user11508332

Reputation: 667

Which method to use for updating CA certificates for AWS RDS

I currently need to update the CA certificates for my AWS RDS instance, and as far as I am aware there are two ways to do this: by modifying my DB instance or by applying DB instance maintenance (source: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html).

Does it matter which method I choose? Is one way particularly better than the other/better in some circumstances?

Upvotes: 2

Views: 4916

Answers (2)

Ram Grandhi

Reputation: 961

In both methods, it is given that the RDS instance needs a reboot (read as outage!).

In our case, the RDS client application (Java-based) had trouble re-establishing its JDBC/SSL connection with the rebooted RDS instance (after the CA upgrade), so we had to manually trigger a restart of the RDS client application to bring the situation back to normal. Hence, we needed to know exactly at what point the RDS CA upgrade was complete.

Hence, the workflow would be like this:

1/ Add CA (2019) to your client application's trust store first!
2/ On the RDS side, use 'Apply Immediately' option in lower environments (in Production, we also used 'Apply Immediately' but executed it during the approved maintenance window).
3/ Wait for a few minutes for AWS to apply CA and reboot the RDS instance.
4/ Go and perform post-actions like restart your client application (if needed) and regression tests.

In this way, we were able to limit the outage to a couple of minutes.

Alert: If we had chosen the 'Apply during maintenance window' option, we would not have been 'in control' of the point at which AWS upgraded the RDS CA, because AWS may choose any point in time during the specified maintenance window to perform the upgrade; it is not guaranteed to happen at the start of the maintenance window.

Hope this helps!

Upvotes: 2
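The two halves of this workflow (choosing 'Apply Immediately' versus the maintenance window in step 2, and knowing in step 3 when the CA change and reboot are really finished) map onto a handful of fields in the RDS API. The helpers below are an added example, not code from the answer above or from AWS: they work on the dicts that boto3's `rds.describe_db_instances()` returns and build the arguments for `rds.modify_db_instance()`, with a constructed sample so the module runs without AWS access (the instance names and the `rds-ca-2015` identifier in the sample are constructed).

```python
"""Plan and verify an RDS CA rotation from describe_db_instances() output."""
from typing import Any

TARGET_CA = "rds-ca-2019"  # the CA named in the workflow above


def needs_rotation(inst: dict[str, Any], target_ca: str = TARGET_CA) -> bool:
    """True if the instance is not on target_ca and no such change is queued."""
    pending = inst.get("PendingModifiedValues", {}).get("CACertificateIdentifier")
    return inst.get("CACertificateIdentifier") != target_ca and pending != target_ca


def rotation_complete(inst: dict[str, Any], target_ca: str = TARGET_CA) -> bool:
    """Step 3 is over only when the CA is applied, nothing is pending and the
    instance is back to 'available' (i.e. the reboot has finished)."""
    return (inst.get("CACertificateIdentifier") == target_ca
            and "CACertificateIdentifier" not in inst.get("PendingModifiedValues", {})
            and inst.get("DBInstanceStatus") == "available")


def modify_request(db_id: str, target_ca: str = TARGET_CA,
                   apply_immediately: bool = False) -> dict[str, Any]:
    """Kwargs for rds.modify_db_instance(). ApplyImmediately=False defers the
    change, and its reboot, to some point inside the maintenance window."""
    return {"DBInstanceIdentifier": db_id, "CACertificateIdentifier": target_ca,
            "ApplyImmediately": apply_immediately}


def plan(instances: list[dict[str, Any]], target_ca: str = TARGET_CA,
         apply_immediately: bool = False) -> dict[str, Any]:
    """Group instances into todo / in_progress / done and emit the modify calls."""
    todo = [i["DBInstanceIdentifier"] for i in instances if needs_rotation(i, target_ca)]
    done = [i["DBInstanceIdentifier"] for i in instances if rotation_complete(i, target_ca)]
    in_progress = [i["DBInstanceIdentifier"] for i in instances
                   if i["DBInstanceIdentifier"] not in todo + done]
    return {"todo": todo, "in_progress": in_progress, "done": done,
            "requests": [modify_request(d, target_ca, apply_immediately) for d in todo]}


# Constructed sample in the shape of describe_db_instances()["DBInstances"].
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "DBInstanceStatus": "available",
     "CACertificateIdentifier": "rds-ca-2015", "PendingModifiedValues": {}},
    {"DBInstanceIdentifier": "orders-stage", "DBInstanceStatus": "modifying",
     "CACertificateIdentifier": "rds-ca-2015",
     "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-2019"}},
    {"DBInstanceIdentifier": "reports", "DBInstanceStatus": "available",
     "CACertificateIdentifier": "rds-ca-2019", "PendingModifiedValues": {}},
]

if __name__ == "__main__":
    for key, value in plan(SAMPLE_INSTANCES, apply_immediately=True).items():
        print(key, value)
```

Polling `rotation_complete()` on a fresh `describe_db_instances()` result is the signal to start the step 4 post-actions; an instance whose CA already reads `rds-ca-2019` but whose status is still `rebooting` is not done yet.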

Rodrigo Murillo

Reputation: 13632

I like to test the update manually by modifying the DB instance in a test environment. Then I confirm any dependent software, and make sure that everything is working.

Then in production I let it modify during the maintenance window update. Since this change requires a reboot, I let it apply during my 3 a.m. Sunday maintenance window.

So both methods are handy depending on your needs. The end result is identical.

Upvotes: 0
