Transitioning to ACM certificates for SSL connections
Amazon Redshift is replacing the SSL certificates on your clusters with Amazon Certificate Manager (ACM)
This change affects you only if all of the following apply:
-
Your SQL clients or applications connect to Amazon Redshift clusters using SSL with the
sslMode
connection option set torequire
,verify-ca
, orverify-full
configuration option. -
You aren't using the Amazon Redshift ODBC or JDBC drivers, or you use Amazon Redshift drivers before ODBC version 1.3.7.1000 or JDBC version 1.2.8.1005.
If this change affects you on commercial Amazon Redshift Regions, then you must update your current trust root CA certificates before October 23, 2017. Amazon Redshift will transition your clusters to use ACM certificates between now and October 23, 2017. The change should have very little or no effect on your cluster's performance or availability.
If this change affects you on Amazon GovCloud (US) (US) Regions, then you must update your current trust root CA certificates before April 1, 2020 to avoid service interruption. Beginning on this date, clients connecting to Amazon Redshift clusters using SSL encrypted connections need an additional trusted certificate authority (CA). Clients use trusted certificate authorities to confirm the identity of the Amazon Redshift cluster when they connect to it. Your action is required to update your SQL clients and applications to use an updated certificate bundle that includes the new trusted CA.
Important
In the China Regions on January 5, 2021, Amazon Redshift is replacing the SSL certificates on your clusters with Amazon Certificate Manager (ACM) issued certificates. If this change affects you on China (Beijing) Region or China (Ningxia) Region, then you must update your current trust root CA certificates before January 5, 2021 to avoid service interruption. Beginning on this date, clients connecting to Amazon Redshift clusters using SSL encrypted connections need an additional trusted certificate authority (CA). Clients use trusted certificate authorities to confirm the identity of the Amazon Redshift cluster when they connect to it. Your action is required to update your SQL clients and applications to use an updated certificate bundle that includes the new trusted CA.
Using the latest Amazon Redshift ODBC or JDBC drivers
The preferred method is to use the latest Amazon Redshift ODBC or JDBC drivers. Amazon Redshift drivers beginning with ODBC version 1.3.7.1000 and JDBC version 1.2.8.1005 automatically manage the transition from an Amazon Redshift self-signed certificate to an ACM certificate. To download the latest drivers, see Configuring a connection for JDBC driver version 2.1 for Amazon Redshift.
If you use the latest Amazon Redshift JDBC driver, it's best not to use
-Djavax.net.ssl.trustStore
in JVM options. If you must use
-Djavax.net.ssl.trustStore
, import the Redshift certificate
authority bundle into the truststore it points to. For download information, see
SSL. For
more information, see Importing the Amazon Redshift
certificate authority bundle into a TrustStore.
Using earlier Amazon Redshift ODBC or JDBC drivers
-
If your ODBC DSN is configured with
SSLCertPath
, overwrite the certificate file in the specified path. -
If
SSLCertPath
is not set, then overwrite the certificate file namedroot.crt
in the driver DLL location.
If you must use an Amazon Redshift JDBC driver before version 1.2.8.1005, then do one of the following:
-
If your JDBC connection string uses the
sslCert
option, remove thesslCert
option. Then import the Redshift certificate authority bundle to your Java TrustStore. For download information, see SSL. For more information, see Importing the Amazon Redshift certificate authority bundle into a TrustStore. -
If you use the Java command line
-Djavax.net.ssl.trustStore
option, remove it from command line, if possible. Then import the Redshift certificate authority bundle to your Java TrustStore. For download information, see SSL. For more information, see Importing the Amazon Redshift certificate authority bundle into a TrustStore.
Importing the Amazon Redshift certificate authority bundle into a TrustStore
You can use redshift-keytool.jar
to import CA certificates in
the Amazon Redshift Certificate Authority bundle into a Java TrustStore or your private
truststore.
To import the Amazon Redshift certificate authority bundle into a TrustStore
-
Download redshift-keytool.jar
. -
Do one of the following:
-
To import the Amazon Redshift Certificate Authority bundle into a Java TrustStore, run the following command.
java -jar redshift-keytool.jar -s
-
To import the Amazon Redshift Certificate Authority bundle into your private TrustStore, run the following command:
java -jar redshift-keytool.jar -k
<your_private_trust_store>
-p<keystore_password>
-
Using other SSL connection types
Follow the steps in this section if you connect using any of the following:
-
Open source ODBC driver
-
Open source JDBC driver
-
The Amazon Redshift RSQL command line interface
-
Any language bindings based on libpq, such as psycopg2 (Python) and ruby-pg (Ruby)
To use ACM certificates with other SSL connection types:
-
Download the Amazon Redshift certificate authority bundle. For download information, see SSL.
-
Place the certificates from the bundle in your
root.crt
file.-
On Linux and macOS X operating systems, the file is
~/.postgresql/root.crt
. -
On Microsoft Windows, the file is
%APPDATA%\postgresql\root.crt
.
-