AWS RDS Certificate Authority update

Question

I recently received an email regarding a required update to my RDS Certificate Authority. The instructions on the RDS side seems straight forward: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

However on step 4 there was an important message, "When you schedule this operation, make sure that you have updated your client-side trust store beforehand."

I cant seem to find any information about updating my server which connects to RDS for the CA update.

My Setup is EC2 instances on Beanstalk.

Does anyone know how/what I am supposed to do?
Thank you.

similar question: Update Amazon RDS SSL/TLS Certificates - Elastic Beanstalk

Answer 1

This is how we are managing SSL communication from Elastic Beanstalk to an external RDS PostgreSQL database. We add the following config file to .ebextensions (.ebextensions/rds.config):

commands:
  01-create-folder:
    command: mkdir -p /home/webapp/.postgresql
  02-download-cert:
    command: aws s3 cp s3://rds-downloads/rds-ca-2019-root.pem /home/webapp/.postgresql/root.crt
  03-change-owner:
    command: chown webapp:webapp /home/webapp/.postgresql/root.crt
  04-change-mode:
    command: chmod 400 /home/webapp/.postgresql/root.crt

The file downloads the certificate from the public S3 folder and places in the .postgresql folder as the root certificate. We are having a Java application and the JDBC driver successfully connects to RDS with SSL enabled.

Answer 2

Basically, the installation of certification is only required when you use the SSL connection from your application to the RDS server. Regardless of the SSL connection, it is recommended to update the certificate of your server but it is not necessary when you did not use the SSL connection to the RDS.

Server-side Usage

When you use the SSL connection, you should change the certificate of the RDS server as soon as possible. Go to the RDS console, then you can find the Certificate update menu from the left menu list. Find your DB cluster, check and update your SSL right now or reserve the update for the next maintenance.

Client-side Usage

The details about the SSL certificate are noted in the documentation. From here, you can download the root CA certificate of rds 2019. The link is below.

https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem

This CA certificate is used to connect the rds server, e.g.

mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com
--ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY

or add it to the Trusted Root CA for the client OS.

For example in Windows, you can run certmgr.msc and right-click the trusted root ca, import this certificate. In Mac, open keychain access and import this certificate. This is an option.

Answer 3

In order to change your CA Certificate on an Elastic Beanstalk environment by Amazon (AWS) do the following:

1. Log in to your console (https://console.aws.amazon.com/)
2. Click services and search for "RDS"
3. Inside RDS (RDS is where the databases from Beanstalk lives even though they are directly attached to the Beanstalk environment) click "Certificate Update" down in the right corner (there will be a very read notification on the link)
4. If you have any certificates to upgrade, they will show up here.
5. Click the RDS instance name (the weird aws name of the database server) aka "DB identifier"
6. (Well inside this you can see some more info about it under configuration), for instance your db username which could help you identify the instance if you have many and forgot to rename them.
7. Click Actions > Upgrade now (this will reboot your instance now) OR Actions > Upgrade at next window (choose this if you have a lot of traffic and many users, so it will be less disruptive ie not stop in the middle of the day but in the night according to the maintenance schedule of your location/server)
8. That's it. You do not need to install anything in your Beanstalk environment.