Update of expired RDS SSL certificate

0

I was notified of the requirement to update my RDS certificates by August 22, 2024. Checking my RDS instance, I note that it has expired in the past. I receive an info message "Your database has lost SSL/TLS connectivity. Modify your database immediately to restore secure connection." This is a production database that has been working properly for clients since the expiry. I am connecting via Python with psycopg2. Is there a best practices method to proceed? Will I potentially compromise access to the database by doing a certificate update? Thanks!

1 Answer
1
Accepted Answer

Hello.

> This is a production database that has been working properly for clients since the expiry.

I think that the fact that it is working normally even after the certificate has expired means that the application is not using the SSL certificate to connect to RDS.
By the way, if the certificate used by RDS is "rds-ca-2019", it will expire on August 22, 2024.
You can update the RDS certificate by following the steps in the document below.
Please note that updating the SSL certificate may require a restart depending on the database engine version.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

To determine whether a restart will occur, execute the command below and check the value of "SupportsCertificateRotationWithoutRestart" included in the response.

aws rds describe-db-engine-versions --engine mysql --engine-version <version-number>

> Will I potentially compromise access to the database by doing a certificate update?

Establishing an SSL connection has the advantage of protecting your instance from spoofing attacks.
I think whether or not to use an SSL connection depends on the security requirements of your application.

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
  • Greatly appreciated. Very clear - Thank-you!
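Whether a certificate update can affect a psycopg2 client depends on the libpq `sslmode` its connection string resolves to. The following is an added example, not part of the original question or answer: it classifies a connection string by libpq's documented `sslmode` behaviour, and the host names, file paths and result labels in it are constructed for illustration.

```python
import os
from urllib.parse import urlsplit, parse_qs

# libpq sslmode values under which the client validates the server certificate.
VERIFYING = {"verify-ca", "verify-full"}


def ssl_params(dsn, environ=None):
    """Return (sslmode, sslrootcert) for a keyword=value DSN or postgresql:// URI.

    Simplified parser: quoted values that contain spaces are not handled.
    """
    environ = os.environ if environ is None else environ
    if dsn.startswith(("postgresql://", "postgres://")):
        params = {k: v[-1] for k, v in parse_qs(urlsplit(dsn).query).items()}
    else:
        params = dict(tok.split("=", 1) for tok in dsn.split() if "=" in tok)
    # libpq falls back to PGSSLMODE / PGSSLROOTCERT, then to sslmode=prefer.
    mode = params.get("sslmode") or environ.get("PGSSLMODE") or "prefer"
    rootcert = params.get("sslrootcert") or environ.get("PGSSLROOTCERT")
    return mode, rootcert


def rotation_impact(dsn, environ=None):
    """Classify how a client is affected when the server certificate's CA changes."""
    mode, rootcert = ssl_params(dsn, environ)
    # With a root CA file present, libpq treats sslmode=require like verify-ca.
    # (A file at ~/.postgresql/root.crt has the same effect; not checked here.)
    if mode in VERIFYING or (mode == "require" and rootcert):
        return "verifies"      # certificate is checked against the trust bundle
    if mode == "disable":
        return "plaintext"     # no TLS at all
    return "unverified"        # allow/prefer/require: never checks the certificate


if __name__ == "__main__":
    # Constructed sample connection strings.
    samples = [
        "host=db.example.internal dbname=app user=svc",
        "host=db.example.internal dbname=app sslmode=verify-full "
        "sslrootcert=/etc/ssl/rds/global-bundle.pem",
        "postgresql://svc@db.example.internal/app?sslmode=require",
    ]
    for dsn in samples:
        print(rotation_impact(dsn, {}), "<-", dsn)
```

A client classified as "verifies" needs the new CA in its trust bundle before the instance certificate is changed; the other two classes never check the certificate, so a CA change does not affect them.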
