Changing the SSL or TLS Certificate

This guide will help users update their certificate if on premise so that CAM and AWS can communicate with the source.

The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA signs the DB server certificate, which is installed on each DB instance.

Amazon RDS Certificate Authority certificates rds-ca-2019 are set to expire in August, 2024. If you use or plan to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) with certificate verification to connect to your RDS DB instances, consider using one of the new CA certificates rds-ca-rsa2048-g1, rds-ca-rsa4096-g1 or rds-ca-ecc384-g1. If you currently do not use SSL/TLS with certificate verification, you might still have an expired CA certificate and must update them to a new CA certificate if you plan to use SSL/TLS with certificate verification to connect to your RDS databases.

Change the Certificate in Certificate Authority as such.

Open

The following list includes a brief description for each certificate:

These CA certificates are included in the regional and global certificate bundle. When you use the rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1 CA with a database, RDS manages the DB server certificate on the database. RDS rotates the DB server certificate automatically before it expires. A good general guideline is to use rds-ca-rsa2048-g1, which offers the same security as rds-ca-2019. The main difference between the CAs is the private key algorithm and lesser so, the signing algorithm.

The available CAs will depend on the DB engine and DB engine version. If you need stronger security, you can also use rds-ca-rsa4096-g1 or rds-ca-ecc384-g1 as they use stronger algorithms. However, keep in mind that not all clients or systems may support the more complex RSA 4096 or ECC 384 algorithms.