What else do I need to do, in order to change DB CAs?

0

We just got a notification that the CA (rds-ca-2019) for our DB instances (all MySQL Community instances) expires next August. I followed the instructions for switching to rds-ca-rsa2048-g1, and as soon as I selected that from the list of available CAs, I immediately got:

Before scheduling the CA certificate rotation, update client applications that connect to your database to use the new CA certificate. Not doing this will cause an interruption of connectivity between your applications and your database.

This message scares me in ways the initial CA EOL announcement does not. So what else do we need to do, in order for this to work properly, without shutting us down?

Primary access to the database is from a Beanstalk application. In addition, a very few highly trusted users (myself included) have direct access to the database, via Sequel Pro, on a secured connection.

1 Answer
1

Hello.

Are you using SSL communication to connect to RDS from your application?
No special action is required if you are not using it.

If you are using SSL communication, you will need to update the certificate used by Elastic Beanstalk.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-mysql.html

EXPERT
answered 8 months ago
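
One way to settle the answer's first question (whether clients connect over SSL/TLS) from the database side, added here as an example and not part of the original answer. It assumes MySQL 5.7 or later with the Performance Schema enabled on the instance and an account allowed to read it.

```sql
-- Added example: summarize current client sessions by transport.
-- CONNECTION_TYPE is 'SSL/TLS' for encrypted sessions and 'TCP/IP'
-- for unencrypted ones.
-- Assumption: performance_schema is ON; if it is OFF the table is empty.
SELECT t.PROCESSLIST_USER AS user,
       t.PROCESSLIST_HOST AS host,
       t.CONNECTION_TYPE  AS connection_type,
       COUNT(*)           AS sessions
FROM performance_schema.threads AS t
WHERE t.TYPE = 'FOREGROUND'
  AND t.PROCESSLIST_ID IS NOT NULL
GROUP BY t.PROCESSLIST_USER, t.PROCESSLIST_HOST, t.CONNECTION_TYPE
ORDER BY connection_type, user, host;

-- Run from a single client (for example the Sequel Pro session) to see
-- whether that one connection is encrypted. An empty Value means no TLS.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Run the first query while the Beanstalk application is under normal load so its connections appear. Rows showing `SSL/TLS` identify the clients whose CA bundle should be checked for the new certificate before the rotation is scheduled.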
