Update your RDS SSL certificates

Sandro Cirulli
Mar 2, 2020 · 4 min read

Have you recently logged into your AWS console and seen this message in RDS?

Screenshot of on-screen alert, titled “Confirm that your Amazon RDS SSL/TLS Certificates are up to date”

The RDS team at AWS are replacing the root certificate that protects all encrypted connections to the RDS databases and clusters. The expiry date for the old root certificate is 5th March 2020 and therefore AWS ask you to apply these updates to your RDS instances before that date.

Do I need to care?

Yes. Your application needs to trust the connection to the database and that chain of trust expires on 5th March 2020. If your application is using SSL to communicate with the database and you take no action, there is a high risk of disruption and downtime to your application and database from Thursday 5th March.

How do I know if I’m using SSL?

You can check whether your application's connections to the database use SSL by running a simple SQL query. The procedure varies according to the database engine; here are the steps for MySQL 5.7 or above:

1. Log into your RDS MySQL database. If the application connecting to RDS is running on an EC2 instance, you can use the mysql client on that instance to connect to RDS:

Enter the password and you are greeted with the mysql prompt.

2. Check that the performance schema is enabled:

If that’s the case you should see the following result:

If the value is set to OFF, the performance schema is not enabled and you need to enable it by setting the performance_schema parameter to 1 in the RDS instance's parameter group (see here for more info on parameter groups in RDS). Note that the performance schema is not enabled by default on RDS MySQL, and changing the parameter group requires a reboot of the RDS instance.

3. Run this SQL query to show the current connections to the database:

Your output may be similar to this:

The connection type column shows whether each connection to the database is made via SSL/TLS. If so, you must update the SSL certificates on the RDS instance before 5th March 2020. AWS' recommended deadline is 28th February, which leaves you enough time to test that everything still works.

If you are using another database engine, check out the instructions for MariaDB, Microsoft SQL Server, Oracle, Postgres, Aurora MySQL, and Aurora Postgres.

If your database is not using SSL, I strongly recommend enabling it as exchanging data between an application and a database without SSL is a recipe for a security disaster. So you may want to update the SSL certificates anyway!

How do I update the RDS SSL certificate?

1. Download the latest SSL/TLS certificates from here or via the command line:

2. Update the client-side trust store for your application in order to use the new certificate (the links for each database in the previous section show a few examples for Java applications). The new certificate bundle contains certificates for both the old and new Certificate Authority.

3. Use the file downloaded in step 1 to apply the change of the certificate authority via the RDS console or via the command line with one of these two commands.

To apply the change during the next database maintenance window:

To apply the change immediately:

Note that the RDS instance is rebooted when the change takes place.
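Before running the commands above across many instances, it helps to know which ones still point at the old CA and which already have the change scheduled. The following is an added example (not code from the original article): it works on the JSON that `aws rds describe-db-instances` returns, using its real `CACertificateIdentifier` and `PendingModifiedValues` fields, and builds the two `modify-db-instance` variants. The CA identifiers rds-ca-2015 and rds-ca-2019 are the ones AWS used for this rotation; the instance names and sample output are constructed.

```python
"""Audit RDS instances for the CA rotation and build the modify commands."""
import json
import shlex

OLD_CA = "rds-ca-2015"   # CA that expired on 5 March 2020
NEW_CA = "rds-ca-2019"   # CA AWS asked customers to move to

# Constructed sample of `aws rds describe-db-instances` output (three instances).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "CACertificateIdentifier": OLD_CA,
     "PendingModifiedValues": {}},
    {"DBInstanceIdentifier": "orders-staging", "CACertificateIdentifier": OLD_CA,
     "PendingModifiedValues": {"CACertificateIdentifier": NEW_CA}},  # already scheduled
    {"DBInstanceIdentifier": "reporting", "CACertificateIdentifier": NEW_CA,
     "PendingModifiedValues": {}},
]})


def instances_needing_rotation(describe_json: str, target_ca: str = NEW_CA) -> list[str]:
    """Return identifiers still on an old CA with no rotation scheduled.

    An instance whose PendingModifiedValues already names the target CA is
    skipped: that change will land at the next maintenance window.
    """
    data = json.loads(describe_json)
    todo = []
    for inst in data.get("DBInstances", []):
        current = inst.get("CACertificateIdentifier")
        pending = inst.get("PendingModifiedValues", {}).get("CACertificateIdentifier")
        if current != target_ca and pending != target_ca:
            todo.append(inst["DBInstanceIdentifier"])
    return todo


def modify_command(db_id: str, target_ca: str = NEW_CA, apply_immediately: bool = False) -> str:
    """Build the `aws rds modify-db-instance` call that switches the CA.

    Without --apply-immediately the change (and the reboot it causes) waits for
    the next maintenance window, matching the two variants described above.
    """
    argv = ["aws", "rds", "modify-db-instance",
            "--db-instance-identifier", db_id,
            "--ca-certificate-identifier", target_ca,
            "--apply-immediately" if apply_immediately else "--no-apply-immediately"]
    return shlex.join(argv)


if __name__ == "__main__":
    for db in instances_needing_rotation(SAMPLE_DESCRIBE_OUTPUT):
        print(modify_command(db))
```

Pipe the real `describe-db-instances` output into `instances_needing_rotation` to get the list for your account; the printed commands are only executed if you run them yourself.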

I need help!

If you need some additional guidance or want to make sure you applied the right changes, The Scale Factory is here to help. Feel free to drop us a line and find out more about how we can help you with AWS.

Reference

Amazon RDS customers: Update your SSL/TLS certificates by March 5, 2020
