Please note that rds-ca-rsa2048-g1 supports automatic server certificate rotation, which means AWS takes care of the rotation and customers can't control it. You cannot perform manual rotation of the DB server certificate. This activity happens in the maintenance window and, depending on the engine, may need a restart. If the engine needs a restart, RDS notifies you about a maintenance event at least 6 months before the DB server certificate expires.
If your engine supports rotation without restart then RDS attempts to rotate your DB server certificate in your preferred maintenance window at the DB server certificate half life.
Use the "describe-db-engine-versions" command and inspect the "SupportsCertificateRotationWithoutRestart" flag to identify whether the DB engine version supports rotating the certificate without restart.
As part of security practice, AWS handles certificate rotation, and customers have no control over the rotation. Apologies for any inconvenience caused from our end due to the restriction on rotating the certificate.
However if you want to test your application how it behaves during the certificate change (e.g., from rds-ca-rsa2048-g1 to rds-ca-rsa4096-g1), you can make a copy of your RDS instance by restoring the snapshot and then you can manually switch your DB instance to a newer CA.
When a client, such as psql or JDBC, is configured with SSL support, the client first tries to connect to the database with SSL by default. If the client can't connect with SSL, it reverts to connecting without SSL. The default sslmode used for both libpq-based clients (such as psql) and JDBC is set to prefer. The certificate on the server is verified only when sslrootcert is provided with sslmode set to verify-ca or verify-full. For more information, please review the following:
- https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/ssl-certificate-rotation-aurora-postgresql.html#ssl-certificate-rotation-aurora-postgresql.updating-trust-store
- https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html
Regarding your query: "If there is no way to initiate the automatic rotation, what changes does the application need to make to connect to the DB when the DB server certificate is automatically rotated?"
Please note that during this automatic rotation process there will be no downtime/restart; the user experience remains unchanged when RDS automatically rotates the DB certificates, so this rotation is not user visible. If your root CA supports automatic server certificate rotation, RDS automatically handles the rotation of the DB server certificate. RDS uses the same root CA for this automatic rotation, so you don't need to download a new CA bundle.
- https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html#UsingWithRDS.SSL-certificate-rotation-server-cert-rotation
For manual rotation [1], you can use the Amazon RDS console to modify the DB instance you want to rotate. You have two options for timing the rotation - either choose "Apply now" for immediate rotation or "Schedule" to perform it during your next maintenance window.
Before implementing in production, it's recommended to test the certificate rotation in a non-production environment that mirrors your production setup. You can do this by choosing "Modify" for your test DB instance in the Amazon RDS console and selecting rds-ca-rsa2048-g1 in the Connectivity section.
For application connectivity during rotation, most modern RDS engines support certificate rotation without requiring a database restart. To ensure smooth operation, applications should be configured to properly handle connection failures and implement reconnection logic using the trust store or CA certificate bundle.
Sources:
[1] Rotate Your SSL/TLS Certificates Now – Amazon RDS and Amazon Aurora Expire in 2024 | AWS News Blog https://aws.amazon.com/blogs/aws/rotate-your-ssl-tls-certificates-now-amazon-rds-and-amazon-aurora-expire-in-2024/?nc1=h_ls
Thanks for the answer. My question is on the DB server certificate automatic rotation and not on the root CA. We wanted to check if the application needs to reconnect to the DB when the DB server certificate is automatically rotated by AWS, and how do we test this?
When AWS automatically rotates the DB server certificate (signed by the same root CA like rds-ca-rsa2048-g1), it happens during your DB's maintenance window, and typically involves a brief restart of the database instance or a failover in Aurora.
Here’s what happens from the application’s point of view:
- Yes, active connections may be dropped during the certificate rotation.
- Your application will need to reconnect to the database after the rotation completes.
- If connection pooling or retries are used, the impact can be minimal, but it’s important to test this.

How to test this? You can simulate the certificate rotation manually by:
1. Creating a test Aurora PostgreSQL instance.
2. Modifying it to switch from one CA to another (e.g., rds-ca-rsa2048-g1 → rds-ca-rsa4096-g1).
3. Monitoring the behavior of your app during the CA switch; this mimics what happens during server cert rotation.

This gives you insight into how your app handles dropped connections, reconnection logic, and SSL verification, so you’re prepared when the automatic rotation happens in production.
Got it! When AWS automatically rotates the DB server certificate in Aurora PostgreSQL, the underlying instance undergoes a restart or failover as part of the rotation process. As a result, active client connections will be dropped, and your application will need to reconnect to resume operations.
This is part of the normal certificate rotation behavior that AWS performs during your defined maintenance window. It's not a silent in-place change; there is a brief service disruption.
How can you test this behavior? Although you can't force AWS to trigger an automatic server certificate rotation, you can simulate the same effect by:
1. Creating a test Aurora PostgreSQL instance.
2. Modifying the instance to change the DB server CA (e.g., from rds-ca-rsa2048-g1 to rds-ca-rsa4096-g1).
3. Observing your application's behavior during this CA switch; it will trigger a restart, just like automatic certificate rotation would.

This test helps validate whether your application handles:
- Dropped connections gracefully
- Automatic reconnections or retries
- SSL certificate verification after reconnect

As long as your application is using the correct root CA in its trust store and supports reconnect logic, it should continue to work smoothly after the automatic rotation.

Source: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
- When AWS rotates the DB server certificate, it triggers a restart or failover for Aurora.
- This is not a hot-swap; connections are dropped.
- The server certificate is tied to the DB engine process. Replacing it requires a brief interruption.
You can’t manually trigger the automatic rotation of the DB server certificate in Aurora PostgreSQL. AWS handles this process automatically during the DB’s maintenance window, typically when the certificate reaches its halfway point in validity.
That said, if you want to test how your application behaves during a certificate change, you can manually switch your DB instance to a newer CA (e.g., from rds-ca-rsa2048-g1 to rds-ca-rsa4096-g1). This lets you simulate the impact ahead of the automatic rotation.
As for your application, the key is to ensure it trusts the correct Amazon RDS root certificate. Most apps just need to:
- Use sslmode=verify-full
- Reference the proper sslrootcert in the connection string
- Have the latest RDS root CA file (available from AWS)
If your app is configured this way, it should continue to work seamlessly when the server certificate is rotated by AWS.
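The two application-side points raised across the answers above (pin sslmode=verify-full with an sslrootcert instead of the default prefer, and reconnect with retries when the instance restarts or fails over during rotation) as an added example; this is not code from AWS or from any answer in the thread. The connect callable is injected so the logic runs offline against a constructed fake; with a real driver you would pass psycopg2.connect and psycopg2.OperationalError, and the CA bundle path is an assumed local path.

```python
import time

# Assumed local path of the downloaded RDS CA bundle (adjust for your deployment).
RDS_ROOT_BUNDLE = "/etc/ssl/certs/global-bundle.pem"


def build_dsn(host, dbname, user, sslrootcert=RDS_ROOT_BUNDLE):
    """Key/value DSN that pins sslmode=verify-full and a CA bundle.

    The libpq default 'prefer' falls back to plaintext and never checks the
    server certificate; verify-full checks the chain and the hostname.
    """
    return (f"host={host} dbname={dbname} user={user} "
            f"sslmode=verify-full sslrootcert={sslrootcert}")


def connect_with_retry(connect_fn, dsn, attempts=5, base_delay=0.5,
                       retry_on=ConnectionError, sleep=time.sleep):
    """Call connect_fn(dsn) until it succeeds, with exponential backoff.

    retry_on is the driver's transient error type (psycopg2.OperationalError in
    real use); other exceptions propagate immediately. Returns (conn, tries).
    """
    for n in range(1, attempts + 1):
        try:
            return connect_fn(dsn), n
        except retry_on:
            if n == attempts:
                raise  # budget exhausted: let the caller decide
            sleep(base_delay * 2 ** (n - 1))  # 0.5s, 1s, 2s, ...


class FakeConnect:
    """Constructed stand-in: fails the first `failures` attempts, then succeeds,
    mimicking a restart/failover window during certificate rotation."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = 0

    def __call__(self, dsn):
        self.calls += 1
        if self.calls <= self.failures:
            raise ConnectionError("server closed the connection unexpectedly")
        return {"dsn": dsn, "status": "connected"}


if __name__ == "__main__":
    dsn = build_dsn("mydb.cluster-example.us-east-1.rds.amazonaws.com", "app", "app_user")
    conn, tries = connect_with_retry(FakeConnect(2), dsn, sleep=lambda s: None)
    print(f"connected after {tries} tries using: {conn['dsn']}")
```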