AWS Security Blog

Amazon RDS Customers: Update Your SSL Certificates by March 23, 2015

If you are an Amazon RDS customer, you might have received email from AWS notifying you about rotating your SSL certificates. The SSL certificates for RDS database instances are being updated on March 23, 2015, at 20:00 UTC. The certificates are being updated as part of standard maintenance and security best practices for RDS, and action is required by all RDS customers who use SSL to connect to their database instance in order to maintain connectivity to their database instance after the update. This blog post gives you more details about the RDS announcement, explains how to tell if you are affected, and lets you know what you should do to maintain connectivity to your database instance. 

What was the announcement about rotating my SSL certificates?

As part of the standard maintenance and security best practices for RDS, the SSL certificates for RDS instances are updated every few years. The next update is scheduled to happen on March 23, 2015. As part of this effort, RDS is moving from a single global certificate authority (CA) certificate to a two-tiered model for increased security for your database instances. RDS will continue to support a global X.509 certificate, but instead of being issued from a global certificate, each database instance will be issued individual certificates that are based on regional intermediate certificates.

If your database client or application uses SSL to connect to an RDS database instance, and if by March 23, 2015, at 20:00 UTC you have not updated the SSL certificate that your client or application is using for this connection, your client or application will be unable to connect to your database instance.

How do I know if my RDS instances are affected?

If you have RDS for MySQL, PostgreSQL, or SQL Server database instances that are using SSL to connect to your database client or application, you are affected. RDS for Oracle instances use Native Network Encryption (NNE) for secure connections and are not affected. This maintenance action also does not affect customers with database instances in China (Beijing) or AWS GovCloud (US) regions.

What do I have to do to maintain connectivity?

To maintain connectivity, you need to update the SSL certificates your client or application is using to connect to RDS before March 23, 2015, at 20:00 UTC. Make this update by following these steps:

  1. Download the new SSL certificates from the documentation page Using SSL to Encrypt a Connection to a DB Instance.
  2. Use the new certificates you downloaded in the previous step to update your database client or application by following the steps on the download page. This action is specific to the configuration of your client or application.
  3. Use the Modify operation for your RDS instance on the AWS Management Console (or the ModifyDBInstance API) to change the CA from rds-ca-2010 to rds-ca-2015, and then click Apply Immediately. This operation will update the SSL certificates on the RDS instance and initiate a reboot operation to have the certificates take effect. This reboot operation typically takes less than two minutes to complete. In some cases, such as when a database has a large number of tables, a reboot could take longer. Learn more.

Note that all three steps must be performed before March 23, 2015, at 20:00 UTC. If you are unable to complete all three steps by this time, your client or application may be unable to connect to your database instance using SSL.
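The three steps above, scripted for the AWS CLI and a MySQL client, as an added example that is not part of the original post or of any AWS tooling. It assumes a configured AWS CLI, a MySQL 5.x client, that the combined CA bundle is downloaded from the URL in `BUNDLE_URL` (taken from the RDS SSL documentation of the time; treat it as an assumption and use the link on the download page), and that instance identifiers, endpoints and user names are placeholders. The filtering and command-building helpers are pure shell so they can be checked offline; only the `--run` path talks to AWS.

```shell
#!/bin/sh
# Added example (not from the AWS post): walk the three-step certificate
# rotation with the AWS CLI and a MySQL client. Instance identifiers,
# endpoints and the bundle URL are assumptions, not values from the post.
set -e

BUNDLE_URL="https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem"  # assumed location
BUNDLE="rds-combined-ca-bundle.pem"

# Step 1: download the new bundle and inspect it before touching any client.
# With the two-tiered model the combined bundle is expected to hold the global
# root plus regional intermediates, so a one-certificate file suggests a bad download.
download_bundle() {
    curl -fsSL -o "$BUNDLE" "$BUNDLE_URL"
    openssl crl2pkcs7 -nocrl -certfile "$BUNDLE" | openssl pkcs7 -print_certs -noout
}

# Count PEM certificate blocks in a bundle file (plain text check, works offline).
bundle_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Reduce describe-db-instances text output ("<id><TAB><ca-id>" per line) to the
# identifiers still on the old CA. Pure awk, so it can be exercised offline.
instances_on_old_ca() {
    awk -F '\t' '$2 == "rds-ca-2010" { print $1 }'
}

# Live query: which instances still need step 3.
list_pending_instances() {
    aws rds describe-db-instances \
        --query 'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier]' \
        --output text | instances_on_old_ca
}

# Step 3: build the ModifyDBInstance call. It is printed rather than executed so it
# can be reviewed first; --apply-immediately triggers the reboot the post describes.
modify_ca_cmd() {
    printf 'aws rds modify-db-instance --db-instance-identifier %s --ca-certificate-identifier rds-ca-2015 --apply-immediately\n' "$1"
}

# Step 2 (MySQL example): connect with the new bundle and verify the server
# certificate. The query only succeeds if the client trusts the new chain, and a
# non-empty Ssl_cipher confirms the session is actually encrypted.
verify_mysql_ssl() {
    mysql -h "$1" -u "$2" -p --ssl-ca="$BUNDLE" --ssl-verify-server-cert \
        -e "SHOW STATUS LIKE 'Ssl_cipher'"
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    download_bundle
    echo "bundle contains $(bundle_cert_count "$BUNDLE") certificates"
    for id in $(list_pending_instances); do
        modify_ca_cmd "$id"   # pipe the output into sh once reviewed
    done
    # verify_mysql_ssl placeholder-endpoint.rds.amazonaws.com placeholder-user
fi
```

Run the instance update only after the client side (step 2) is done: once the instance is on `rds-ca-2015`, a client still configured with the old bundle and `--ssl-verify-server-cert` will refuse the connection, which is the failure the post warns about. For PostgreSQL the equivalent client check is `psql "host=... sslmode=verify-full sslrootcert=$BUNDLE"`.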

What if I have questions or issues?

If you have questions or issues, contact AWS Support or your Technical Account Manager (TAM).

– Mandakini