Using SSL/TLS to encrypt a connection to a DB instance - Amazon Relational Database Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using SSL/TLS to encrypt a connection to a DB instance

You can use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) from your application to encrypt a connection to a DB instance running MariaDB, Microsoft SQL Server, MySQL, Oracle, or PostgreSQL.

SSL/TLS connections provide one layer of security by encrypting data that moves between your client and a DB instance. Using a server certificate provides an extra layer of security by validating that the connection is being made to an Amazon RDS DB instance. It does so by checking the server certificate that is automatically installed on all DB instances that you provision.
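The difference between the two layers, shown for one engine as an added example that is not part of the AWS documentation. It assumes a PostgreSQL client built on libpq, whose `sslmode` and `sslrootcert` connection parameters decide whether a connection is only encrypted or also validated against the certificate bundle; the function names are hypothetical and any connection string passed in is the caller's own.

```python
import shlex
from urllib.parse import urlsplit, parse_qsl

# libpq sslmode -> (encrypted, CA chain checked, host name checked).
# None for "encrypted" means the client may fall back to plaintext.
SSLMODES = {
    "disable":     (False, False, False),
    "allow":       (None,  False, False),
    "prefer":      (None,  False, False),  # libpq default when sslmode is absent
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}

def parse_dsn(dsn):
    """Return parameters from a libpq URI or a keyword=value connection string."""
    if dsn.startswith(("postgresql://", "postgres://")):
        return dict(parse_qsl(urlsplit(dsn).query))
    # shlex strips the single quotes libpq allows around values with spaces.
    return dict(tok.split("=", 1) for tok in shlex.split(dsn) if "=" in tok)

def audit_dsn(dsn):
    """Return (level, findings) describing the TLS protection a DSN requests."""
    params = parse_dsn(dsn)
    mode = params.get("sslmode", "prefer")
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode: {mode!r}")
    encrypted, chain, host = SSLMODES[mode]
    findings = []
    if not encrypted:
        level = "plaintext-possible"
        findings.append(f"sslmode={mode} permits an unencrypted connection")
    elif not chain:
        level = "encrypted-only"
        findings.append(f"sslmode={mode} encrypts but does not validate the server certificate")
    elif not host:
        level = "ca-verified"
        findings.append(f"sslmode={mode} validates the CA chain but not the host name")
    else:
        level = "verified"
    if chain and "sslrootcert" not in params:
        findings.append("sslrootcert not set; libpq falls back to ~/.postgresql/root.crt")
    return level, findings
```

Only a `verified` result with an `sslrootcert` that points at the downloaded RDS bundle gives both layers described above.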

Each DB engine has its own process for implementing SSL/TLS. To learn how to implement SSL/TLS for your DB instance, use the link following that corresponds to your DB engine:

Note

All certificates are only available for download using SSL/TLS connections.

To get a certificate bundle that contains both the intermediate and root certificates for the China (Beijing) Amazon Region or China (Ningxia) Amazon Region, download it from https://rds-truststore.s3.cn-north-1.amazonaws.com.cn/global/global-bundle.pem. If your application is on Microsoft Windows and requires a PKCS7 file, you can download the PKCS7 certificate bundle that contains both the intermediate and root certificates at https://rds-truststore.s3.cn-north-1.amazonaws.com.cn/global/global-bundle.p7b.

To get a certificate bundle that contains both the intermediate and root certificates for an Amazon Region, download from the link for the Amazon Region in the following table.

| Amazon Region | Certificate bundle (PEM) | Certificate bundle (PKCS7) |
|---|---|---|
| China (Beijing) | cn-north-1-bundle.pem | cn-north-1-bundle.p7b |
| China (Ningxia) | cn-northwest-1-bundle.pem | cn-northwest-1-bundle.p7b |