Steps for Databases (25) requiring certificate update to "rds-ca-rsa2048-g1"


Hi re:Post, We have a set of PostgreSQL instances that require their certificates to be updated. In looking at the update via the console process, it seems pretty straightforward, but I wanted to contact re:Post and double-check/verify.

q1) We need to / it is recommended that we switch from using "rds-ca-2019" to "rds-ca-rsa2048-g1".
[ ] Is "rds-ca-rsa2048-g1" recommended for the Ohio region / us-east-2? In selecting "Schedule Update" we see the following screen, which recommends "rds-ca-rsa2048-g1" and states that the DB does not require a restart.

q2) So if we click "Schedule" and the update for the certificate runs during the scheduled maintenance window on June 30th, is there anything else we need to do in order to have our CA SSL accept new connections via the update to "rds-ca-rsa2048-g1"?
Or are we done? Thank you for your time and help! Best Regards, Donald

DC, asked 15 days ago, 716 views
1 Answer
Accepted Answer

Hello,

Yes. Before applying the new certificate to your DB instances, update the trust store of any clients and applications that use SSL/TLS and the server certificate for connections.

To check whether the application is using an SSL connection, please see this documentation: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-postgresql.html#ssl-certificate-rotation-postgresql.determining-server

You can download the TLS/SSL certificates from the following link: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions

Reference:

https://aws.amazon.com/blogs/aws/rotate-your-ssl-tls-certificates-now-amazon-rds-and-amazon-aurora-expire-in-2024/

EXPERT, answered 15 days ago
EXPERT, reviewed 15 days ago
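The ordering the answer insists on (client trust store first, server certificate second) can be demonstrated locally. The following script is an added example, not code from the re:Post thread or from AWS: it assumes the `openssl` CLI is installed and uses two self-signed CAs constructed on the spot as stand-ins for rds-ca-2019 and rds-ca-rsa2048-g1, then checks a server certificate issued by the new CA against a stale trust store and against a refreshed bundle.

```shell
#!/bin/sh
# Added example: simulate the RDS CA rotation with openssl. Every certificate
# below is constructed locally; "old-ca" stands in for rds-ca-2019 and "new-ca"
# for rds-ca-rsa2048-g1. Nothing here talks to a real RDS endpoint.
set -eu
WORK=$(mktemp -d)

# Create a self-signed CA: $1 = file prefix, $2 = subject CN (constructed names).
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a server certificate for a hypothetical DB endpoint, signed by CA $1.
mk_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/server.pem" 2>/dev/null
}

# Return 0 when the server cert chains to a CA in trust store $1, non-zero otherwise.
# This is the same check a client does with sslmode=verify-full / sslrootcert.
verify_against() {
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

mk_ca old-ca "old-ca-stand-in-for-rds-ca-2019"
mk_ca new-ca "new-ca-stand-in-for-rds-ca-rsa2048-g1"
mk_server_cert new-ca   # the server has been rotated to the new CA

# Client whose trust store was never refreshed: only the old CA is present.
cp "$WORK/old-ca.pem" "$WORK/stale-store.pem"
# Client that imported the downloaded bundle: old and new CA together,
# mirroring what global-bundle.pem provides.
cat "$WORK/old-ca.pem" "$WORK/new-ca.pem" > "$WORK/updated-store.pem"

if verify_against "$WORK/stale-store.pem"; then
  echo "stale store: unexpectedly trusted the new server cert"
else
  echo "stale store: verification FAILS (this is the outage to avoid)"
fi
if verify_against "$WORK/updated-store.pem"; then
  echo "updated store: verification OK"
fi
```

Against a real instance the equivalent end-to-end check is a connection with `sslmode=verify-full` and `sslrootcert` pointing at the downloaded bundle; if that succeeds before the scheduled window, the rotation itself needs no further client changes.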
  • Hi Sivaraman, thank you for your quick reply and help. Regarding "update the trust store of any clients and applications that use SSL/TLS and the server certificate for connections": besides the RDS instances, we have our application running on hundreds of Apple iPhones. How would we get the downloaded "global-bundle.pem" to those devices? Thank you for your time and help! Best Regards, Donald

  • Are you sure your iPhones have DIRECT access to the database? That would be very unusual for an application. Plus rds-ca-2019 is unlikely to be on your iPhones anyway.

  • Right, of course Gary. Yeah, the iPhones would not have direct access to the DBs. I'm new to the dev shop in my company and glad I asked here vs. in a meeting! Thanks! Donald