I want to update my SSL/TLS certificates for Amazon Relational Database Service (Amazon RDS) and Amazon Aurora databases to encrypt communications between connections.
Resolution
Identify the current SSL/TLS certificate
Complete the following steps:
- Open the Aurora and RDS console.
- In the navigation pane, choose Databases, and then select your Amazon RDS or Aurora database.
- Under Connectivity & security, review the Security section for the certificate authority (CA) that the database uses.
Note: For the list of CAs that you can use with Amazon RDS and Aurora databases, see Certificate authorities.
Update the SSL/TLS certificate
Complete the following steps:
- Open the Aurora and RDS console.
- In the navigation pane, choose Databases, and then select your Amazon RDS or Aurora database.
- Choose Modify.
- Under Connectivity, choose Certificate authority.
- Under Certificate authority, choose Continue, and then review the modifications.
- For database engines that support certificate rotation without a reboot, choose Apply immediately.
Note: If you don't choose Apply immediately, the changes apply during the next maintenance window.
For database engines that require a reboot, under Scheduling of modifications, choose Apply during the next scheduled maintenance window.
- Choose Modify DB instance.
Enforce SSL/TLS connections
To enforce SSL/TLS connections for Amazon RDS and Aurora MySQL-Compatible Edition, complete the following steps:
- Create a custom parameter group or use an existing parameter group for your database instance.
Or, create a custom cluster parameter group or use an existing cluster parameter group for your database cluster.
- In the custom parameter group, set the require_secure_transport parameter to ON. This parameter is dynamic and takes effect immediately without a reboot.
After you turn on the require_secure_transport parameter, every connection to the database instance or cluster must use SSL/TLS with the RDS CA certificate bundle. For more information, see Download certificate bundles for Amazon RDS.
For information about how to update applications for SSL/TLS certificates, see the following AWS Documentation:
Note: When you use the preferred SSL mode and the CA certificate doesn't exist or isn't up to date, the client falls back to an unencrypted connection. It isn't a best practice to use preferred mode.
If you can't establish an encrypted connection, then you might get the following error message:
"MySQL Error 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON."
To resolve this issue, run the following command:
mysql -h yourEndpoint -P 3306 -u yourUserName -pYourPassword --ssl-ca=full_path_to_CA_certificate
Note: Replace the example values with your values.
Update application trust stores
After you rotate the certificate on the database instance, you must update the trust stores with the new CA.
Note: The steps to update the trust stores can vary depending on the certificate.
On the Aurora and RDS console, the SSL/TLS certificate shows a Certificate authority date and a DB instance certificate expiration date. The Certificate authority date is the expiration date of the root CA. The DB instance certificate expiration date is the expiration date of the server certificate on the instance. RDS automatically rotates the DB server certificate and uses the same root CA for the rotation, so you don't need to download a new CA bundle for that rotation.
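The identify and update steps above can be scripted for a fleet. The following is an added example, not code from the AWS article: it audits a DescribeDBInstances-style response for instances that are still on an old CA or whose DB instance certificate expiration date is near, and builds the boto3 modify_db_instance arguments that mirror the Apply immediately versus maintenance-window choice. The sample response, instance names, dates and the target CA identifier are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

TARGET_CA = "rds-ca-rsa2048-g1"  # assumed target CA identifier for this example

# Constructed sample shaped like the RDS DescribeDBInstances API response.
# Instance names and dates are made up; "rds-ca-2019" stands in for an older CA.
SAMPLE_RESPONSE = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "CACertificateIdentifier": "rds-ca-2019",
     "CertificateDetails": {"CAIdentifier": "rds-ca-2019", "ValidTill": datetime(2024, 8, 22, tzinfo=timezone.utc)}},
    {"DBInstanceIdentifier": "reports-prod", "CACertificateIdentifier": TARGET_CA,
     "CertificateDetails": {"CAIdentifier": TARGET_CA, "ValidTill": datetime(2061, 5, 20, tzinfo=timezone.utc)}},
    {"DBInstanceIdentifier": "cache-prod", "CACertificateIdentifier": TARGET_CA,
     "CertificateDetails": {"CAIdentifier": TARGET_CA, "ValidTill": datetime.now(timezone.utc) + timedelta(days=30)}},
    {"DBInstanceIdentifier": "legacy-db"},  # no CertificateDetails reported at all
]}


def instances_needing_rotation(response, target_ca, now=None, warn_days=90):
    """Return {instance_id: reason} for instances that are not on target_ca or whose
    DB instance certificate expires within warn_days. An instance that reports no
    CertificateDetails is flagged for manual review rather than silently skipped."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for db in response.get("DBInstances", []):
        ident = db["DBInstanceIdentifier"]
        details = db.get("CertificateDetails")
        if details is None:
            findings[ident] = "no certificate details; review in the console"
        elif db.get("CACertificateIdentifier") != target_ca:
            findings[ident] = f"uses {db.get('CACertificateIdentifier')}, target is {target_ca}"
        elif details["ValidTill"] - now <= timedelta(days=warn_days):
            findings[ident] = f"DB instance certificate expires {details['ValidTill']:%Y-%m-%d}"
    return findings


def rotation_request(instance_id, target_ca, rotates_without_restart):
    """Build the keyword arguments for boto3's rds.modify_db_instance. ApplyImmediately is
    set only when the engine version reports SupportsCertificateRotationWithoutRestart;
    otherwise the CA change waits for the next maintenance window, as in the console."""
    return {"DBInstanceIdentifier": instance_id,
            "CACertificateIdentifier": target_ca,
            "ApplyImmediately": bool(rotates_without_restart)}


if __name__ == "__main__":
    for ident, reason in instances_needing_rotation(SAMPLE_RESPONSE, TARGET_CA).items():
        print(f"{ident}: {reason}")
```

With real data, pass the dictionary returned by boto3's rds.describe_db_instances (or its paginator) in place of SAMPLE_RESPONSE, and feed each rotation_request result to rds.modify_db_instance after confirming the engine's rotation behaviour.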
Related information
Encrypting Amazon RDS resources
Update the CA certificate version for your Amazon Lightsail database
Using SSL/TLS with an Amazon RDS for Db2 DB instance