user10916892

Reputation: 997

AWS RDS SSL - Does ssl server certificates different for each and every RDS instance or same?

I have 2 AWS accounts, each with its own RDS instances (not publicly accessible) with the DB engine PostgreSQL 12.5. I downloaded the RDS certificate from "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem". I am using JDBC (PostgreSQL driver) with the properties ssl=true and sslrootcert="path to above certificate" to establish secure connections. My questions:

  1. This certificate is the same for both AWS accounts, which have different names, so how does it work? Does the SSL handshake verify that the client (JDBC connection) is talking to rds.amazonaws.com, or to the actual RDS instance, which has a separate name?

  2. RDS certificates are replaced every 5 years, i.e. applications also have to update the certificate every 5 years, or sooner once a new certificate is available from RDS. Is this correct?

Upvotes: 1

Views: 967

Answers (2)

jjanes

Reputation: 44137

The server's certificates are each different. Each server sends its own cert when you ask to establish an SSL connection to it. The thing you download is the cert for the authority which signs each of the server certs. You (or your JDBC) use it to verify that the per-server certs are genuine.

Upvotes: 1
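As an added example (not code from the question or from either answer), the connection the question describes written out with pgjdbc: the downloaded bundle is passed as sslrootcert, sslmode=verify-full makes the driver check both that the per-instance server certificate chains to a CA in the bundle and that its hostname matches the endpoint you connected to, and a query against pg_stat_ssl confirms from the server side that the session really is encrypted. The endpoint, database name, credentials and bundle path are placeholders; the thread gives no real values.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Added example: connect to an RDS PostgreSQL endpoint through pgjdbc with full
 * certificate verification, then confirm from the backend that this session is
 * encrypted. ENDPOINT, DB and BUNDLE are placeholders; credentials come from the
 * environment.
 */
public class RdsTlsConnect {

    static final String ENDPOINT = "mydb.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com"; // placeholder
    static final String DB = "postgres";                                           // placeholder
    static final String USER = System.getenv("PGUSER");                            // set in the environment
    static final String PASSWORD = System.getenv("PGPASSWORD");                    // set in the environment
    static final String BUNDLE = "/etc/ssl/rds/global-bundle.pem";                 // where the downloaded bundle was saved (assumed)

    /** Build the driver properties that enforce chain AND hostname verification. */
    static Properties tlsProperties() {
        if (USER == null || PASSWORD == null) {
            throw new IllegalStateException("set PGUSER and PGPASSWORD in the environment");
        }
        Properties p = new Properties();
        p.setProperty("user", USER);
        p.setProperty("password", PASSWORD);
        p.setProperty("ssl", "true");
        // verify-full: the per-instance server certificate must chain to a CA in sslrootcert
        // and must carry a hostname (SAN or CN) matching ENDPOINT.
        // verify-ca would check the chain only and accept a valid cert for a different instance.
        p.setProperty("sslmode", "verify-full");
        p.setProperty("sslrootcert", BUNDLE);
        return p;
    }

    /** Ask the backend whether this very session uses TLS, and with which protocol and cipher. */
    static String describeSessionTls(Connection conn) throws SQLException {
        String sql = "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            if (!rs.next() || !rs.getBoolean("ssl")) {
                throw new IllegalStateException("session is not encrypted");
            }
            return rs.getString("version") + " / " + rs.getString("cipher");
        }
    }

    public static void main(String[] args) throws SQLException {
        String url = "jdbc:postgresql://" + ENDPOINT + ":5432/" + DB;
        // A hostname mismatch, or a server certificate that does not chain to a CA in the
        // bundle, fails inside getConnection() with an org.postgresql.util.PSQLException
        // before any query is sent.
        try (Connection conn = DriverManager.getConnection(url, tlsProperties())) {
            System.out.println("Connected over TLS: " + describeSessionTls(conn));
        }
    }
}
```

Setting sslmode explicitly, rather than relying on whatever the driver defaults to when only ssl=true is given, is what answers the "rds.amazonaws.com or the actual instance" part of question 1: with verify-full the handshake is tied to the exact endpoint name in the URL, not just to "some certificate Amazon's CA signed".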

Marcin

Reputation: 238081

Q1.

Yes, it's the same for all accounts. You can download it from the docs here. It's about the instances, as explained in the docs:

Using a server certificate provides an extra layer of security by validating that the connection is being made to an Amazon RDS DB instance.

Q2.

You can update a few months before the actual expiration. Last year it happened, as explained here.

Upvotes: 2
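As an added example for the Q2 part of this answer (not code from the thread), a small check that parses every CA certificate in the downloaded bundle and flags any whose notAfter falls within a warning window. Once a CA in the bundle expires, chains ending at it stop validating, so running this on a schedule turns "update a few months before expiration" into a warning the application team actually receives. The bundle path, the 180-day window and the output format are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: parse a PEM bundle of CA certificates (such as the RDS global
 * bundle the question links to) and report which ones expire within a warning
 * window. Path and window are assumptions, not values from the thread.
 */
public class RdsBundleExpiry {

    /** One line of the report: subject, expiry instant, and whether it is inside the window. */
    static final class Entry {
        final String subject;
        final Instant notAfter;
        final boolean expiringSoon;

        Entry(String subject, Instant notAfter, boolean expiringSoon) {
            this.subject = subject;
            this.notAfter = notAfter;
            this.expiringSoon = expiringSoon;
        }
    }

    /** Parse every certificate in the stream and classify it against now + window. */
    static List<Entry> inspect(InputStream pem, Instant now, Duration window) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Instant threshold = now.plus(window);
        List<Entry> report = new ArrayList<>();
        // generateCertificates reads every PEM block in the stream, so a multi-CA bundle parses in one call.
        for (Certificate c : cf.generateCertificates(pem)) {
            X509Certificate x = (X509Certificate) c;
            Instant notAfter = x.getNotAfter().toInstant();
            report.add(new Entry(x.getSubjectX500Principal().getName(), notAfter, notAfter.isBefore(threshold)));
        }
        return report;
    }

    public static void main(String[] args) throws IOException, CertificateException {
        String path = args.length > 0 ? args[0] : "global-bundle.pem"; // the downloaded bundle (assumed location)
        Duration window = Duration.ofDays(180);                         // assumption: warn six months ahead
        int soon = 0;
        try (InputStream in = new FileInputStream(path)) {
            for (Entry e : inspect(in, Instant.now(), window)) {
                System.out.printf("%s  notAfter=%s%s%n",
                        e.subject, e.notAfter, e.expiringSoon ? "  <-- EXPIRES WITHIN WINDOW" : "");
                if (e.expiringSoon) {
                    soon++;
                }
            }
        }
        // A non-zero exit lets a cron job or CI step fail loudly when the bundle needs refreshing.
        if (soon > 0) {
            System.exit(2);
        }
    }
}
```

Run it as `java RdsBundleExpiry /path/to/global-bundle.pem`. Because the bundle holds several CAs, one of them being close to expiry does not by itself break connections to instances whose certificates chain to a different CA, but it is the cue to download the current bundle and redeploy it well ahead of the date.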
