Problem during update to new SSL/TLS certificates "rds-ca-2019"


As many of us we received a notification from AWS to "Update Your Amazon RDS SSL/TLS Certificates by October 31, 2019".
I did that on several of my Aurora MySQL Databases. The update works fine. The Problem is, after the update it appears a new "pending maintenance" of type "ca-certificate-rotation" with a apply date in the year 2024.
If I make an "upgrade now" of the database, the "pending maintenance" gets executed and the SSL/TLS certificates are switched back to "rds-ca-2015".
Is this intentional?
Will this "pending maintenance" stay there until 2024 if I never do an "upgrade now"?

asked 3 years ago96 views
3 Answers
Accepted Answer

Hi THeyer, thanks for your post. This is not intentional and has been fixed. Please let us know if you're still experiencing issues.

answered 3 years ago

Hi AWS Team,

I also have a question about how to implement the Amazon RDS SSL/TLS Certificates updates in my Aurora database instance. In the notifications that Amazon sent today it states the following steps in order to implement the change:
Amazon Aws Instruction
1.Download the new SSL/TLS certificate from Using SSL/TLS to Encrypt a Connection to a DB Instance.
2.Update your database applications to use the new SSL/TLS certificate.
3.Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.

Since I am using an Amazon Aws Aurora 5.6 database, I would like to know if in my case I have only to implement step 3. I mean in order to take effect the change I do not have to follow step 1 and step 2?

Many thanks for your help.



answered 3 years ago


you alwyas have to follow all 3 steps. I you only do step 3 you can't connect to your database anymore with SSL, because your client has an old certificate.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions