Rotate Your TLS-SSL Certificate on RDS-Aurora Before February

Amazon provides CA certificate for connecting to RDS instance using SSL/TLS. This certificate gets rotated frequently as part of ongoing maintenance and best practices. The current RDS/Aurora certificate expires on March 05, 2020.

 
You must follow the steps below before the current certificate expires. The recommended date is February 05, 2020 for the certificate rotation. If these steps are not performed by then, RDS will automatically rotate CA certificate after this date, but you still need to restart RDS instances/Aurora cluster to use this new certificate.

Source material for this guide can be found here. If you are a database administrator on AWS, cloud/application/security architect you’ll want to follow the steps outlined below.

Prerequisites:

Search your code repository and connection string to validate which client pem version is being used.

Possible Client CA certificates include:

•          rds-ca-2015-root.pem
•          rds-ca-2019-root.pem
•          rds-combined-ca-bundle.pem

 
Search your code repo using *.pem. If you find client pem, make sure that client pem version is compatible with server version.

If rds-combined-ca-bundle.pem is used, you can avoid or reduce outage when compared to using specific root cert or intermediate cert. The certificate bundle contains certificates for both the old and new CA, so you can upgrade your application safely and maintain connectivity during the transition period. If you are using any other intermediate certificates, it is strongly recommended that you upgrade your client certificates to rds-combined-ca-bundle.pem.

Step 1: Validate current version of CA certificate authority

Validate “Certificate authority version” for given individual instance using AWS CLI or AWS console.

Node with rds-ca-2015 (using CLI method):

aws rds describe-db-instances –db-instance-identifier  <instance_name> | grep CACertificateIdentifier

“CACertificateIdentifier”: “rds-ca-2015”,

Node with rds-ca-2019 (using CLI method):

aws rds describe-db-instances –db-instance-identifier  <instance_name> | grep CACertificateIdentifier

“CACertificateIdentifier”: “rds-ca-2019”,

If current version of CA certificate is rds-ca-2015 version, it must be upgraded to rds-ca-2019 version before March 05, 2020.

Step 2: SSL/TLS rotation in reader instances

RDS Instance will reboot as part of TLS/SSL cert rotation. Perform cert upgrade in reader instance first. If your cluster is with multiple reader nodes, take one reader node at time using below steps:

In the navigation pane, choose Databases, and then choose the DB instance that you want to modify.

Choose Modify. The Modify DB Instance page appears. In the Network & Security section, choose rds-ca-2019.

Choose Continue and check the summary of modifications. To apply the changes immediately, choose Apply immediately. Choosing this option causes an outage/reboot of this specific instance. Click on modify db instance.

It takes around one minute on average for RDS instance to reboot. Watch for reader traffic and other statistics on this reader instance using various monitoring tools you normally use. Wait for traffic to be fully balanced between all reader instances. Follow the same steps for all reader instances.

Validate “Certificate authority version” for given individual instance using AWS CLI or AWS console. It should show rds-ca-2019 version.

aws rds describe-db-instances –db-instance-identifier  <instance_name> | grep CACertificateIdentifier

“CACertificateIdentifier”: “rds-ca-2019”,

Step 3: Perform failover and select new writer

Once all readers are upgraded with rds-ca-2019, perform cluster failover. to perform failover, go to action choose Failover.

This will choose a new writer instance and the old writer instance will become reader.

Watch for writer traffic and other statistics on the new writer instance using various monitoring tools you normally use.

Step 4: SSL/TLS rotation in last reader instance

Follow steps described in step 2 to perform SSL/TLS rotation and perform validation.

Final Thoughts

I’d encourage you to test the steps listed here in a development or staging environment before taking them on your production environments.  Even if you are not using SSL/TLS at application layer, it is mandatory to rotate the certificate to newer version.

Aurora/RDS will lose connectivity beginning March 05, 2020 if you don’t complete your certificate rotation by this time. If you are looking for strategically rotating your SSL/TLS certificates and avoiding outages on your RDS or Aurora clusters, contact us. As an AWS Partner, we can help you meet this deadline for your bulk RDS instances and Aurora clusters in tactical fashion.