The Scale Factory
Published in

The Scale Factory

Update your RDS SSL certificates

Have you recently logged into your AWS console and seen this message in RDS?

Screenshot of on-screen alert, titled “Confirm that your Amazon RDS SSL/TLS Certificates are up to date”

The RDS team at AWS are replacing the root certificate that protects all encrypted connections to the RDS databases and clusters. The expiry date for the old root certificate is 5th March 2020 and therefore AWS ask you to apply these updates to your RDS instances before that date.

Do I need to care?

Yes. Your application needs to trust the connection to the database and that chain of trust expires on 5th March 2020. If your application is using SSL to communicate with the database and you take no action, there is a high risk of disruption and downtime to your application and database from Thursday 5th March.

How do I know if I’m using SSL?

You can check if your database is using an SSL connection to communicate with the database by running a simple SQL query. The procedure varies according to the database; here are the steps for MySQL 5.7 or above:

  1. Log into your RDS MySQL database. If the application connecting to the RDS is running on an EC2 instance you can use the mysql client to connect to RDS:
mysql --host=<your-db-instance-name>.<your-region> --port=3306 --user=<your-username> --password

Enter the password and you are greeted with the mysql prompt.

2. Check that the performance schema is enabled:

SHOW VARIABLES LIKE 'performance_schema';

If that’s the case you should see the following result:

| Variable_name | Value |
| performance_schema | ON |
1 row in set (0.00 sec)

If the value is set to OFF the performance schema is not enabled and you need to enable it by setting the performance_schema parameter to 1 in RDS instance parameter group (see here for more info on parameter groups in RDS). Note that the performance schema is not enabled by default on RDS MySQL and changing the parameter group requires a reboot of the RDS instance.

3. Run this SQL query to show the current connections to the database:

SELECT id, user, host, connection_type 
FROM performance_schema.threads pst
INNER JOIN information_schema.processlist isp
ON pst.processlist_id =;

Your output may be similar to this:

| id | user | host | connection_type |
| 8 | admin | | SSL/TLS |
| 4 | event_scheduler | localhost | NULL |
| 10 | webapp1 | | SSL/TLS |
3 rows in set (0.00 sec)

The connection type column shows if the connection to the database is done via SSL/TLS. If so, you must update the SSL certificates on the RDS before 5th March 2020. AWS’ recommended deadline is 28th February to make sure you have enough time to test that everything is working fine.

If you are using another database, check out the instructions for Maria DB, Microsoft SQL Server, Oracle, Postgres, Aurora MySQL, and Aurora Postgres.

If your database is not using SSL, I strongly recommend enabling it as exchanging data between an application and a database without SSL is a recipe for a security disaster. So you may want to update the SSL certificates anyway!

How do I update the RDS SSL certificate?

  1. Download the latest SSL/TLS certificates from here or via the command line:

2. Update the client-side trust store for your application in order to use the new certificate (the links for each database in the previous section show a few examples for Java applications). The new certificate bundle contains certificates for both the old and new Certificate Authority.

3. Use the file downloaded in step 1 to apply the change of the certificate authority via the RDS console or via the command line with one of these two commands.

To apply the change during the next database maintenance window:

aws rds modify-db-instance --db-instance-identifier <db_instance_identifier> --ca-certificate-identifier rds-ca-2019

To apply the change immediately:

aws rds modify-db-instance --db-instance-identifier <db_instance_identifier> --ca-certificate-identifier rds-ca-2019 --apply-immediately

Note that the RDS instance is rebooted when the change takes place.

I need help!

If you need some additional guidance or want to make sure you applied the right changes, The Scale Factory is here to help. Feel free to drop us a line and find out more how we can help you with AWS.


Amazon RDS customers: Update your SSL/TLS certificates by March 5, 2020




Your AWS SaaS pros. Get ahead with The Scale Factory, the only AWS partner dedicated to helping ambitious SaaS businesses like yours to grow, fast.

Recommended from Medium — Steganography: hiding messages in images

Weeknotes ep.11 — the end of one very long week

Singleton Desing pattern

July Update

CS 373 Spring 2022 — Week 11


Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sandro Cirulli

Sandro Cirulli

Consultant at the Scale Factory

More from Medium

How I Setup CI/CD With Github Actions For K3s

Containers and Orchestration on AWS: Amazon EKS

Docker containers using Ansible on AWS