URL: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

Rotating your SSL/TLS certificate - Amazon Relational Database Service


ROTATING YOUR SSL/TLS CERTIFICATE


The Amazon RDS Certificate Authority (CA) certificate rds-ca-2019 is set to
expire in August 2024. If you use or plan to use Secure Sockets Layer (SSL) or
Transport Layer Security (TLS) with certificate verification to connect to your
RDS DB instances, you should consider using one of the new CA certificates
rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1. If you currently do
not use SSL/TLS with certificate verification, your DB instance might still
carry an expired CA certificate, and you must update it to a new CA certificate
if you plan to use SSL/TLS with certificate verification to connect to your RDS
databases.

Follow these instructions to complete your updates. Before you update your DB
instances to use the new CA certificate, make sure that you update your clients
or applications connecting to your RDS databases.

Amazon RDS provides new CA certificates as an AWS security best practice. For
information about the new certificates and the supported AWS Regions, see Using
SSL/TLS to encrypt a connection to a DB instance.

NOTE

Amazon RDS Proxy uses certificates from the AWS Certificate Manager (ACM). If
you are using RDS Proxy, when you rotate your SSL/TLS certificate, you don't
need to update applications that use RDS Proxy connections. For more information
about using TLS/SSL with RDS Proxy, see Using TLS/SSL with RDS Proxy.

NOTE

If you are using a Go version 1.15 application with a DB instance that was
created or updated to the rds-ca-2019 certificate prior to July 28, 2020, you
must update the certificate again. Update the certificate to rds-ca-rsa2048-g1,
rds-ca-rsa4096-g1, or rds-ca-ecc384-g1, depending on your engine. Run the
modify-db-instance command shown in the AWS CLI section using the new CA
certificate identifier. You can find the CAs that are available for a specific
DB engine and DB engine version using the describe-db-engine-versions command.

If you created your DB instance or updated its certificate after July 28, 2020,
no action is required. For more information, see Go GitHub issue #39568.
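The two CLI commands this note names can be driven from a short audit script. The following is an added example, not code from the AWS documentation: it reads the JSON that `aws rds describe-db-instances` and `aws rds describe-db-engine-versions` print (constructed sample data stands in for real output), works out which instances still use rds-ca-2019, whether the chosen CA appears in that engine version's `SupportedCACertificateIdentifiers`, and whether `SupportsCertificateRotationWithoutRestart` is false, and emits the `modify-db-instance --ca-certificate-identifier` command to run. Which CAs the sample engine versions offer, and whether they restart, is invented for the sample.

```python
"""Plan an RDS CA certificate rotation from AWS CLI output.

Added example, not AWS documentation code. It reads the JSON printed by
`aws rds describe-db-instances` and `aws rds describe-db-engine-versions`,
and for every instance decides whether it still uses the retiring
rds-ca-2019 CA, whether the chosen new CA is offered for its engine
version, whether the change will restart the instance, and emits the
`aws rds modify-db-instance` command to run. The JSON below is a
constructed sample; the field names are the ones the RDS API returns.
"""
import json
import shlex
from dataclasses import dataclass
from typing import Dict, Optional

OLD_CA = "rds-ca-2019"
NEW_CAS = ("rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1", "rds-ca-ecc384-g1")

# Constructed, trimmed sample of `aws rds describe-db-instances` output.
SAMPLE_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
     "EngineVersion": "8.0.33", "CACertificateIdentifier": "rds-ca-2019"},
    {"DBInstanceIdentifier": "reports-db", "Engine": "postgres",
     "EngineVersion": "14.7", "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
    {"DBInstanceIdentifier": "legacy-db", "Engine": "oracle-ee",
     "EngineVersion": "19.0.0.0.ru-2023-01.rur-2023-01.r1",
     "CACertificateIdentifier": "rds-ca-2019"},
]})

# Constructed, trimmed sample of `aws rds describe-db-engine-versions` output.
# Which CAs an engine version offers, and whether it can rotate without a
# restart, are invented here; read the real values from your own account.
SAMPLE_ENGINE_VERSIONS = json.dumps({"DBEngineVersions": [
    {"Engine": "mysql", "EngineVersion": "8.0.33",
     "SupportsCertificateRotationWithoutRestart": True,
     "SupportedCACertificateIdentifiers": [OLD_CA, *NEW_CAS]},
    {"Engine": "postgres", "EngineVersion": "14.7",
     "SupportsCertificateRotationWithoutRestart": True,
     "SupportedCACertificateIdentifiers": [OLD_CA, *NEW_CAS]},
    {"Engine": "oracle-ee", "EngineVersion": "19.0.0.0.ru-2023-01.rur-2023-01.r1",
     "SupportsCertificateRotationWithoutRestart": False,
     "SupportedCACertificateIdentifiers": [OLD_CA, "rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1"]},
]})


@dataclass
class RotationPlan:
    instance: str
    current_ca: str
    action: str              # "rotate", "skip" (already on a new CA) or "unsupported"
    restart: bool            # True if applying the change restarts the instance
    command: Optional[str]   # modify-db-instance command, or None when not rotating


def index_engine_versions(engine_versions_json: str) -> dict:
    """Key describe-db-engine-versions records by (engine, version)."""
    data = json.loads(engine_versions_json)
    return {(v["Engine"], v["EngineVersion"]): v for v in data["DBEngineVersions"]}


def plan_rotation(instances_json: str, engine_versions_json: str,
                  target_ca: str, apply_immediately: bool = False) -> Dict[str, RotationPlan]:
    """Build a per-instance rotation plan towards target_ca."""
    if target_ca not in NEW_CAS:
        raise ValueError(f"{target_ca} is not one of the new RDS CAs: {NEW_CAS}")
    versions = index_engine_versions(engine_versions_json)
    plans: Dict[str, RotationPlan] = {}
    for inst in json.loads(instances_json)["DBInstances"]:
        name = inst["DBInstanceIdentifier"]
        current = inst.get("CACertificateIdentifier", "")
        if current in NEW_CAS:
            # Already issued from a current CA: nothing to rotate.
            plans[name] = RotationPlan(name, current, "skip", False, None)
            continue
        ev = versions.get((inst["Engine"], inst["EngineVersion"]))
        if ev is None or target_ca not in ev.get("SupportedCACertificateIdentifiers", []):
            # This engine version does not offer the chosen CA: pick another one.
            plans[name] = RotationPlan(name, current, "unsupported", False, None)
            continue
        # The page's check: no restart only when this flag is true.
        restart = not ev.get("SupportsCertificateRotationWithoutRestart", False)
        cmd = ["aws", "rds", "modify-db-instance",
               "--db-instance-identifier", name,
               "--ca-certificate-identifier", target_ca,
               "--apply-immediately" if apply_immediately else "--no-apply-immediately"]
        plans[name] = RotationPlan(name, current, "rotate", restart, shlex.join(cmd))
    return plans


if __name__ == "__main__":
    for p in plan_rotation(SAMPLE_INSTANCES, SAMPLE_ENGINE_VERSIONS, "rds-ca-rsa2048-g1").values():
        note = " (restarts the instance)" if p.restart else ""
        print(f"{p.instance}: {p.action}{note}")
        if p.command:
            print("  " + p.command)
```

Pipe real output into it with `aws rds describe-db-instances --output json` and `aws rds describe-db-engine-versions --output json` in place of the sample strings; instances marked "rotate" with `restart` set should be scheduled into a maintenance window rather than applied immediately.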

TOPICS

 * Updating your CA certificate by modifying your DB instance
 * Updating your CA certificate by applying DB instance maintenance
 * Automatic server certificate rotation
 * Sample script for importing certificates into your trust store


UPDATING YOUR CA CERTIFICATE BY MODIFYING YOUR DB INSTANCE

The following example updates your CA certificate from rds-ca-2019 to
rds-ca-rsa2048-g1. You can choose a different certificate. For more information,
see Certificate authorities.

TO UPDATE YOUR CA CERTIFICATE BY MODIFYING YOUR DB INSTANCE

 1. Download the new SSL/TLS certificate as described in Using SSL/TLS to
    encrypt a connection to a DB instance.

 2. Update your applications to use the new SSL/TLS certificate.
    
    The methods for updating applications for new SSL/TLS certificates depend on
    your specific applications. Work with your application developers to update
    the SSL/TLS certificates for your applications.
    
    For information about checking for SSL/TLS connections and updating
    applications for each DB engine, see the following topics:
    
     * Updating applications to connect to MariaDB instances using new SSL/TLS
       certificates
    
     * Updating applications to connect to Microsoft SQL Server DB instances
       using new SSL/TLS certificates
    
     * Updating applications to connect to MySQL DB instances using new SSL/TLS
       certificates
    
     * Updating applications to connect to Oracle DB instances using new SSL/TLS
       certificates
    
     * Updating applications to connect to PostgreSQL DB instances using new
       SSL/TLS certificates
    
    For a sample script that updates a trust store for a Linux operating system,
    see Sample script for importing certificates into your trust store.
    
    NOTE
    
    The certificate bundle contains certificates for both the old and new CA, so
    you can upgrade your application safely and maintain connectivity during the
    transition period. If you are using the AWS Database Migration Service to
    migrate a database to a DB instance, we recommend using the certificate
    bundle to ensure connectivity during the migration.

 3. Modify the DB instance to change the CA from rds-ca-2019 to
    rds-ca-rsa2048-g1. To check if your database requires a restart to update
    the CA certificates, use the describe-db-engine-versions command and check
    the SupportsCertificateRotationWithoutRestart flag.
    
    IMPORTANT
    
    If you are experiencing connectivity issues after certificate expiry, use
    the apply immediately option by specifying Apply immediately in the console
    or by specifying the --apply-immediately option using the AWS CLI. By
    default, this operation is scheduled to run during your next maintenance
    window.
    
    To set an override for your instance CA that's different from the default
    RDS CA, use the modify-certificates CLI command.

You can use the AWS Management Console or the AWS CLI to change the CA
certificate from rds-ca-2019 to rds-ca-rsa2048-g1 for a DB instance.

 1. Sign in to the AWS Management Console and open the Amazon RDS console at
    https://console.aws.amazon.com/rds/.

 2. In the navigation pane, choose Databases, and then choose the DB instance
    that you want to modify.

 3. Choose Modify.
    
    The Modify DB Instance page appears.

 4. In the Connectivity section, choose rds-ca-rsa2048-g1.

 5. Choose Continue and check the summary of modifications.

 6. To apply the changes immediately, choose Apply immediately.

 7. On the confirmation page, review your changes. If they are correct, choose
    Modify DB Instance to save your changes.
    
    IMPORTANT
    
    When you schedule this operation, make sure that you have updated your
    client-side trust store beforehand.
    
    Or choose Back to edit your changes or Cancel to cancel your changes.


To use the AWS CLI to change the CA from rds-ca-2019 to rds-ca-rsa2048-g1 for a
DB instance, call the modify-db-instance command. Specify the DB instance
identifier and the --ca-certificate-identifier option.

IMPORTANT

When you schedule this operation, make sure that you have updated your
client-side trust store beforehand.

The following code modifies mydbinstance by setting the CA certificate to
rds-ca-rsa2048-g1.

IMPORTANT

Use --apply-immediately to apply the update immediately. By default, this
operation is scheduled to run during your next maintenance window.

For Linux, macOS, or Unix:

aws rds modify-db-instance \
    --db-instance-identifier mydbinstance \
    --ca-certificate-identifier rds-ca-rsa2048-g1 

For Windows:

aws rds modify-db-instance ^
    --db-instance-identifier mydbinstance ^
    --ca-certificate-identifier rds-ca-rsa2048-g1

NOTE

If your instance requires a reboot, you can use the modify-db-instance CLI
command and specify the --no-certificate-rotation-restart option.


UPDATING YOUR CA CERTIFICATE BY APPLYING DB INSTANCE MAINTENANCE

Complete the following steps to update your CA certificate by applying DB
instance maintenance.

TO UPDATE YOUR CA CERTIFICATE BY APPLYING DB INSTANCE MAINTENANCE

 1. Sign in to the AWS Management Console and open the Amazon RDS console at
    https://console.aws.amazon.com/rds/.

 2. In the navigation pane, choose Databases.
    
    In the navigation pane, there is a Certificate update option that shows the
    total number of affected DB instances.
    
    
    
    Choose Certificate update in the navigation pane.
    
    The Databases requiring certificate update page appears.
    
    
    
    NOTE
    
    This page only shows the DB instances for the current AWS Region. If you
    have DB instances in more than one AWS Region, check this page in each AWS
    Region to see all DB instances with old SSL/TLS certificates.

 3. Choose the DB instance you want to update.
    
    You can schedule the certificate rotation for your next maintenance window
    by choosing Schedule. Apply the rotation immediately by choosing Apply now.
    
    IMPORTANT
    
    If you experience connectivity issues after certificate expiry, use the
    Apply now option.

 4. 1. If you choose Schedule, you are prompted to confirm the CA certificate
       rotation. This prompt also states the scheduled window for your update.
    
    2. If you choose Apply now, you are prompted to confirm the CA certificate
       rotation.
    
    IMPORTANT
    
    Before scheduling the CA certificate rotation on your database, update any
    client applications that use SSL/TLS and the server certificate to connect.
    These updates are specific to your DB engine. After you have updated these
    client applications, you can confirm the CA certificate rotation.
    
    To continue, choose the check box, and then choose Confirm.

 5. Repeat steps 3 and 4 for each DB instance that you want to update.


AUTOMATIC SERVER CERTIFICATE ROTATION

If your CA supports automatic server certificate rotation, RDS automatically
handles the rotation of the DB server certificate. RDS uses the same root CA for
this automatic rotation, so you don't need to download a new CA bundle. See
Certificate authorities.

The rotation and validity of your DB server certificate depend on your DB
engine:

 * If your DB engine supports rotation without restart, RDS automatically
   rotates the DB server certificate without requiring any action from you. RDS
   attempts to rotate your DB server certificate in your preferred maintenance
   window when the certificate reaches its half-life. The new DB server
   certificate is valid for 12 months.

 * If your DB engine doesn't support rotation without restart, RDS notifies you
   about a maintenance event at least 6 months before the DB server certificate
   expires. The new DB server certificate is valid for 36 months.

Use the describe-db-engine-versions command and inspect the
SupportsCertificateRotationWithoutRestart flag to identify whether the DB engine
version supports rotating the certificate without restart. For more information,
see Setting the CA for your database.


SAMPLE SCRIPT FOR IMPORTING CERTIFICATES INTO YOUR TRUST STORE

The following are sample shell scripts that import the certificate bundle into a
trust store.

Each sample shell script uses keytool, which is part of the Java Development Kit
(JDK). For information about installing the JDK, see JDK Installation Guide.

TOPICS

 * Sample script for importing certificates on Linux
 * Sample script for importing certificates on macOS


SAMPLE SCRIPT FOR IMPORTING CERTIFICATES ON LINUX

The following is a sample shell script that imports the certificate bundle into
a trust store on a Linux operating system.


#!/bin/bash
# Working directory for the downloaded bundle and the resulting trust store
mydir=tmp/certs
if [ ! -e "${mydir}" ]
then
mkdir -p "${mydir}"
fi

truststore=${mydir}/rds-truststore.jks
storepassword=changeit

# Download the combined bundle (old and new CAs) and split it into one PEM file per certificate
curl -sS "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" > ${mydir}/global-bundle.pem
awk 'split_after == 1 {n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1}{print > "rds-ca-" n ".pem"}' < ${mydir}/global-bundle.pem

# Import each certificate into the trust store, using its subject CN as the alias
for CERT in rds-ca-*; do
  alias=$(openssl x509 -noout -text -in $CERT | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
  echo "Importing $alias"
  keytool -import -file ${CERT} -alias "${alias}" -storepass ${storepassword} -keystore ${truststore} -noprompt
  rm $CERT
done

rm ${mydir}/global-bundle.pem

# List every imported certificate together with its expiry date
echo "Trust store content is: "

keytool -list -v -keystore "$truststore" -storepass ${storepassword} | grep Alias | cut -d " " -f3- | while read alias
do
   expiry=$(keytool -list -v -keystore "$truststore" -storepass ${storepassword} -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')
   echo " Certificate ${alias} expires in '$expiry'"
done


SAMPLE SCRIPT FOR IMPORTING CERTIFICATES ON MACOS

The following is a sample shell script that imports the certificate bundle into
a trust store on macOS.


#!/bin/bash
# Working directory for the downloaded bundle and the resulting trust store
mydir=tmp/certs
if [ ! -e "${mydir}" ]
then
mkdir -p "${mydir}"
fi

truststore=${mydir}/rds-truststore.jks
storepassword=changeit

# Download the combined bundle (old and new CAs) and split it into one file per certificate
# (split -p is the BSD option available on macOS)
curl -sS "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" > ${mydir}/global-bundle.pem
split -p "-----BEGIN CERTIFICATE-----" ${mydir}/global-bundle.pem rds-ca-

# Import each certificate into the trust store, using its subject CN as the alias
for CERT in rds-ca-*; do
  alias=$(openssl x509 -noout -text -in $CERT | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
  echo "Importing $alias"
  keytool -import -file ${CERT} -alias "${alias}" -storepass ${storepassword} -keystore ${truststore} -noprompt
  rm $CERT
done

rm ${mydir}/global-bundle.pem

# List every imported certificate together with its expiry date
echo "Trust store content is: "

keytool -list -v -keystore "$truststore" -storepass ${storepassword} | grep Alias | cut -d " " -f3- | while read alias
do
   expiry=$(keytool -list -v -keystore "$truststore" -storepass ${storepassword} -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')
   echo " Certificate ${alias} expires in '$expiry'"
done

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.