Amazon RDS TLS certificate change for MySQL DB servers

My organization has received a notification from AWS indicating that we need to update our TLS certificates for our RDS instances by.... well, next August.

I've looked over the documentation in the email, and have downloaded a region certificate bundle for us-east-1, but I have some questions.

  1. The certificate bundle (which is named us-east-1-bundle.pem) has five certificates in it. Am I supposed to extract each certificate into a separate PEM file, rename them, and put them in the trust store (which is presumably /etc/ssl/certs on the client server), and if so, what do I rename them to and how do I know which cert is which to properly name them?

  2. If it stays as five certs in one PEM file, do I just leave the name as us-east-1-bundle.pem and put it in the trust store (again, assuming that is /etc/ssl/certs on the client server)?

  3. Is there a specific way that it must be put in the trust store, or is just using PuTTY acceptable?

Thank you

asked a year ago, 820 views
1 Answer
So it sounds like you're currently running the rds-ca-2019 CA on your MySQL RDS instances.

If you are using this CA and want to keep the same standard, AWS recommends that you switch to the rds-ca-rsa2048-g1 CA.

You may find your Linux instance already supports this CA, but you would have to confirm that. Note: the CA is only used for encrypted communication and sometimes identification between client and server.

Following this link, there is a sample Linux script you can use to import the bundle into the trust store on your Linux servers. You can modify the script to download only the regional bundle if you wish: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

#!/bin/sh
# Working directory for the downloaded bundle and the resulting Java trust store
mydir=tmp/certs
if [ ! -e "${mydir}" ]
then
  mkdir -p "${mydir}"
fi

truststore=${mydir}/rds-truststore.jks
storepassword=changeit

# Download the global bundle (swap in the regional bundle URL if you only need one region)
curl -sS "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" > "${mydir}/global-bundle.pem"
# Split the bundle into one file per certificate (rds-ca-.pem, rds-ca-1.pem, ...) in the current directory
awk 'split_after == 1 {n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1}{print > "rds-ca-" n ".pem"}' < "${mydir}/global-bundle.pem"

# Import each certificate into the trust store, using its subject CN as the alias
for CERT in rds-ca-*; do
  alias=$(openssl x509 -noout -text -in "$CERT" | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
  echo "Importing $alias"
  keytool -import -file "${CERT}" -alias "${alias}" -storepass "${storepassword}" -keystore "${truststore}" -noprompt
  rm "$CERT"
done

rm "${mydir}/global-bundle.pem"

echo "Trust store content is: "

# List every alias in the trust store together with the end of its validity period
keytool -list -v -keystore "$truststore" -storepass "${storepassword}" | grep Alias | cut -d " " -f3- | while read -r alias
do
   expiry=$(keytool -list -v -keystore "$truststore" -storepass "${storepassword}" -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')
   echo " Certificate ${alias} expires in '$expiry'"
done
EXPERT
answered a year ago
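The question asks how to split the five-certificate bundle into individually named PEM files and how to tell which certificate is which; the answer's script does this for a Java keystore. The following is an added example, not from the original question, answer or the AWS documentation, that splits a bundle into one file per certificate named after the certificate's subject CN (which is how the RDS CA certificates identify themselves) and checks that each piece parses. It assumes only openssl, awk and sed are installed; the function name split_bundle and the output layout are the example's own choices.

```shell
#!/bin/sh
# Added example: split a multi-certificate PEM bundle into one file per certificate,
# named after each certificate's subject CN, and verify that every piece parses.
# Assumes openssl, awk and sed are available. split_bundle and the file layout are
# this example's own conventions, not anything from AWS.
set -eu

# split_bundle BUNDLE OUTDIR
# Writes OUTDIR/<sanitised CN>.pem for every certificate in BUNDLE and prints
# "<file> notAfter=<date>" for each one so the caller can see what it got.
split_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"

    # Pass 1: copy each BEGIN..END CERTIFICATE block into its own numbered file.
    # Anything outside those markers (comments, blank lines) is dropped.
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/part-%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"

    # Pass 2: rename each part after its subject CN and confirm it is a valid certificate.
    for part in "$outdir"/part-*.pem; do
        [ -e "$part" ] || continue
        # RFC 2253 output puts the CN first, e.g. "subject=CN=Amazon RDS ...,OU=...,O=..."
        cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$part" \
             | sed -n 's/.*CN=\([^,]*\).*/\1/p')
        [ -n "$cn" ] || { echo "no CN found in $part" >&2; return 1; }
        # Keep only characters that are safe in a file name; spaces become underscores.
        safe=$(printf '%s' "$cn" | tr -c 'A-Za-z0-9._-' '_')
        target="$outdir/$safe.pem"
        mv "$part" "$target"
        # openssl x509 fails if the file is not a well-formed certificate.
        enddate=$(openssl x509 -noout -enddate -in "$target")
        echo "$target $enddate"
    done
}

# Usage: split_bundle.sh us-east-1-bundle.pem ./rds-certs
if [ "$#" -eq 2 ]; then
    split_bundle "$1" "$2"
fi
```

Splitting is only needed for trust stores that want one certificate per file (the per-file layout under /etc/ssl/certs, or the keytool import in the answer). A client that takes a CA file directly, such as the MySQL client's --ssl-ca option, can be pointed at the whole bundle unchanged.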
