Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Note

This information only applies to users in the GovCloud (US-West) region.

Updating Your Application and Amazon DocumentDB Cluster

Follow the steps in this section to update your application's CA certificate bundle (Step 1) and your cluster's server certificates (Step 2). Before you apply the changes to your production environments, we strongly recommend testing these steps in a development or staging environment.

Note

You must complete Steps 1 and 2 in each Amazon Web Services Region in which you have Amazon DocumentDB clusters.

Step 1: Download the New CA Certificate and Update Your Application

For examples of using a CA bundle with your application, see Encrypting Data in Transit and Connecting with TLS Enabled.

Note

Currently, the MongoDB Go Driver 1.2.1 only accepts one CA server certificate in sslcertificateauthorityfile. Please see Connecting with TLS Enabled for connecting to Amazon DocumentDB using Go when TLS is enabled.

Step 2: Update the Server Certificate

After the application has been updated to use the new CA bundle, the next step is to update the server certificate by modifying each instance in an Amazon DocumentDB cluster. To modify instances to use the new server certificate, see the following instructions.

Note

Updating your instances requires a reboot, which might cause service disruption. Before updating the server certificate, ensure that you have completed Step 1.

Using the Amazon Web Services Management Console

Complete the following steps to identify and rotate the old server certificate for your existing Amazon DocumentDB instances using the Amazon Web Services Management Console.

  1. Sign in to the Amazon Web Services Management Console, and open the Amazon DocumentDB console at https://console.amazonaws.cn/docdb.

  2. In the list of Regions in the upper-right corner of the screen, choose the Amazon Web Services Region in which your clusters reside.

  3. In the navigation pane on the left side of the console, choose Clusters.

  4. You may need to identify which instances are still on the old server certificate (rds-ca-2017). You can do this in the Certificate authority column which is hidden by default. To show the Certificate authority column, do the following:

    1. Choose the Settings icon.

      Image of the Clusters navigation box with the Settings icon highlighted.
    2. Under the list of visible columns, choose the Certificate authority column.

    3. Choose Confirm to save your changes.

  5. Now back in the Clusters navigation box, you’ll see the column Cluster Identifier. Your instances are listed under clusters, similar to the screenshot below.

    Image of the Clusters navigation box showing a list of existing cluster links and their corresponding instance links.
  6. Check the box to the left of the instance you are interested in.

  7. Choose Actions and then choose Modify.

  8. You can see a summary of the changes on the next page. Note that there is an extra alert to remind you to ensure that your application is using the latest certificate CA bundle before modifying the instance to avoid causing an interruption in connectivity.

  9. You can choose to apply the modification during your next maintenance window or apply immediately. If your intention is to modify the server certificate immediately, use the Apply Immediately option.

  10. Choose Modify instance to complete the update.

Using the Amazon CLI

Complete the following steps to identify and rotate the old server certificate for your existing Amazon DocumentDB instances using the Amazon CLI.

  1. To modify the instances immediately, execute the following command for each instance in the cluster.

  2. To modify the instances in your clusters to use the new CA certificate during your cluster’s next maintenance window, execute the following command for each instance in the cluster.

Frequently Asked Questions

The following are answers to some common questions about TLS certificates.

What if I have questions or issues?

If you have questions or issues, contact Amazon Web Services Support.

How do I know whether I'm using TLS to connect to my Amazon DocumentDB cluster?

You can determine whether your cluster is using TLS by examining the tls parameter for your cluster’s cluster parameter group. If the tls parameter is set to enabled, you are using the TLS certificate to connect to your cluster. For more information, see Managing Amazon DocumentDB cluster parameter groups.

Why are you updating the CA and server certificates?

What happens if I don't take any action by the expiration date?

If you are using TLS to connect to your Amazon DocumentDB cluster and you do not make the change by May 18, 2022, your applications that connect via TLS will no longer be able to communicate with the Amazon DocumentDB cluster.

Amazon DocumentDB will not rotate your database certificates automatically before expiration. You must update your applications and clusters to use the new CA certificates before or after the expiration date.

How do I know which of my Amazon DocumentDB instances are using the old/new server certificate?

To identify the Amazon DocumentDB instances that still use the old server certificate, you can use either the Amazon DocumentDB Amazon Web Services Management Console or the Amazon CLI.

To identify the instances in your clusters that are using the older certificate
  1. Sign in to the Amazon Web Services Management Console, and open the Amazon DocumentDB console at https://console.amazonaws.cn/docdb.

  2. In the list of Regions in the upper-right corner of the screen, choose the Amazon Web Services Region in which your instances reside.

  3. In the navigation pane on the left side of the console, choose Instances.

    1. Choose the Settings icon.

    2. Under the list of visible columns, choose the Certificate authority column.

    3. Choose Confirm to save your changes.

To identify the instances in your clusters that are using the older server certificate, use the describe-db-instances command with the filter and query shown below.

aws docdb describe-db-instances \
    --filters Name=engine,Values=docdb \
    --query 'DBInstances[*].{CertificateVersion:CACertificateIdentifier,InstanceID:DBInstanceIdentifier}'
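The query above only lists instance identifiers next to their CA identifier; the FAQ entries on this page also recommend rotating every instance of a cluster together and note that a replaced instance keeps its previous certificate. The following is an added example, not code from the Amazon DocumentDB documentation, that reads the JSON which `aws docdb describe-db-instances` returns (here a constructed sample), groups instances by cluster, lists the instances still on rds-ca-2017, and flags clusters whose instances disagree on their CA identifier. The identifier `new-ca-placeholder` stands in for the new CA identifier, which this page does not name.

```python
import json
from collections import defaultdict

OLD_CA = "rds-ca-2017"   # identifier this page gives for the old server certificate

def audit_instances(describe_output, old_ca=OLD_CA):
    """Group DescribeDBInstances JSON by cluster and report certificate state.

    Returns {cluster_id: {"stale": [instance ids still on old_ca],
                          "mixed": True if the cluster's instances use more
                                   than one CA identifier}}.
    A "mixed" cluster is what you get after a partial rotation or an instance
    replacement, which this page says keeps the replaced instance's certificate.
    """
    by_cluster = defaultdict(list)
    for inst in describe_output["DBInstances"]:
        by_cluster[inst["DBClusterIdentifier"]].append(
            (inst["DBInstanceIdentifier"], inst.get("CACertificateIdentifier")))
    report = {}
    for cluster, members in by_cluster.items():
        ca_ids = {ca for _, ca in members}
        report[cluster] = {
            "stale": sorted(iid for iid, ca in members if ca == old_ca),
            "mixed": len(ca_ids) > 1,
        }
    return report

# Constructed sample shaped like `aws docdb describe-db-instances` output (not real data).
SAMPLE = json.loads("""{"DBInstances": [
  {"DBInstanceIdentifier": "docdb-a-1", "DBClusterIdentifier": "docdb-a",
   "CACertificateIdentifier": "rds-ca-2017"},
  {"DBInstanceIdentifier": "docdb-a-2", "DBClusterIdentifier": "docdb-a",
   "CACertificateIdentifier": "rds-ca-2017"},
  {"DBInstanceIdentifier": "docdb-b-1", "DBClusterIdentifier": "docdb-b",
   "CACertificateIdentifier": "rds-ca-2017"},
  {"DBInstanceIdentifier": "docdb-b-2", "DBClusterIdentifier": "docdb-b",
   "CACertificateIdentifier": "new-ca-placeholder"}
]}""")

if __name__ == "__main__":
    for cluster, state in audit_instances(SAMPLE).items():
        print(f"{cluster}: stale={state['stale']} mixed={state['mixed']}")
```

To run it against a real account, pipe the output of the describe-db-instances command (without the `--query`) into `json.load` and pass the result to `audit_instances`.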

How do I modify individual instances in my Amazon DocumentDB cluster to update the server certificate?

We recommend that you update server certificates for all instances in a given cluster at the same time. To modify the instances in your cluster, you can use either the console or the Amazon CLI.

Note

Updating your instances requires a reboot, which might cause service disruption. Before updating the server certificate, ensure that you have completed Step 1.

  1. Sign in to the Amazon Web Services Management Console, and open the Amazon DocumentDB console at https://console.amazonaws.cn/docdb.

  2. In the list of Regions in the upper-right corner of the screen, choose the Amazon Web Services Region in which your clusters reside.

  3. In the navigation pane on the left side of the console, choose Instances.

  4. The Certificate authority column (hidden by default) shows which instances are still on the old server certificate (rds-ca-2017). To show the Certificate authority column, do the following:

    1. Choose the Settings icon.

    2. Under the list of visible columns, choose the Certificate authority column.

    3. Choose Confirm to save your changes.

  5. Select an instance to modify.

  6. Choose Actions and then choose Modify.

  7. You can see a summary of the changes on the next page. Note that there is an extra alert to remind you to ensure that your application is using the latest certificate CA bundle before modifying the instance to avoid causing an interruption in connectivity.

  8. You can choose to apply the modification during your next maintenance window or apply immediately.

  9. Choose Modify instance to complete the update.

Complete the following steps to identify and rotate the old server certificate for your existing Amazon DocumentDB instances using the Amazon CLI.

  1. To modify the instances immediately, execute the following command for each instance in the cluster.

  2. To modify the instances in your clusters to use the new CA certificate during your cluster’s next maintenance window, execute the following command for each instance in the cluster.

What happens if I add a new instance to an existing cluster?

What happens if there is an instance replacement or failover on my cluster?

If there is an instance replacement in your cluster, the new instance that is created continues to use the same server certificate that the instance was previously using. We recommend that you update server certificates for all instances at the same time. If a failover occurs in the cluster, the server certificate on the new primary is used.

If I'm not using TLS to connect to my cluster, do I still need to update each of my instances?

If you are not using TLS to connect to your Amazon DocumentDB clusters, no action is needed.

If I'm not using TLS to connect to my cluster but I plan to in the future, what should I do?

How can I be sure that I'm using the newest CA bundle?

For compatibility reasons, both the old and the new CA bundle files are named us-gov-west-1-bundle.pem, so the file name alone does not tell you which bundle you have. You can use tools such as openssl or keytool to inspect the certificates inside the bundle and compare them.
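Because both bundles share a file name, the reliable check is to look at the certificates inside. The following is an added example, not code from the Amazon DocumentDB documentation, that uses only the Python standard library to list each certificate's SHA-256 fingerprint and notAfter date from a PEM bundle, which is enough to tell two bundles apart and to spot one whose certificates are about to expire. The sample bundle it runs on is a constructed, unsigned, structurally minimal stand-in, not a real AWS certificate; the 2022-05-18 expiry is the date quoted on this page and the other date is made up.

```python
import base64, hashlib, re
from datetime import datetime, timezone

CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (RFC 5280 layout)."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)                          # [0] EXPLICIT version, or serial if v1
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                      # serialNumber
    _, _, pos = _tlv(tbs, pos)                          # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                          # issuer Name
    _, validity, _ = _tlv(tbs, pos)
    _, _, pos = _tlv(validity, 0)                       # notBefore (not needed here)
    tag, raw, _ = _tlv(validity, pos)                   # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_bundle(pem):
    """Return [(sha256 fingerprint hex, notAfter datetime)] for each certificate in a PEM bundle."""
    result = []
    for match in CERT_RE.finditer(pem):
        der = base64.b64decode(b"".join(match.group(1).split()))
        result.append((hashlib.sha256(der).hexdigest(), cert_not_after(der)))
    return result

def _der(tag, body):
    """Tiny DER encoder, used only to build the constructed sample bundle below."""
    return bytes([tag, len(body)]) + body if len(body) < 128 else bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body
def _fake_cert(not_after):
    """Constructed, unsigned, structurally minimal certificate: NOT a real AWS certificate."""
    validity = _der(0x30, _der(0x17, b"170901000000Z") + _der(0x17, not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")        # version, serial
               + _der(0x30, b"") + _der(0x30, b"") + validity + _der(0x30, b""))  # sigalg, issuer, validity, subject
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

# Two-certificate sample bundle: 2022-05-18 is the expiry quoted on this page, the other date is made up.
SAMPLE_BUNDLE = b"".join(b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_fake_cert(na))
                         + b"-----END CERTIFICATE-----\n" for na in (b"220518000000Z", b"300101000000Z"))
```

Run `inspect_bundle(open("us-gov-west-1-bundle.pem", "rb").read())` on each copy of the bundle and compare the fingerprint lists; the copy whose certificates carry later notAfter dates and new fingerprints is the new bundle.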

Why do I see "RDS" in the name of the CA bundle?

For certain management features, such as certificate management, Amazon DocumentDB uses operational technology that is shared with Amazon Relational Database Service (Amazon RDS).

If I applied the new server certificate, can I revert it back to the old server certificate?

If you need to revert an instance to the old server certificate, we recommend that you do so for all instances in the cluster. You can revert the server certificate for each instance in a cluster by using the Amazon Web Services Management Console or the Amazon CLI.

  1. Sign in to the Amazon Web Services Management Console, and open the Amazon DocumentDB console at https://console.amazonaws.cn/docdb.

  2. In the list of Regions in the upper-right corner of the screen, choose the Amazon Web Services Region in which your clusters reside.

  3. In the navigation pane on the left side of the console, choose Instances.

  4. Select an instance to modify. Choose Actions, and then choose Modify.

  5. Choose Continue to view a summary of your modifications.

  6. In this resulting page, you can choose to schedule your modifications to be applied in the next maintenance window or apply your modifications immediately. Make your selection, and choose Modify instance.

    Note

    If you choose to apply your modifications immediately, any changes in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime.

If you choose --no-apply-immediately, the changes will be applied during the cluster’s next maintenance window.

If I restore from a snapshot or a point in time restore, will it have the new server certificate?

What if I’m having issues connecting directly to my Amazon DocumentDB cluster from Mac OS X Catalina?

Mac OS X Catalina has updated the requirements for trusted certificates. Trusted certificates must now be valid for 825 days or fewer (see https://support.apple.com/en-us/HT210176). Amazon DocumentDB instance certificates are valid for over four years, longer than the Mac OS X maximum. In order to connect directly to an Amazon DocumentDB cluster from a computer running Mac OS X Catalina, you must allow invalid certificates when creating the TLS connection. In this case, invalid certificates mean that the validity period is longer than 825 days. You should understand the risks before allowing invalid certificates when connecting to your Amazon DocumentDB cluster.

To connect to an Amazon DocumentDB cluster from OS X Catalina using the mongo shell, use the tlsAllowInvalidCertificates parameter.

mongo --tls --host <hostname> --username <username> --password <password> --port 27017 --tlsAllowInvalidCertificates