The one frustrating thing in the CA upgrade is the fact that:
This operation reboots your DB instance. By default, this operation is scheduled to run during your next maintenance window. Alternatively, you can choose to run it immediately.
Our data is updated continuously, so we will have to stop our backend applications during this upgrade on Production.
RDS Certificate Authority upgrade
The documentation mentioned above describes three steps:
Download the new SSL/TLS certificate from Using SSL/TLS to Encrypt a Connection to a DB Instance // not in our case, as the backend does not use SSL
Update your database applications to use the new SSL/TLS certificate // not in our case, as the backend does not use SSL
Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019 // this is what we will have to do
The process itself is very simple.
First, let's do it via the AWS Console, and then we will do a rollback using the AWS CLI.
Go to AWS RDS, choose an instance, and check the certificate currently in use:
Click on Modify:
Choose the new certificate:
One more warning:
Before scheduling the CA certificate rotation, update client applications that connect to your database to use the new CA certificate. Not doing this will cause an interruption of connectivity between your applications and your database. Get new CA certificates.
Okay, not our case, but be aware of it.
Press Continue, then Apply immediately and Modify DB Instance:
And one more notification about the upcoming reboot:
Note that rotating the SSL certificate on a database instance will initiate a reboot operation so that the certificate takes effect. The reboot operation typically takes less than two minutes to complete.
After the reboot, check that the new certificate is installed:
rds-ca-2019 – great.
Rollback with AWS CLI
Now let's do a rollback, just to test it in case, for example, your backend stops working after the CA upgrade because it uses SSL for its connections.
Let's do it with the AWS CLI this time; the CA upgrade itself can be done in exactly the same way.
The rollback process is also very simple – all the same steps, just using the rds-ca-2015 certificate instead of rds-ca-2019:
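The same CA change done from the shell, as an added example that is not part of the original post: a fleet check for instances still on the old CA, and a function that switches one instance's CA (pass rds-ca-2015 for the rollback, rds-ca-2019 for the upgrade). It assumes a configured AWS CLI v2; the instance names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a configured AWS CLI v2.

# Print "instance<TAB>ca" for every line whose CA is not the target in $1.
# Input has the tab-separated shape that `aws rds describe-db-instances
# --output text` produces with the query used in list_pending below.
instances_not_on_ca() {
  target="$1"
  while IFS="$(printf '\t')" read -r id ca; do
    [ -n "$id" ] || continue
    [ "$ca" = "$target" ] || printf '%s\t%s\n' "$id" "$ca"
  done
}

# Live fleet check: which instances are not yet on the target CA?
list_pending() {
  aws rds describe-db-instances \
    --query 'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier]' \
    --output text | instances_not_on_ca "$1"
}

# Change the CA on one instance, wait for the reboot to finish and print the
# CA now in use. As the post notes, this reboots the instance, so stop the
# backend first. With rds-ca-2015 as $2 this is the rollback.
set_ca() {
  instance="$1" ca="$2"
  aws rds modify-db-instance \
    --db-instance-identifier "$instance" \
    --ca-certificate-identifier "$ca" \
    --apply-immediately >/dev/null
  aws rds wait db-instance-available --db-instance-identifier "$instance"
  aws rds describe-db-instances --db-instance-identifier "$instance" \
    --query 'DBInstances[0].CACertificateIdentifier' --output text
}

# Usage (placeholder instance name): list_pending rds-ca-2019; set_ca db-prod rds-ca-2015
```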