Yes, RDS will automatically update the instance certificate on or around the half life.
Amazon RDS provides the following CAs to sign the server certificate for a DB instance [1]:
- rds-ca-2019
- rds-ca-rsa2048-g1
- rds-ca-rsa4096-g1
- rds-ca-ecc384-g1
The Amazon RDS Certificate Authority certificate rds-ca-2019 is set to expire in August 2024.
When you use the rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1 CA with a DB instance, RDS manages the server certificate on the DB instance. RDS rotates it automatically before it expires. These CA certificates are included in the regional and global certificate bundle [1].
rds-ca-2019 is the CA that will expire soon. For RDS instances that are using it, if you don't update them to another CA, it will expire on 2024-08-22. For rds-ca-2019 you have to upgrade it manually if you use TLS/SSL connections; it won't be upgraded automatically by AWS.
If yes, which one will be used by default? Will it cause an RDS instance reboot? - Whether a reboot happens depends on the engine version, and you can set the default CA. By default it will reboot the RDS instance.
To know if a reboot will happen, the SupportedCACertificateIdentifiers parameter can be checked in the output of the aws rds describe-db-engine-versions command.
To know more about expiry, you can run the CLI command: aws rds describe-certificates
aws rds describe-certificates
{
    "Certificates": [
        {
            "CertificateIdentifier": "rds-ca-ecc384-g1",
            "CertificateType": "CA",
            "ValidFrom": "2021-05-19T17:50:59+00:00",
            "ValidTill": "2121-05-19T18:50:59+00:00",
            "CertificateArn": "arn:aws:rds:ap-south-1::cert:rds-ca-ecc384-g1",
            "CustomerOverride": false
        },
        {
            "CertificateIdentifier": "rds-ca-rsa4096-g1",
            "CertificateType": "CA",
            "ValidFrom": "2021-05-19T17:45:20+00:00",
            "ValidTill": "2121-05-19T18:45:20+00:00",
            "CertificateArn": "arn:aws:rds:ap-south-1::cert:rds-ca-rsa4096-g1",
            "CustomerOverride": false
        },
        {
            "CertificateIdentifier": "rds-ca-rsa2048-g1",
            "CertificateType": "CA",
            "ValidFrom": "2021-05-19T17:40:34+00:00",
            "ValidTill": "2061-05-19T18:40:34+00:00",
            "CertificateArn": "arn:aws:rds:ap-south-1::cert:rds-ca-rsa2048-g1",
            "CustomerOverride": false
        },
        {
            "CertificateIdentifier": "rds-ca-2019",
            "CertificateType": "CA",
            "ValidFrom": "2019-09-04T17:13:04+00:00",
            "ValidTill": "2024-08-22T17:08:50+00:00",
            "CertificateArn": "arn:aws:rds:ap-south-1::cert:rds-ca-2019",
            "CustomerOverride": false
        }
    ]
}
rds-ca-rsa2048-g1 : "ValidFrom": "2021-05-19T17:40:34+00:00", "ValidTill": "2061-05-19T18:40:34+00:00"
You can refer to the documentation here [1] for guidance on how to use SSL/TLS to encrypt a connection and to ensure that your client is configured correctly. To encrypt connections from a client computer to an Amazon RDS DB instance running Microsoft SQL Server, you need a certificate on your client computer. To obtain that certificate, download the certificate to your client computer. You can download a root certificate that works for all regions. You can also download a certificate bundle that contains both the old and new root certificate. In addition, you can download region-specific intermediate certificates [2]. The certificate bundle for either all regions or specific AWS regions can be found here [1].
I hope you will find this information useful. If you have any further inputs or concerns you may raise a case with AWS support as well.
References:
[1] Using SSL/TLS to encrypt a connection to a DB instance - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
[2] Using SSL with a Microsoft SQL Server DB instance - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Concepts.General.SSL.Using.html#SQLServer.Concepts.General.SSL.Client
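The answer above says to read expiry dates out of aws rds describe-certificates and then decide, per instance, whether RDS rotates the certificate for you (the g1 CAs) or whether you must update the CA yourself (rds-ca-2019). The following is an added example, not code from the answer or from AWS, that turns that check into a small offline inventory script: it joins the CA validity dates from describe-certificates with the CACertificateIdentifier field of describe-db-instances and flags every instance whose CA is expired or expiring within a warning window. Both JSON inputs are constructed samples embedded inline (the certificate dates are the ones quoted in the answer; the instance names are invented); in practice you would feed it the real CLI output.

```python
import json
from datetime import datetime, timedelta

# CAs for which RDS manages the DB server certificate and rotates it
# automatically before it expires (per the RDS SSL/TLS documentation).
AUTO_ROTATED_CAS = {"rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1", "rds-ca-ecc384-g1"}

# Constructed sample of `aws rds describe-certificates` output, using the
# identifiers and validity dates quoted in the answer above.
DESCRIBE_CERTIFICATES = """{
  "Certificates": [
    {"CertificateIdentifier": "rds-ca-ecc384-g1", "CertificateType": "CA",
     "ValidFrom": "2021-05-19T17:50:59+00:00", "ValidTill": "2121-05-19T18:50:59+00:00"},
    {"CertificateIdentifier": "rds-ca-rsa4096-g1", "CertificateType": "CA",
     "ValidFrom": "2021-05-19T17:45:20+00:00", "ValidTill": "2121-05-19T18:45:20+00:00"},
    {"CertificateIdentifier": "rds-ca-rsa2048-g1", "CertificateType": "CA",
     "ValidFrom": "2021-05-19T17:40:34+00:00", "ValidTill": "2061-05-19T18:40:34+00:00"},
    {"CertificateIdentifier": "rds-ca-2019", "CertificateType": "CA",
     "ValidFrom": "2019-09-04T17:13:04+00:00", "ValidTill": "2024-08-22T17:08:50+00:00"}
  ]
}"""

# Constructed sample of the two `aws rds describe-db-instances` fields this
# check needs. The instance identifiers are invented.
DESCRIBE_DB_INSTANCES = """{
  "DBInstances": [
    {"DBInstanceIdentifier": "example-sqlserver", "CACertificateIdentifier": "rds-ca-2019"},
    {"DBInstanceIdentifier": "example-postgres", "CACertificateIdentifier": "rds-ca-rsa2048-g1"}
  ]
}"""


def _as_datetime(value):
    """Accept an aware datetime or an ISO-8601 string such as the CLI emits."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def ca_expiry_report(certs_json, instances_json, now, warn_days=90):
    """Return one dict per DB instance describing the state of its CA.

    status is "expired", "expiring" (ValidTill within warn_days of now),
    "ok", or "unknown-ca" when the instance names a CA that
    describe-certificates did not return.
    """
    now = _as_datetime(now)
    valid_till_by_ca = {
        c["CertificateIdentifier"]: datetime.fromisoformat(c["ValidTill"])
        for c in json.loads(certs_json)["Certificates"]
    }
    report = []
    for inst in json.loads(instances_json)["DBInstances"]:
        ca = inst["CACertificateIdentifier"]
        valid_till = valid_till_by_ca.get(ca)
        if valid_till is None:
            status = "unknown-ca"
        elif valid_till <= now:
            status = "expired"
        elif valid_till - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        auto_rotated = ca in AUTO_ROTATED_CAS
        if status in ("expired", "expiring") and not auto_rotated:
            # rds-ca-2019 is not rotated by AWS: the operator must move the
            # instance to another CA (aws rds modify-db-instance
            # --ca-certificate-identifier ...), which may reboot it.
            action = "manual CA update required"
        elif auto_rotated:
            action = "none: RDS rotates the server certificate automatically"
        else:
            action = "none"
        report.append({
            "instance": inst["DBInstanceIdentifier"],
            "ca": ca,
            "ca_valid_till": valid_till.isoformat() if valid_till else None,
            "status": status,
            "auto_rotated": auto_rotated,
            "action": action,
        })
    return report


def instances_needing_manual_update(certs_json, instances_json, now, warn_days=90):
    """Identifiers of instances whose CA expires soon and is not auto-rotated."""
    return [r["instance"] for r in ca_expiry_report(certs_json, instances_json, now, warn_days)
            if r["action"] == "manual CA update required"]


if __name__ == "__main__":
    # Evaluate the sample inventory as of 1 June 2024 (constructed date).
    for row in ca_expiry_report(DESCRIBE_CERTIFICATES, DESCRIBE_DB_INSTANCES,
                                "2024-06-01T00:00:00+00:00"):
        print(row)
```

Note that this only evaluates the CA's own validity period. The one-year "DB instance certificate expiration date" shown in the console is the server certificate issued under that CA, which is what RDS rotates for the g1 CAs; this script tells you which instances still depend on a CA that will not be rotated for you.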
I had this same question. If you use "rds-ca-rsa2048-g1", then AWS does automatically rotate the certificate before it expires. This statement is buried in this document: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
When you use the rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1 CA with a database, RDS manages the server certificate on the database. RDS rotates it automatically before it expires.
My primary point of confusion was the statement in the certificate description that says it "supports" automatic rotation. "Supports" is vague and implies that it could be something that has to be enabled/disabled or otherwise managed by an AWS administrator, but apparently as the statement above makes clear, "RDS rotates it automatically before it expires."
Unfortunately this does not answer my core question. Let's say I just successfully updated the CA on my RDS to rds-ca-rsa2048-g1 and rebooted the RDS. The RDS console now shows the new CA is active/valid and the "DB instance certificate expiration date" is exactly one year from today. Does this mean that in one year, the certificate will be rotated out by the CA automatically and replaced with another certificate that also expires in a year? I don't see anything in the Amazon documentation that describes this automatic rotation process and confirms the annual rotation of certificates.