Update Your Amazon RDS and Amazon Aurora SSL/TLS Certificates by August 22, 2024

I received a long and complicated email message with the above title. I don't understand any of it.

I am not a security expert. I went in to the AWS console and created an RDS database. I got the URL to connect to it and put that into my application, and that's it. I did not create any certificates or import any special certificates into my application. I did not try to assign my own certificate to the RDS instance.

I chose RDS because I wanted to simplify database setup and maintenance.

Does this stuff about certificates apply to me? Do I really need to take some action or will Amazon just upgrade my database as needed?

My client is a Java web application using a current MySQL JDBC connector. Is this a problem?

My Java web application is hosted under Tomcat on an EC2 instance. Is this a problem, assuming I keep my EC2 instance up to date with Linux patches?

Where exactly are the certificates in question? Are they provided by Linux, by Java, by Tomcat, by the JDBC driver, or something else? If there is a certificate that I'm responsible for I certainly did not install it myself or even know it was there.

Frank
asked 7 months ago, 1258 views
1 Answer

If it's the same email that I got then the important bit is:

  1. Now through August 22, 2024 - you can update your client trust store at any time, then you can update your instance's server certificate to one generated by one of the new CAs.

The steps to do this are here https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html#UsingWithRDS.SSL-certificate-rotation-updating

Note that it requires a restart of the RDS instance, which obviously implies a short outage window.

The other important bit of the email is that you have ten months to do this:

  1. Starting August 22, 2024 - the 2019 CA will expire. You will need to take action before August 22, 2024 to prevent connectivity failures to your existing database instances.
Steve_M (EXPERT), answered 7 months ago; reviewed by an AWS EXPERT 7 months ago
  • What is a 'client trust store' and where is it? Is it something I manage? I do not remember setting up anything like this.

  • What is my "instance's server certificate"? I don't know what that means or where it is. I do not remember setting up a certificate.

  • I do not remember setting up a certificate

    Your database was automatically created with the - at the time - current certificate. These aren't indefinite, and this one expires in August next year.

    The purpose of the certificate is so that when your client makes a connection to the database, the database proves its identity by presenting this cert to the client. The client checks that the Certificate Authority (CA) which signed the cert is in its trusted CA bundle.

    assuming I keep my EC2 instance up to date with Linux patches

    Yes, that will keep the bundle updated with the latest trusted CAs.

    It's worth mentioning that if you are not using a secure connection (only you will know if this applies to your use case) then a certificate is never presented in the first place, so strictly speaking you wouldn't need to do anything. Although the email from AWS does caution against this:

    Even if you do not currently use SSL for your connections, you could still be affected if your database's server certificate expires, so we still recommend updating your CA.

    The process for doing this is in the link in the answer above.
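For the Java/JDBC setup described in the question, the concrete check is whether the driver verifies the server certificate at all and, if so, against which trust store. The following is an added example, not code from this thread or from AWS. It assumes MySQL Connector/J 8.0 (the `sslMode` and `trustCertificateKeyStore*` connection properties); the endpoint, schema, user, environment variable names and trust store path are placeholders. The trust store is assumed to be a PKCS12 file built with `keytool` from the RDS CA bundle linked from the AWS rotation page in the answer above: the RDS CAs are AWS-private, so they are not in the JDK's default `cacerts`, and importing them is what "update client trust store" in the email refers to.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Added example: connect to an RDS for MySQL endpoint with server-certificate
 * verification forced on, then print the TLS details the server reports.
 * Endpoint, credential and trust-store values are placeholders.
 */
public class RdsTlsCheck {

    // Placeholders: replace with your own endpoint, schema and credentials.
    static final String HOST = "mydb.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com";
    static final String SCHEMA = "mydb";
    static final String USER = "app_user";
    // Placeholder path: a PKCS12 trust store built with keytool from the RDS CA
    // bundle. Without it the JDK's default cacerts would be consulted, and the
    // RDS CAs are not in there.
    static final String TRUSTSTORE = "file:/etc/myapp/rds-truststore.p12";

    public static void main(String[] args) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", USER);
        props.setProperty("password", System.getenv("DB_PASSWORD"));

        // VERIFY_CA makes the driver reject a server certificate whose signing CA
        // is not in the trust store; VERIFY_IDENTITY additionally checks the
        // hostname. The driver default, PREFERRED, encrypts but verifies nothing.
        props.setProperty("sslMode", "VERIFY_CA");
        props.setProperty("trustCertificateKeyStoreUrl", TRUSTSTORE);
        props.setProperty("trustCertificateKeyStoreType", "PKCS12");
        props.setProperty("trustCertificateKeyStorePassword",
                System.getenv("TRUSTSTORE_PASSWORD"));

        String url = "jdbc:mysql://" + HOST + ":3306/" + SCHEMA;
        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement()) {
            // Reaching this point means the handshake succeeded: the CA that signed
            // the instance's current server certificate is in the trust store.
            System.out.println("TLS handshake OK: server certificate chain is trusted");
            // Ssl_server_not_after is the expiry of the certificate the server
            // presented; compare it with the August 22, 2024 date in the email.
            for (String name : new String[] {
                    "Ssl_version", "Ssl_cipher",
                    "Ssl_server_not_before", "Ssl_server_not_after"}) {
                System.out.println(name + " = " + status(st, name));
            }
        } catch (SQLException e) {
            // A failed handshake surfaces here (for example "unable to find valid
            // certification path"). This is the connectivity failure the email
            // warns about; the fix is to add the new RDS CA to the trust store
            // before the instance is switched to a certificate from that CA.
            System.err.println("Connection failed: " + e.getMessage());
            throw e;
        }
    }

    /** Reads one server status variable. The names passed in are the
     *  compile-time constants above, never user input. */
    static String status(Statement st, String name) throws SQLException {
        try (ResultSet rs = st.executeQuery("SHOW STATUS LIKE '" + name + "'")) {
            return rs.next() ? rs.getString("Value") : "<not reported>";
        }
    }
}
```

Connector/J's default `sslMode` is `PREFERRED`, which encrypts the session when the server offers TLS but does not validate the certificate; that is how an application that never configured a certificate can still be negotiating TLS with a certificate it never checks. With `VERIFY_CA` a server certificate signed by a CA that is missing from the trust store fails the handshake, which is why the answer gives the steps in that order: add the new CA to the client trust store first, then switch the instance to the new CA and restart it.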
