https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
Submission: On October 24 via manual from IN — Scanned from DE
ROTATING YOUR SSL/TLS CERTIFICATE
Amazon Relational Database Service User Guide

Amazon RDS Certificate Authority certificates rds-ca-2019 are set to expire in August, 2024. If you use or plan to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) with certificate verification to connect to your RDS DB instances, you should consider using one of the new CA certificates rds-ca-rsa2048-g1, rds-ca-rsa4096-g1 or rds-ca-ecc384-g1. If you currently do not use SSL/TLS with certificate verification, you might still have an expired CA certificate and must update it to a new CA certificate if you plan to use SSL/TLS with certificate verification to connect to your RDS databases. Follow these instructions to complete your updates.

Before you update your DB instances to use the new CA certificate, make sure that you update your clients or applications connecting to your RDS databases.

Amazon RDS provides new CA certificates as an AWS security best practice. For information about the new certificates and the supported AWS Regions, see Using SSL/TLS to encrypt a connection to a DB instance.

NOTE
Amazon RDS Proxy uses certificates from the AWS Certificate Manager (ACM).
If you are using RDS Proxy, when you rotate your SSL/TLS certificate, you don't need to update applications that use RDS Proxy connections. For more information about using TLS/SSL with RDS Proxy, see Using TLS/SSL with RDS Proxy.

NOTE
If you are using a Go version 1.15 application with a DB instance that was created or updated to the rds-ca-2019 certificate prior to July 28, 2020, you must update the certificate again. Update the certificate to rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1 depending on your engine. Run the modify-db-instance command shown in the AWS CLI section using the new CA certificate identifier. You can find the CAs that are available for a specific DB engine and DB engine version using the describe-db-engine-versions command. If you created your DB instance or updated its certificate after July 28, 2020, no action is required. For more information, see Go GitHub issue #39568.

TOPICS
* Updating your CA certificate by modifying your DB instance
* Updating your CA certificate by applying DB instance maintenance
* Automatic server certificate rotation
* Sample script for importing certificates into your trust store

UPDATING YOUR CA CERTIFICATE BY MODIFYING YOUR DB INSTANCE

The following example updates your CA certificate from rds-ca-2019 to rds-ca-rsa2048-g1. You can choose a different certificate. For more information, see Certificate authorities.

TO UPDATE YOUR CA CERTIFICATE BY MODIFYING YOUR DB INSTANCE

1. Download the new SSL/TLS certificate as described in Using SSL/TLS to encrypt a connection to a DB instance.

2. Update your applications to use the new SSL/TLS certificate.
   The methods for updating applications for new SSL/TLS certificates depend on your specific applications. Work with your application developers to update the SSL/TLS certificates for your applications. For information about checking for SSL/TLS connections and updating applications for each DB engine, see the following topics:
   * Updating applications to connect to MariaDB instances using new SSL/TLS certificates
   * Updating applications to connect to Microsoft SQL Server DB instances using new SSL/TLS certificates
   * Updating applications to connect to MySQL DB instances using new SSL/TLS certificates
   * Updating applications to connect to Oracle DB instances using new SSL/TLS certificates
   * Updating applications to connect to PostgreSQL DB instances using new SSL/TLS certificates
   For a sample script that updates a trust store for a Linux operating system, see Sample script for importing certificates into your trust store.

   NOTE
   The certificate bundle contains certificates for both the old and new CA, so you can upgrade your application safely and maintain connectivity during the transition period. If you are using the AWS Database Migration Service to migrate a database to a DB instance, we recommend using the certificate bundle to ensure connectivity during the migration.

3. Modify the DB instance to change the CA from rds-ca-2019 to rds-ca-rsa2048-g1. To check if your database requires a restart to update the CA certificates, use the describe-db-engine-versions command and check the SupportsCertificateRotationWithoutRestart flag.

   IMPORTANT
   If you are experiencing connectivity issues after certificate expiry, use the apply immediately option by specifying Apply immediately in the console or by specifying the --apply-immediately option using the AWS CLI. By default, this operation is scheduled to run during your next maintenance window.

   To set an override for your instance CA that's different from the default RDS CA, use the modify-certificates CLI command.

   You can use the AWS Management Console or the AWS CLI to change the CA certificate from rds-ca-2019 to rds-ca-rsa2048-g1 for a DB instance.

   CONSOLE
   1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.
   2. In the navigation pane, choose Databases, and then choose the DB instance that you want to modify.
   3. Choose Modify. The Modify DB Instance page appears.
   4. In the Connectivity section, choose rds-ca-rsa2048-g1.
   5. Choose Continue and check the summary of modifications.
   6. To apply the changes immediately, choose Apply immediately.
   7. On the confirmation page, review your changes. If they are correct, choose Modify DB Instance to save your changes. Or choose Back to edit your changes or Cancel to cancel your changes.

      IMPORTANT
      When you schedule this operation, make sure that you have updated your client-side trust store beforehand.

   AWS CLI
   To use the AWS CLI to change the CA from rds-ca-2019 to rds-ca-rsa2048-g1 for a DB instance, call the modify-db-instance command. Specify the DB instance identifier and the --ca-certificate-identifier option.

   IMPORTANT
   When you schedule this operation, make sure that you have updated your client-side trust store beforehand.

   The following code modifies mydbinstance by setting the CA certificate to rds-ca-rsa2048-g1.

   IMPORTANT
   Use --apply-immediately to apply the update immediately. By default, this operation is scheduled to run during your next maintenance window.

   For Linux, macOS, or Unix:

       aws rds modify-db-instance \
           --db-instance-identifier mydbinstance \
           --ca-certificate-identifier rds-ca-rsa2048-g1

   For Windows:

       aws rds modify-db-instance ^
           --db-instance-identifier mydbinstance ^
           --ca-certificate-identifier rds-ca-rsa2048-g1

   NOTE
   If your instance requires a reboot, you can use the modify-db-instance CLI command and specify the --no-certificate-rotation-restart option.

UPDATING YOUR CA CERTIFICATE BY APPLYING DB INSTANCE MAINTENANCE

Complete the following steps to update your CA certificate by applying DB instance maintenance.

TO UPDATE YOUR CA CERTIFICATE BY APPLYING DB INSTANCE MAINTENANCE

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the navigation pane, choose Databases.
   In the navigation pane, there is a Certificate update option that shows the total number of affected DB instances. Choose Certificate update in the navigation pane. The Databases requiring certificate update page appears.

   NOTE This page only shows the DB instances for the current AWS Region. If you have DB instances in more than one AWS Region, check this page in each AWS Region to see all DB instances with old SSL/TLS certificates.

3. Choose the DB instance you want to update. You can schedule the certificate rotation for your next maintenance window by choosing Schedule. Apply the rotation immediately by choosing Apply now.

   IMPORTANT If you experience connectivity issues after certificate expiry, use the Apply now option.

4. Confirm the rotation:
   1. If you choose Schedule, you are prompted to confirm the CA certificate rotation. This prompt also states the scheduled window for your update.
   2. If you choose Apply now, you are prompted to confirm the CA certificate rotation.

   IMPORTANT Before scheduling the CA certificate rotation on your database, update any client applications that use SSL/TLS and the server certificate to connect. These updates are specific to your DB engine. After you have updated these client applications, you can confirm the CA certificate rotation.

   To continue, choose the check box, and then choose Confirm.

5. Repeat steps 3 and 4 for each DB instance that you want to update.

AUTOMATIC SERVER CERTIFICATE ROTATION

If your CA supports automatic server certificate rotation, RDS automatically handles the rotation of the DB server certificate. RDS uses the same root CA for this automatic rotation, so you don't need to download a new CA bundle. See Certificate authorities.

The rotation and validity of your DB server certificate depend on your DB engine:

* If your DB engine supports rotation without restart, RDS automatically rotates the DB server certificate without requiring any action from you.
  RDS attempts to rotate your DB server certificate in your preferred maintenance window at the DB server certificate half life. The new DB server certificate is valid for 12 months.
* If your DB engine doesn't support rotation without restart, RDS notifies you about a maintenance event at least 6 months before the DB server certificate expires. The new DB server certificate is valid for 36 months.

Use the describe-db-engine-versions command and inspect the SupportsCertificateRotationWithoutRestart flag to identify whether the DB engine version supports rotating the certificate without restart. For more information, see Setting the CA for your database.

SAMPLE SCRIPT FOR IMPORTING CERTIFICATES INTO YOUR TRUST STORE

The following are sample shell scripts that import the certificate bundle into a trust store. Each sample shell script uses keytool, which is part of the Java Development Kit (JDK). For information about installing the JDK, see JDK Installation Guide.

TOPICS

* Sample script for importing certificates on Linux
* Sample script for importing certificates on macOS

SAMPLE SCRIPT FOR IMPORTING CERTIFICATES ON LINUX

The following is a sample shell script that imports the certificate bundle into a trust store on a Linux operating system.

    mydir=tmp/certs
    if [ ! -e "${mydir}" ]
    then
    mkdir -p "${mydir}"
    fi

    truststore=${mydir}/rds-truststore.jks
    # Default JKS password used by the sample; use your own password for a production trust store.
    storepassword=changeit

    # Download the global CA bundle from the RDS trust store endpoint.
    curl -sS "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" > ${mydir}/global-bundle.pem
    # Split the bundle into one rds-ca-<n>.pem file per certificate (written to the current directory).
    awk 'split_after == 1 {n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1}{print > "rds-ca-" n ".pem"}' < ${mydir}/global-bundle.pem

    # Import each certificate, using its subject CN as the alias.
    for CERT in rds-ca-*; do
      alias=$(openssl x509 -noout -text -in $CERT | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
      echo "Importing $alias"
      keytool -import -file ${CERT} -alias "${alias}" -storepass ${storepassword} -keystore ${truststore} -noprompt
      rm $CERT
    done

    rm ${mydir}/global-bundle.pem

    # List every alias in the trust store with its expiry date.
    echo "Trust store content is: "

    keytool -list -v -keystore "$truststore" -storepass ${storepassword} | grep Alias | cut -d " " -f3- | while read alias
    do
       expiry=`keytool -list -v -keystore "$truststore" -storepass ${storepassword} -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }'`
       echo " Certificate ${alias} expires in '$expiry'"
    done

SAMPLE SCRIPT FOR IMPORTING CERTIFICATES ON MACOS

The following is a sample shell script that imports the certificate bundle into a trust store on macOS.

    mydir=tmp/certs
    if [ ! -e "${mydir}" ]
    then
    mkdir -p "${mydir}"
    fi

    truststore=${mydir}/rds-truststore.jks
    # Default JKS password used by the sample; use your own password for a production trust store.
    storepassword=changeit

    # Download the global CA bundle from the RDS trust store endpoint.
    curl -sS "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" > ${mydir}/global-bundle.pem
    # BSD split(1) on macOS supports -p; split the bundle into one rds-ca-* file per certificate.
    split -p "-----BEGIN CERTIFICATE-----" ${mydir}/global-bundle.pem rds-ca-

    # Import each certificate, using its subject CN as the alias.
    for CERT in rds-ca-*; do
      alias=$(openssl x509 -noout -text -in $CERT | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
      echo "Importing $alias"
      keytool -import -file ${CERT} -alias "${alias}" -storepass ${storepassword} -keystore ${truststore} -noprompt
      rm $CERT
    done

    rm ${mydir}/global-bundle.pem

    # List every alias in the trust store with its expiry date.
    echo "Trust store content is: "

    keytool -list -v -keystore "$truststore" -storepass ${storepassword} | grep Alias | cut -d " " -f3- | while read alias
    do
       expiry=`keytool -list -v -keystore "$truststore" -storepass ${storepassword} -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }'`
       echo " Certificate ${alias} expires in '$expiry'"
    done
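Before running modify-db-instance across a fleet, it helps to know which instances are still on rds-ca-2019 and which engine versions will restart when the CA changes. The following added script (not part of the AWS documentation) applies the page's SupportsCertificateRotationWithoutRestart check to constructed samples of describe-db-instances and describe-db-engine-versions output; the instance names and version numbers are made up, and the modify-db-instance commands are only built as strings, never executed.

```python
OLD_CA = "rds-ca-2019"
NEW_CA = "rds-ca-rsa2048-g1"

# Constructed sample of `aws rds describe-db-instances` output (only the fields used here).
SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "mydbinstance", "CACertificateIdentifier": "rds-ca-2019",
     "Engine": "mysql", "EngineVersion": "8.0.32"},
    {"DBInstanceIdentifier": "reports-db", "CACertificateIdentifier": "rds-ca-2019",
     "Engine": "postgres", "EngineVersion": "11.9"},
    {"DBInstanceIdentifier": "already-done", "CACertificateIdentifier": "rds-ca-rsa2048-g1",
     "Engine": "mysql", "EngineVersion": "8.0.32"},
]}
# Constructed sample of `aws rds describe-db-engine-versions` output.
SAMPLE_ENGINE_VERSIONS = {"DBEngineVersions": [
    {"Engine": "mysql", "EngineVersion": "8.0.32",
     "SupportsCertificateRotationWithoutRestart": True},
    {"Engine": "postgres", "EngineVersion": "11.9",
     "SupportsCertificateRotationWithoutRestart": False},
]}


def rotation_without_restart(engine_versions):
    """Map (engine, version) -> SupportsCertificateRotationWithoutRestart."""
    return {(v["Engine"], v["EngineVersion"]):
            bool(v.get("SupportsCertificateRotationWithoutRestart", False))
            for v in engine_versions["DBEngineVersions"]}


def plan_ca_update(instances, engine_versions, old_ca=OLD_CA, new_ca=NEW_CA,
                   defer_restart=False):
    """One entry per instance still on old_ca: whether switching the CA restarts it
    and the modify-db-instance command to run. With defer_restart=True, instances
    that would restart get --no-certificate-rotation-restart (the option the doc
    names for that case)."""
    no_restart = rotation_without_restart(engine_versions)
    plan = []
    for inst in instances["DBInstances"]:
        if inst.get("CACertificateIdentifier") != old_ca:
            continue  # already moved off old_ca; nothing to do
        key = (inst["Engine"], inst["EngineVersion"])
        # Unknown engine/version pairs are treated conservatively as restarting.
        restarts = not no_restart.get(key, False)
        cmd = ["aws", "rds", "modify-db-instance",
               "--db-instance-identifier", inst["DBInstanceIdentifier"],
               "--ca-certificate-identifier", new_ca]
        if restarts and defer_restart:
            cmd.append("--no-certificate-rotation-restart")
        plan.append({"id": inst["DBInstanceIdentifier"], "restarts": restarts,
                     "command": " ".join(cmd)})
    return plan
```

Feed it the real JSON from the two describe commands (json.load on their output) to get the same plan for your own account; the commands still need --apply-immediately if you don't want to wait for the maintenance window.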