Announcement: RDS/Aurora SSL/TLS Certificates are expiring between May and October 2024

3 minute read
Content level: Foundational

Inform RDS and Aurora users of expiring SSL/TLS Certificates

What is happening?

RDS Certificate Authority (CA) Certificates are expiring between May and October 2024 in most commercial regions. RDS used to have CAs with 5 year validity. The most recent one being the rds-ca-2019 CA. This will be one of the last rounds of campaigns for rotating the short lived CAs, as we are moving towards long-term CAs with 40 or 100 years validity. The rds-ca-2019 CA will expire on May 8, 2024 (me-south-1), August 22, 2024 (ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-south-1, ap-southeast-1, ap-southeast-2, ca-central-1, eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3, sa-east-1, us-east-1, us-east-2, us-west-1, us-west-2), September 9, 2024 (cn-north-1, cn-northwest-1), October 26, 2024 (af-south-1), and October 28 (eu-south-1) depending on the region.

What do I need to do?

Before this date you will need to first add new CA certificates to the trust stores in your client applications, and then update the certificates on your databases to the latest issued version to avoid losing SSL/TLS connectivity to the existing database instances. Therefore, we recommend considering the time needed to verify your changes in a staging environment before introducing them into production.

Why does this matter?

To protect communications with database instances, a CA generates time-bound certificates that are checked by the database client software to authenticate any database instance before exchanging information. Following industry best practices, AWS renews the CA and creates new certificates on a routine basis to ensure customer connections are properly protected for years to come. Failing to update the server certificate can not only affect future secure connectivity, but also some clients that do not use SSL require a valid certificate on the instance before establishing an initial connection. Because of these types of issues we recommend even if you are not using SSL you should keep your certificate valid to avoid future issues.

How can I determine the database(s) I need to update?

Many of you have received alerts to your AWS Health Dashboard [1], along with email notices describing the affected resources in your account(s). To access more information, and download affected resources navigate to your Event Log and filter for event ‘RDS planned lifecycle event’ or click the provided Personal Health Dashboard link [2]. For more information about how to make the needed updates see our blog [3].

If you have any questions or concerns, the AWS Support Team is available on AWS re:Post and via Premium Support [4]