URL: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html


ROTATING YOUR SSL/TLS CERTIFICATE


The Amazon RDS Certificate Authority (CA) certificate rds-ca-2019 is set to
expire in August 2024. If you use or plan to use Secure Sockets Layer (SSL) or
Transport Layer Security (TLS) with certificate verification to connect to your
RDS DB instances, you should consider switching to one of the new CA
certificates: rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1. Even
if you do not currently use SSL/TLS with certificate verification, your DB
instances might still carry an expired CA certificate, and you must update them
to one of the new CA certificates if you plan to use SSL/TLS with certificate
verification to connect to your RDS databases.

Follow these instructions to complete your updates. Before you update your DB
instances to use the new CA certificate, make sure that you update your clients
or applications connecting to your RDS databases.

Amazon RDS provides new CA certificates as an AWS security best practice. For
information about the new certificates and the supported AWS Regions, see Using
SSL/TLS to encrypt a connection to a DB cluster.

NOTE

Amazon RDS Proxy and Aurora Serverless use certificates from the AWS Certificate
Manager (ACM). If you are using RDS Proxy, when you rotate your SSL/TLS
certificate, you don't need to update applications that use RDS Proxy
connections. For more information about using TLS/SSL with RDS Proxy, see Using
TLS/SSL with RDS Proxy.

If you are using Aurora Serverless, rotating your SSL/TLS certificate isn't
required. For more information about using TLS/SSL with Aurora Serverless, see
Using TLS/SSL with Aurora Serverless v1.

NOTE

If you are using a Go version 1.15 application with a DB instance that was
created or updated to the rds-ca-2019 certificate prior to July 28, 2020, you
must update the certificate again. Update the certificate to rds-ca-rsa2048-g1,
rds-ca-rsa4096-g1, or rds-ca-ecc384-g1 depending on your engine. Run the
modify-db-instance command shown in the AWS CLI section using the new CA
certificate identifier. You can find the CAs that are available for a specific
DB engine and DB engine version using the describe-db-engine-versions command.

If you created your DB instance or updated its certificate after July 28, 2020,
no action is required. For more information, see Go GitHub issue #39568.

TOPICS

 * Updating your CA certificate by modifying your DB instance
 * Updating your CA certificate by applying DB instance maintenance
 * Sample script for importing certificates into your trust store


UPDATING YOUR CA CERTIFICATE BY MODIFYING YOUR DB INSTANCE

Complete the following steps to update your CA certificate.

TO UPDATE YOUR CA CERTIFICATE BY MODIFYING YOUR DB INSTANCE

 1. Download the new SSL/TLS certificate as described in Using SSL/TLS to
    encrypt a connection to a DB cluster.

 2. Update your applications to use the new SSL/TLS certificate.
    
    The methods for updating applications for new SSL/TLS certificates depend on
    your specific applications. Work with your application developers to update
    the SSL/TLS certificates for your applications.
    
    For information about checking for SSL/TLS connections and updating
    applications for each DB engine, see the following topics:
    
     * Updating applications to connect to Aurora MySQL DB clusters using new
       TLS certificates
    
     * Updating applications to connect to Aurora PostgreSQL DB clusters using
       new SSL/TLS certificates
    
    For a sample script that updates a trust store for a Linux operating system,
    see Sample script for importing certificates into your trust store.
    
    NOTE
    
    The certificate bundle contains certificates for both the old and new CA, so
    you can upgrade your application safely and maintain connectivity during the
    transition period. If you are using the AWS Database Migration Service to
    migrate a database to a DB cluster, we recommend using the certificate
    bundle to ensure connectivity during the migration.

 3. Modify the DB instance to change the CA from rds-ca-2019 to
    rds-ca-rsa2048-g1.
    
    IMPORTANT
    
    By default, this operation restarts your DB instance. If you don't want to
    restart your DB instance during this operation, you can use the
    modify-db-instance CLI command and specify the
    --no-certificate-rotation-restart option.
    
    This option will not rotate the certificate until the next time the database
    restarts, either for planned or unplanned maintenance. Until that restart
    the instance keeps presenting its current server certificate, so clients
    that verify the server must keep trusting the old CA as well as the new
    one. This option is only recommended if you don't use SSL/TLS.
    
    If you are experiencing connectivity issues after certificate expiry, use
    the apply immediately option by specifying Apply immediately in the console
    or by specifying the --apply-immediately option using the AWS CLI. By
    default, this operation is scheduled to run during your next maintenance
    window.
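Two of the client-side points above, the Go 1.15 note at the top of this section and the note in step 2 that the bundle carries both the old and the new CA, can be checked offline. The following Go program is an added example written for this page, not AWS code and not the reproduction from the Go issue: it generates throw-away root and server certificates (no RDS material is used) and verifies them the way crypto/tls verifies a database endpoint. The endpoint name mydbinstance.example.com is hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// tmpl builds a throw-away certificate template named cn. Server templates get a
// DNS SAN only when withSAN is set; withSAN=false is the CN-only shape of
// rds-ca-2019 server certificates issued before July 28, 2020.
func tmpl(cn string, isCA, withSAN bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if withSAN {
		t.DNSNames = []string{cn}
	}
	return t
}

// newCert makes a P-256 key and signs t with parentKey (self-signed when parent is nil).
func newCert(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify is the check crypto/tls runs for a client: chain leaf to one of roots
// and match host against the leaf's names.
func verify(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

type Result struct{ CNOnlyRejected, OldOnlyFails, BundleWorks bool }

// RunScenarios issues an old and a new root, a CN-only leaf under the old root
// and a SAN leaf under the new one, then verifies them as a client would.
func RunScenarios(host string) (Result, error) {
	var r Result
	oldCA, oldKey, err := newCert(tmpl("Old Root CA", true, false), nil, nil)
	if err != nil {
		return r, err
	}
	newCA, newKey, err := newCert(tmpl("New Root CA", true, false), nil, nil)
	if err != nil {
		return r, err
	}
	cnLeaf, _, err := newCert(tmpl(host, false, false), oldCA, oldKey)
	if err != nil {
		return r, err
	}
	sanLeaf, _, err := newCert(tmpl(host, false, true), newCA, newKey)
	if err != nil {
		return r, err
	}
	hostErr, unknown := x509.HostnameError{}, x509.UnknownAuthorityError{}
	// Go 1.15+ rejects the CN-only leaf even though its root is trusted.
	r.CNOnlyRejected = errors.As(verify(cnLeaf, host, oldCA), &hostErr)
	// A trust store holding only the old root cannot chain the rotated leaf.
	r.OldOnlyFails = errors.As(verify(sanLeaf, host, oldCA), &unknown)
	// The bundle with both roots keeps connectivity across the rotation.
	r.BundleWorks = verify(sanLeaf, host, oldCA, newCA) == nil
	return r, nil
}

func main() {
	r, err := RunScenarios("mydbinstance.example.com") // hypothetical endpoint name
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

On a Go 1.15 or later toolchain all three fields come back true: the CN-only certificate fails with a HostnameError even though its root is trusted, the rotated server certificate fails against a trust store that holds only the old root, and the two-root bundle succeeds. This is why the trust store must be updated before the rotation is applied, and why the bundle, not just the new root, is the safe thing to install.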

You can use the AWS Management Console or the AWS CLI to change the CA
certificate from rds-ca-2019 to rds-ca-rsa2048-g1 for a DB instance.

TO CHANGE THE CA FROM RDS-CA-2019 TO RDS-CA-RSA2048-G1 FOR A DB INSTANCE

 1. Sign in to the AWS Management Console and open the Amazon RDS console at
    https://console.aws.amazon.com/rds/.

 2. In the navigation pane, choose Databases, and then choose the DB instance
    that you want to modify.

 3. Choose Modify.
    
    The Modify DB Instance page appears.

 4. In the Connectivity section, choose rds-ca-rsa2048-g1 as the certificate
    authority.

 5. Choose Continue and check the summary of modifications.

 6. To apply the changes immediately, choose Apply immediately.
    
    IMPORTANT
    
    Choosing this option restarts your database immediately.

 7. On the confirmation page, review your changes. If they are correct, choose
    Modify DB Instance to save your changes.
    
    IMPORTANT
    
    When you schedule this operation, make sure that you have updated your
    client-side trust store beforehand.
    
    Or choose Back to edit your changes or Cancel to cancel your changes.



To use the AWS CLI to change the CA from rds-ca-2019 to rds-ca-rsa2048-g1 for a
DB instance, call the modify-db-instance command. Specify the DB instance
identifier and the --ca-certificate-identifier option.

IMPORTANT

When you schedule this operation, make sure that you have updated your
client-side trust store beforehand.

EXAMPLE

The following code modifies mydbinstance by setting the CA certificate to
rds-ca-rsa2048-g1. The changes are applied during the next maintenance window
by using --no-apply-immediately. Use --apply-immediately to apply the changes
immediately.

IMPORTANT

By default, this operation reboots your DB instance. If you don't want to reboot
your DB instance during this operation, you can use the modify-db-instance CLI
command and specify the --no-certificate-rotation-restart option.

This option will not rotate the certificate until the next time the database
restarts, either for planned or unplanned maintenance. This option is only
recommended if you do not use SSL/TLS.

For Linux, macOS, or Unix:

aws rds modify-db-instance \
    --db-instance-identifier mydbinstance \
    --ca-certificate-identifier rds-ca-rsa2048-g1 \
    --no-apply-immediately

For Windows:

aws rds modify-db-instance ^
    --db-instance-identifier mydbinstance ^
    --ca-certificate-identifier rds-ca-rsa2048-g1 ^
    --no-apply-immediately
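The command above is easy to run once, but across a fleet you first need the list of instances still on rds-ca-2019 and, as the describe-db-engine-versions note at the top of this section says, the CA identifiers each engine version supports. The Go program below is an added example, not AWS tooling: it plans the modify-db-instance calls from the JSON of those two describe commands. The JSON samples are constructed for the example, and their field names (DBInstances[].CACertificateIdentifier, DBEngineVersions[].SupportedCACertificateIdentifiers) are assumed from the CLI's JSON output; confirm them against a real run before relying on the plan.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample of `aws rds describe-db-instances --output json`. The field
// names are assumed from that output; confirm them against a real run.
const instancesJSON = `{"DBInstances": [
 {"DBInstanceIdentifier": "mydbinstance", "Engine": "aurora-postgresql",
  "EngineVersion": "15.3", "CACertificateIdentifier": "rds-ca-2019"},
 {"DBInstanceIdentifier": "reporting-2", "Engine": "aurora-mysql",
  "EngineVersion": "8.0.mysql_aurora.3.04.0", "CACertificateIdentifier": "rds-ca-2019"},
 {"DBInstanceIdentifier": "already-done", "Engine": "aurora-postgresql",
  "EngineVersion": "15.3", "CACertificateIdentifier": "rds-ca-rsa2048-g1"}]}`

// Constructed sample of `aws rds describe-db-engine-versions --output json`;
// SupportedCACertificateIdentifiers is likewise an assumed field name.
const versionsJSON = `{"DBEngineVersions": [
 {"Engine": "aurora-postgresql", "EngineVersion": "15.3",
  "SupportedCACertificateIdentifiers": ["rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1", "rds-ca-ecc384-g1"]},
 {"Engine": "aurora-mysql", "EngineVersion": "8.0.mysql_aurora.3.04.0",
  "SupportedCACertificateIdentifiers": ["rds-ca-rsa2048-g1", "rds-ca-ecc384-g1"]}]}`

type instanceList struct {
	DBInstances []struct{ DBInstanceIdentifier, Engine, EngineVersion, CACertificateIdentifier string }
}

type versionList struct {
	DBEngineVersions []struct {
		Engine, EngineVersion             string
		SupportedCACertificateIdentifiers []string
	}
}

// Step is one planned modify-db-instance call.
type Step struct{ Instance, TargetCA, Command string }

// PlanRotation lists every instance still on oldCA and assigns the first CA in
// preferred that its engine version supports. An instance with no supported
// choice is reported as an error rather than silently skipped.
func PlanRotation(instances, versions []byte, oldCA string, preferred []string) ([]Step, error) {
	var inst instanceList
	var vers versionList
	if err := json.Unmarshal(instances, &inst); err != nil {
		return nil, err
	}
	if err := json.Unmarshal(versions, &vers); err != nil {
		return nil, err
	}
	supported := map[string]map[string]bool{} // "engine/version" -> CA -> true
	for _, v := range vers.DBEngineVersions {
		key := v.Engine + "/" + v.EngineVersion
		supported[key] = map[string]bool{}
		for _, ca := range v.SupportedCACertificateIdentifiers {
			supported[key][ca] = true
		}
	}
	var plan []Step
	for _, i := range inst.DBInstances {
		if i.CACertificateIdentifier != oldCA {
			continue
		}
		key, target := i.Engine+"/"+i.EngineVersion, ""
		for _, ca := range preferred {
			if supported[key][ca] {
				target = ca
				break
			}
		}
		if target == "" {
			return nil, fmt.Errorf("%s: none of %v is supported by %s", i.DBInstanceIdentifier, preferred, key)
		}
		// Defer to the maintenance window as on the page; switch to
		// --apply-immediately only once every client trusts the new CA.
		cmd := strings.Join([]string{"aws rds modify-db-instance",
			"--db-instance-identifier " + i.DBInstanceIdentifier,
			"--ca-certificate-identifier " + target, "--no-apply-immediately"}, " \\\n    ")
		plan = append(plan, Step{i.DBInstanceIdentifier, target, cmd})
	}
	return plan, nil
}

func main() {
	preferred := []string{"rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1", "rds-ca-ecc384-g1"}
	plan, err := PlanRotation([]byte(instancesJSON), []byte(versionsJSON), "rds-ca-2019", preferred)
	if err != nil {
		panic(err)
	}
	for _, s := range plan {
		fmt.Println(s.Command)
	}
}
```

Feed it the real output of the two describe commands (run per Region, since both list only the current Region) and review the printed commands before running them; the instance already on rds-ca-rsa2048-g1 is left out, and an instance whose engine version supports none of your preferred CAs stops the plan instead of producing a command that the API would reject.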




UPDATING YOUR CA CERTIFICATE BY APPLYING DB INSTANCE MAINTENANCE

Complete the following steps to update your CA certificate by applying DB
instance maintenance.

TO UPDATE YOUR CA CERTIFICATE BY APPLYING DB INSTANCE MAINTENANCE

 1. Download the new SSL/TLS certificate as described in Using SSL/TLS to
    encrypt a connection to a DB cluster.

 2. Update your database applications to use the new SSL/TLS certificate.
    
    The methods for updating applications for new SSL/TLS certificates depend on
    your specific applications. Work with your application developers to update
    the SSL/TLS certificates for your applications.
    
    For information about checking for SSL/TLS connections and updating
    applications for each DB engine, see the following topics:
    
     * Updating applications to connect to Aurora MySQL DB clusters using new
       TLS certificates
    
     * Updating applications to connect to Aurora PostgreSQL DB clusters using
       new SSL/TLS certificates
    
    For a sample script that updates a trust store for a Linux operating system,
    see Sample script for importing certificates into your trust store.
    
    NOTE
    
    The certificate bundle contains certificates for both the old and new CA, so
    you can upgrade your application safely and maintain connectivity during the
    transition period.

 3. Apply DB instance maintenance to change the CA from rds-ca-2019 to
    rds-ca-rsa2048-g1.
    
    IMPORTANT
    
    You can choose to apply the change immediately. By default, this operation
    is scheduled to run during your next maintenance window.

You can use the AWS Management Console to apply DB instance maintenance to
change the CA certificate from rds-ca-2019 to rds-ca-rsa2048-g1 for multiple DB
instances.


UPDATING YOUR CA CERTIFICATE BY APPLYING MAINTENANCE TO MULTIPLE DB INSTANCES

Use the AWS Management Console to change the CA certificate for multiple DB
instances.

TO CHANGE THE CA FROM RDS-CA-2019 TO RDS-CA-RSA2048-G1 FOR MULTIPLE DB INSTANCES

 1. Sign in to the AWS Management Console and open the Amazon RDS console at
    https://console.aws.amazon.com/rds/.

 2. In the navigation pane, choose Databases.
    
    In the navigation pane, there is a Certificate update option that shows the
    total number of affected DB instances. Choose Certificate update in the
    navigation pane.
    
    The Update your Amazon RDS SSL/TLS certificates page appears.
    
    NOTE
    
    This page only shows the DB instances for the current AWS Region. If you
    have DB instances in more than one AWS Region, check this page in each AWS
    Region to see all DB instances with old SSL/TLS certificates.

 3. Choose the DB instance you want to update.
    
    You can schedule the certificate rotation for your next maintenance window
    by choosing Update at the next maintenance window. Apply the rotation
    immediately by choosing Update now.
    
    IMPORTANT
    
    When your CA certificate is rotated, the operation restarts your DB
    instance.
    
    If you experience connectivity issues after certificate expiry, use the
    Update now option.

 4. If you choose Update at the next maintenance window or Update now, you are
    prompted to confirm the CA certificate rotation.
    
    IMPORTANT
    
    Before scheduling the CA certificate rotation on your database, update any
    client applications that use SSL/TLS and the server certificate to connect.
    These updates are specific to your DB engine. To determine whether your
    applications use SSL/TLS and the server certificate to connect, see Step 2:
    Update Your Database Applications to Use the New SSL/TLS Certificate. After
    you have updated these client applications, you can confirm the CA
    certificate rotation.
    
    To continue, choose the check box, and then choose Confirm.

 5. Repeat steps 3 and 4 for each DB instance that you want to update.


SAMPLE SCRIPT FOR IMPORTING CERTIFICATES INTO YOUR TRUST STORE

The following are sample shell scripts that import the certificate bundle into a
trust store.

Each sample shell script uses keytool, which is part of the Java Development Kit
(JDK). For information about installing the JDK, see JDK Installation Guide.

TOPICS

 * Sample script for importing certificates on Linux
 * Sample script for importing certificates on macOS


SAMPLE SCRIPT FOR IMPORTING CERTIFICATES ON LINUX

The following is a sample shell script that imports the certificate bundle into
a trust store on a Linux operating system.


mydir=tmp/certs
if [ ! -e "${mydir}" ]; then
  mkdir -p "${mydir}"
fi

truststore=${mydir}/rds-truststore.jks
storepassword=changeit

# Download the bundle, which contains both the old and the new CA certificates.
curl -sS "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" > "${mydir}/global-bundle.pem"

# Split the bundle into one file per certificate (rds-ca-.pem, rds-ca-1.pem, ...).
awk 'split_after == 1 {n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1}{print > "rds-ca-" n ".pem"}' < "${mydir}/global-bundle.pem"

# Import each certificate, using its subject CN as the keystore alias.
for CERT in rds-ca-*; do
  alias=$(openssl x509 -noout -text -in "$CERT" | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
  echo "Importing $alias"
  keytool -import -file "${CERT}" -alias "${alias}" -storepass "${storepassword}" -keystore "${truststore}" -noprompt
  rm "$CERT"
done

rm "${mydir}/global-bundle.pem"

# List every imported certificate with its expiry date, so an old CA that
# is about to expire is visible before the rotation.
echo "Trust store content is: "

keytool -list -v -keystore "$truststore" -storepass "${storepassword}" | grep Alias | cut -d " " -f3- | while read -r alias
do
   expiry=$(keytool -list -v -keystore "$truststore" -storepass "${storepassword}" -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')
   echo " Certificate ${alias} expires on '$expiry'"
done



SAMPLE SCRIPT FOR IMPORTING CERTIFICATES ON MACOS

The following is a sample shell script that imports the certificate bundle into
a trust store on macOS.


mydir=tmp/certs
if [ ! -e "${mydir}" ]; then
  mkdir -p "${mydir}"
fi

truststore=${mydir}/rds-truststore.jks
storepassword=changeit

# Download the bundle, which contains both the old and the new CA certificates.
curl -sS "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" > "${mydir}/global-bundle.pem"

# BSD split(1) -p starts a new file (rds-ca-aa, rds-ca-ab, ...) at each certificate.
split -p "-----BEGIN CERTIFICATE-----" "${mydir}/global-bundle.pem" rds-ca-

# Import each certificate, using its subject CN as the keystore alias.
for CERT in rds-ca-*; do
  alias=$(openssl x509 -noout -text -in "$CERT" | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
  echo "Importing $alias"
  keytool -import -file "${CERT}" -alias "${alias}" -storepass "${storepassword}" -keystore "${truststore}" -noprompt
  rm "$CERT"
done

rm "${mydir}/global-bundle.pem"

# List every imported certificate with its expiry date, so an old CA that
# is about to expire is visible before the rotation.
echo "Trust store content is: "

keytool -list -v -keystore "$truststore" -storepass "${storepassword}" | grep Alias | cut -d " " -f3- | while read -r alias
do
   expiry=$(keytool -list -v -keystore "$truststore" -storepass "${storepassword}" -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')
   echo " Certificate ${alias} expires on '$expiry'"
done


© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.