RDS Certificate Authority Automatic Rotation

With the default RDS Certificate Authority (CA) "rds-ca-2019" expiring August 22 of 2024, we recently updated some of our RDS CAs to "rds-ca-rsa2048-g1" which supports automatic certificate rotation. It just so happened that our CA updates were only a couple days ago, so the new DB instance certificate expiration dates are only a few days before the old CA expiration date of August 22, 2024. This caused some initial confusion, because at first glance it seemed like the RDS instances were still using the old certificate expiration date. Upon closer inspection, the new certificate expiration dates are exactly one year from the date of the CA changes.

I assume, but wanted to double check before we continue updating all our RDS instances, that any time we update an RDS CA to "rds-ca-rsa2048-g1", the new instance certificates are valid for one year and will be rotated automatically every year until the specified certificate authority date (which for "rds-ca-rsa2048-g1" is sometime in 2061).

3 Answers
AWS EXPERT
answered a month ago

Amazon RDS provides the following CAs to sign the server certificate for a DB instance [1]:

  • rds-ca-2019
  • rds-ca-rsa2048-g1
  • rds-ca-rsa4096-g1
  • rds-ca-ecc384-g1

Amazon RDS Certificate Authority certificates rds-ca-2019 are set to expire in August, 2024.

When you use the rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1 CA with a DB instance, RDS manages the server certificate on the DB instance. RDS rotates it automatically before it expires. These CA certificates are included in the regional and global certificate bundle [1].

rds-ca-2019 is the CA that will expire soon, on 2024-08-22. For RDS instances that use it and are not updated to another CA before then, you have to upgrade the CA manually for those that use TLS/SSL connections; rds-ca-2019 won't be upgraded automatically by AWS.

If yes, which one will be used by default? Will it cause an RDS instance reboot? - The reboot depends on the engine version, and you can set the default CA. By default it will reboot the RDS instance.

To know whether a reboot will happen, check the SupportedCACertificateIdentifiers parameter in the output of the aws rds describe-db-engine-versions command.

To see the expiry dates, you can run the CLI command aws rds describe-certificates:

    aws rds describe-certificates
    {
        "Certificates": [
            {
                "CertificateIdentifier": "rds-ca-ecc384-g1",
                "CertificateType": "CA",
                "ValidFrom": "2021-05-19T17:50:59+00:00",
                "ValidTill": "2121-05-19T18:50:59+00:00",
                "CertificateArn": "arn:aws:rds:ap-south-1::cert:rds-ca-ecc384-g1",
                "CustomerOverride": false
            },
            {
                "CertificateIdentifier": "rds-ca-rsa4096-g1",
                "CertificateType": "CA",
                "ValidFrom": "2021-05-19T17:45:20+00:00",
                "ValidTill": "2121-05-19T18:45:20+00:00",
                "CertificateArn": "arn:aws:rds:ap-south-1::cert:rds-ca-rsa4096-g1",
                "CustomerOverride": false
            },
            {
                "CertificateIdentifier": "rds-ca-rsa2048-g1",
                "CertificateType": "CA",
                "ValidFrom": "2021-05-19T17:40:34+00:00",
                "ValidTill": "2061-05-19T18:40:34+00:00",
                "CertificateArn": "arn:aws:rds:ap-south-1::cert:rds-ca-rsa2048-g1",
                "CustomerOverride": false
            },
            {
                "CertificateIdentifier": "rds-ca-2019",
                "CertificateType": "CA",
                "ValidFrom": "2019-09-04T17:13:04+00:00",
                "ValidTill": "2024-08-22T17:08:50+00:00",
                "CertificateArn": "arn:aws:rds:ap-south-1::cert:rds-ca-2019",
                "CustomerOverride": false
            }
        ]
    }

rds-ca-rsa2048-g1: "ValidFrom": "2021-05-19T17:40:34+00:00", "ValidTill": "2061-05-19T18:40:34+00:00"

You can refer to the documentation here [1] for guidance on how to use SSL/TLS to encrypt a connection and to ensure that your client is configured correctly. To encrypt connections from a client computer to an Amazon RDS DB instance running Microsoft SQL Server, you need a certificate on your client computer. To obtain that certificate, download the certificate to your client computer. You can download a root certificate that works for all regions. You can also download a certificate bundle that contains both the old and new root certificate. In addition, you can download region-specific intermediate certificates [2]. The certificate bundle for either all regions or specific AWS regions can be found here [1].

I hope you will find this information useful. If you have any further inputs or concerns you may raise a case with AWS support as well.

References:

[1] Using SSL/TLS to encrypt a connection to a DB instance - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html  
[2] Using SSL with a Microsoft SQL Server DB instance - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Concepts.General.SSL.Using.html#SQLServer.Concepts.General.SSL.Client
AWS
Vinit
answered 8 months ago
  • Unfortunately this does not answer my core question. Let's say I just successfully updated the CA on my RDS to rds-ca-rsa2048-g1 and rebooted the RDS. The RDS console now shows the new CA is active/valid and the "DB instance certificate expiration date" is exactly one year from today. Does this mean that in one year, the certificate will be rotated out by the CA automatically and replaced with another certificate that also expires in a year? I don't see anything in the Amazon documentation that describes this automatic rotation process and confirms the annual rotation of certificates.
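As an added example (not from the original post or from AWS), the following Python script applies the CLI checks discussed in the answer above offline: it joins the JSON printed by aws rds describe-certificates with the JSON printed by aws rds describe-db-instances and, for each instance, reports which CA signs its server certificate, how many days the CA and the instance certificate have left, and whether that CA is one RDS rotates automatically, so instances still on rds-ca-2019 stand out. The field names CACertificateIdentifier and CertificateDetails.ValidTill are assumed from describe-db-instances output; the sample data is constructed (the CA dates match the output quoted above).

```python
import json
import sys
from datetime import datetime, timezone

# CAs whose DB server certificates RDS rotates on its own (per the answer above).
AUTO_ROTATED = {"rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1", "rds-ca-ecc384-g1"}

def _ts(s):  # RDS timestamps are ISO-8601; tolerate a trailing "Z" on older Pythons
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def triage(certs_json, instances_json, now):
    """One dict per DB instance: CA, days left on CA and instance cert, rotation status, action."""
    ca_till = {c["CertificateIdentifier"]: _ts(c["ValidTill"])
               for c in json.loads(certs_json)["Certificates"]}
    rows = []
    for db in json.loads(instances_json)["DBInstances"]:
        ca = db["CACertificateIdentifier"]  # assumed field name (describe-db-instances)
        inst_till = _ts(db["CertificateDetails"]["ValidTill"])  # assumed field name
        ca_days = (ca_till[ca] - now).days
        inst_days = (inst_till - now).days
        auto = ca in AUTO_ROTATED
        action = ("none: RDS rotates the instance certificate before it expires" if auto
                  else f"update the CA manually within {ca_days} days (instance may reboot)")
        rows.append({"instance": db["DBInstanceIdentifier"], "ca": ca, "auto_rotated": auto,
                     "ca_days_left": ca_days, "instance_cert_days_left": inst_days,
                     "action": action})
    return rows

# Constructed sample data; CA ValidTill values match the describe-certificates output above.
SAMPLE_CERTS = json.dumps({"Certificates": [
    {"CertificateIdentifier": "rds-ca-2019", "ValidTill": "2024-08-22T17:08:50+00:00"},
    {"CertificateIdentifier": "rds-ca-rsa2048-g1", "ValidTill": "2061-05-19T18:40:34+00:00"}]})
SAMPLE_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "legacy-db", "CACertificateIdentifier": "rds-ca-2019",
     "CertificateDetails": {"CAIdentifier": "rds-ca-2019", "ValidTill": "2024-08-22T17:08:50+00:00"}},
    {"DBInstanceIdentifier": "updated-db", "CACertificateIdentifier": "rds-ca-rsa2048-g1",
     "CertificateDetails": {"CAIdentifier": "rds-ca-rsa2048-g1", "ValidTill": "2024-08-15T00:00:00+00:00"}}]})
SAMPLE_NOW = datetime(2023, 8, 18, tzinfo=timezone.utc)  # a few days after the CA change

if __name__ == "__main__":
    # Usage: python rds_cert_triage.py certs.json instances.json (no args: run the sample)
    if len(sys.argv) == 3:
        certs, insts = (open(p).read() for p in sys.argv[1:3])
        now = datetime.now(timezone.utc)
    else:
        certs, insts, now = SAMPLE_CERTS, SAMPLE_INSTANCES, SAMPLE_NOW
    for r in triage(certs, insts, now):
        print(f"{r['instance']:<12} {r['ca']:<18} CA {r['ca_days_left']:>6}d  "
              f"cert {r['instance_cert_days_left']:>4}d  {r['action']}")
```

With the sample, updated-db shows a one-year instance certificate under a CA valid until 2061, while legacy-db shows both the CA and the instance certificate ending on the same day in August 2024.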


I had this same question. If you use "rds-ca-rsa2048-g1", then AWS does automatically rotate the certificate before it expires. This statement is buried in this document: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

When you use the rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1 CA with a database, RDS manages the server certificate on the database. RDS rotates it automatically before it expires.

My primary point of confusion was the statement in the certificate description that says it "supports" automatic rotation. "Supports" is vague and implies that it could be something that has to be enabled/disabled or otherwise managed by an AWS administrator, but apparently as the statement above makes clear, "RDS rotates it automatically before it expires."

Mike
answered 8 months ago
