By using AWS re:Post, you agree to the Terms of Use

govCloud RDS cert update

0

The current govCloud RDS use certificate rds-ca-2017, which is expiring soon. When I goes to modify database, I do not see rds-ca-2019, but rds-ca-rsa2048-g1 and rds-ca-rsa4096-g1. Should we use these two instead? When would they expired? and where do I download the cert for my application? Do I download the certificate bundle from the govCloud? Thanks.

asked 5 months ago123 views
1 Answer
0

According to the AWS GovCloud (US) User's Guide or the RDS service:

Since the AWS GovCloud (US) Regions use a unique certificate authority (CA), update your DB instances for the AWS GovCloud (US) Regions to use the Region-specific certificate identified by rds-ca-rsa4096-g1 in DescribeCertificates calls as soon as possible. The remaining instructions described in the Rotating your SSL/TLS certificate topic are the same, except for the certificate identifier.

Running the following command:

 aws rds describe-certificates --region us-gov-east-1

Produces:

{
    "Certificates": [
        {
            "CertificateIdentifier": "rds-ca-2017",
            "CertificateType": "CA",
            "Thumbprint": "12fef37925cf5758c3c2d32b4dfca31e74a5dde4",
            "ValidFrom": "2018-07-28T00:52:33+00:00",
            "ValidTill": "2022-06-01T12:00:00+00:00",
            "CertificateArn": "arn:aws-us-gov:rds:us-gov-east-1::cert:rds-ca-2017",
            "CustomerOverride": false
        },
        {
            "CertificateIdentifier": "rds-ca-rsa2048-g1",
            "CertificateType": "CA",
            "Thumbprint": "f8fdfb895f10acb081e6003666c9ec20771f589f",
            "ValidFrom": "2022-04-20T19:21:26+00:00",
            "ValidTill": "2027-04-20T20:21:26+00:00",
            "CertificateArn": "arn:aws-us-gov:rds:us-gov-east-1::cert:rds-ca-rsa2048-g1",
            "CustomerOverride": false
        },
        {
            "CertificateIdentifier": "rds-ca-rsa4096-g1",
            "CertificateType": "CA",
            "Thumbprint": "beb497e3471c0f7b230cba284179c54bdc6add97",
            "ValidFrom": "2022-01-03T20:42:15+00:00",
            "ValidTill": "2027-01-03T21:42:15+00:00",
            "CertificateArn": "arn:aws-us-gov:rds:us-gov-east-1::cert:rds-ca-rsa4096-g1",
            "CustomerOverride": false
        }
    ]
}

Links for downloading the CA bundles can be found here: Using SSL/TLS to encrypt a connection to a DB instance.

profile picture
EXPERT
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions