AWS needs you (to rotate your certificates)

AWS Chief Evangelist Jeff Barr has taken to the company’s blog to remind users of Amazon’s Aurora, Relational Database Service, and DocumentDB to update their SSL/TLS certificates.

More specifically, the reminder is aimed at customers who use SSL/TLS validation when connecting to their database instances, as well as those planning to use encrypted connections in the future.

The certificate rotation is a regular part of AWS' maintenance and security protocol, but it calls for some manual steps (Aurora Serverless being the exception). To keep their setups working, users first need to download and install the new CA-2019 certificate, which is also available as a bundle together with the old one to ease the transition.

Once that is done, the client applications that use the certificates have to be updated to trust the new version, and the instances' certificate authority has to be switched to CA-2019. The latter can be done via the console or the CLI, while RDS users can also use a CloudFormation template or the ModifyDBInstance API call.

The new certificate is activated during the next instance reboot. Right now, newly created instances still automatically use the old certificate. That will, however, change on 14 January.
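To see where the steps above leave a fleet, here is an added helper (not from Barr's post or from AWS) that reads `aws rds describe-db-instances` output and tells, per instance, whether the CA has already been switched, has been switched but is waiting for the reboot that activates it, or still needs the CLI call. It assumes the RDS API identifiers `rds-ca-2019` and `rds-ca-2015` for the CA-2019 and CA-2015 certificates named in the text, and the sample JSON is constructed, not real account data.

```python
"""Inventory RDS/Aurora instances by CA and plan the CA-2019 rotation (added example)."""
import json

TARGET_CA = "rds-ca-2019"   # identifier the RDS API uses for the CA-2019 certificate
OLD_CA = "rds-ca-2015"      # identifier for the expiring CA-2015 certificate

# Constructed sample, shaped like `aws rds describe-db-instances` output (not real data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
     "CACertificateIdentifier": OLD_CA, "PendingModifiedValues": {}},
    {"DBInstanceIdentifier": "orders-replica", "Engine": "postgres",
     "CACertificateIdentifier": OLD_CA,
     "PendingModifiedValues": {"CACertificateIdentifier": TARGET_CA}},
    {"DBInstanceIdentifier": "analytics", "Engine": "aurora-mysql",
     "CACertificateIdentifier": TARGET_CA, "PendingModifiedValues": {}},
]})


def classify(instance, target=TARGET_CA):
    """Return 'done', 'pending-reboot' or 'rotate' for one describe-db-instances record."""
    current = instance.get("CACertificateIdentifier")
    pending = instance.get("PendingModifiedValues", {}).get("CACertificateIdentifier")
    if current == target:
        return "done"
    if pending == target:
        return "pending-reboot"   # CA already modified; it activates at the next reboot
    return "rotate"


def plan_rotation(describe_output, target=TARGET_CA):
    """Map each instance identifier to its rotation status."""
    instances = json.loads(describe_output)["DBInstances"]
    return {i["DBInstanceIdentifier"]: classify(i, target) for i in instances}


def modify_command(identifier, target=TARGET_CA):
    """CLI call that switches an instance's CA; the change takes effect on the next reboot."""
    return (f"aws rds modify-db-instance --db-instance-identifier {identifier} "
            f"--ca-certificate-identifier {target}")


if __name__ == "__main__":
    for name, status in plan_rotation(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{name}: {status}")
        if status == "rotate":
            print("  " + modify_command(name))
```

Run it against real output by piping `aws rds describe-db-instances` into `plan_rotation`; the client-side bundle still has to be installed before the instances are switched, or validating clients will fail to connect.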

Starting on 5 February, RDS will go on to install the new certificate on all instances that don't yet have the CA-2019 version and activate it during one of the instance restarts.

Certificates for RDS, Aurora, and DocumentDB expire after five years for security reasons, which is why the rotation has to be completed by 5 March 2020, the date on which the CA-2015 certificate expires. Applications that haven't been updated by then won't be able to connect to their database instances anymore.

Additional information, as well as a walkthrough of the certificate rotation process, can be found in Barr's blog post.