Split the bundle into one PEM file per certificate (rds-ca-.pem, rds-ca-1.pem, ...)
awk 'split_after == 1 {n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1}{print > "rds-ca-" n ".pem"}' < ${mydir}/global-bundle.pem

# Import each certificate into the JKS trust store, using its subject CN as the alias
for CERT in rds-ca-*; do
  alias=$(openssl x509 -noout -text -in $CERT | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
  echo "Importing $alias"
  keytool -import -file ${CERT} -alias "${alias}" -storepass ${storepassword} -keystore ${truststore} -noprompt
  rm $CERT
done

rm ${mydir}/global-bundle.pem

# List every imported certificate with its expiry date
echo "Trust store content is: "

keytool -list -v -keystore "$truststore" -storepass ${storepassword} | grep Alias | cut -d " " -f3- | while read alias
do
   expiry=`keytool -list -v -keystore "$truststore" -storepass ${storepassword} -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }'`
   echo " Certificate ${alias} expires in '$expiry'"
done
Sample script for importing certificates on macOS
The following is a sample shell script that imports the certificate bundle into a trust store on macOS.
mydir=tmp/certs
if [ ! -e "${mydir}" ]
then
mkdir -p "${mydir}"
fi

truststore=${mydir}/rds-truststore.jks
storepassword=changeit

# Download the combined bundle (old and new CA certificates)
curl -sS "https://rds-truststore.s3.cn-north-1.amazonaws.com.cn/global/global-bundle.pem" > ${mydir}/global-bundle.pem

# Split the bundle into one PEM file per certificate (BSD split -p, available on macOS)
split -p "-----BEGIN CERTIFICATE-----" ${mydir}/global-bundle.pem rds-ca-

# Import each certificate into the JKS trust store, using its subject CN as the alias
for CERT in rds-ca-*; do
  alias=$(openssl x509 -noout -text -in $CERT | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
  echo "Importing $alias"
  keytool -import -file ${CERT} -alias "${alias}" -storepass ${storepassword} -keystore ${truststore} -noprompt
  rm $CERT
done

rm ${mydir}/global-bundle.pem

# List every imported certificate with its expiry date
echo "Trust store content is: "

keytool -list -v -keystore "$truststore" -storepass ${storepassword} | grep Alias | cut -d " " -f3- | while read alias
do
   expiry=`keytool -list -v -keystore "$truststore" -storepass ${storepassword} -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }'`
   echo " Certificate ${alias} expires in '$expiry'"
done