AWS: RDS Certificate Authority SSL certificate upgrade

11/22/2019

We started receiving emails from AWS with notifications to update RDS Certificate Authority certificates.

It’s time to do it, so let’s start with our Dev environment and then repeat on Staging and Production.

We are using common AWS RDS MariaDB instances, and the upgrade documentation is available here.

The process itself is really simple and takes just a couple of minutes (although we will see how it goes with RDS Slaves (read replicas) enabled, which we have on Staging and Production).

In our case, we are not using SSL for communication between our backend applications and RDS databases: they are in VPCs with VPC peering enabled between them, so all traffic passes over private networks. See the OpenVPN: OpenVPN Access Server set up and AWS VPC peering configuration post for an example of such a setup.

But the CA still needs to be updated anyway.

Also, take a look at the MySQL/MariaDB: настройка SSL post about MySQL SSL configuration (in Russian only).

The one frustrating thing about the CA upgrade is this:

This operation reboots your DB instance. By default, this operation is scheduled to run during your next maintenance window. Alternatively, you can choose to run it immediately.

Our data is updated continuously, so we will have to stop our backend applications during this upgrade on Production.

RDS Certificate Authority upgrade

The documentation mentioned above describes three steps:

  1. Download the new SSL/TLS certificate from Using SSL/TLS to Encrypt a Connection to a DB Instance // not in our case, as the backend does not use SSL
  2. Update your database applications to use the new SSL/TLS certificate // not in our case, as the backend does not use SSL
  3. Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019 // this is the step we will have to do

The process itself is very simple.

First, let’s do it via the AWS Console, and then we will do a rollback using the AWS CLI.

Go to AWS RDS, choose an instance, and check the certificate currently in use:

Click Modify:

Choose the new certificate:

One more warning:

Before scheduling the CA certificate rotation, update client applications that connect to your database to use the new CA certificate. Not doing this will cause an interruption of connectivity between your applications and your database. Get new CA certificates.

Okay, not our case, but be aware of it.

Press Continue, then choose Apply immediately and click Modify DB Instance:

And one more notification about the upcoming reboot:

Note that rotating the SSL certificate on a database instance will initiate a reboot operation so that the certificate takes effect. The reboot operation typically takes less than two minutes to complete.

After the reboot, check that the new certificate is installed:

rds-ca-2019 – great.

Rollback with AWS CLI

And now let’s do a rollback, just to test it for the case when, for example, your backend stops working after the CA upgrade because it uses SSL for its connections.

This time we will use the AWS CLI; the CA upgrade itself can be done the same way.

The rollback process is also very simple: all the same steps, just using the rds-ca-2015 certificate instead of rds-ca-2019:


[setevoy@setevoy-arch-work ~]  $ aws --profile bm-backend --region us-east-2 rds modify-db-instance --db-instance-identifier mobilebackend-dev-db1-master-rds --ca-certificate-identifier rds-ca-2015 --apply-immediately


Pay attention to the --apply-immediately option used here: without it the change, and the reboot that comes with it, is scheduled for the next maintenance window, which may be what you need instead.

Wait for the reboot to finish:

Check the certificate currently in use:


[setevoy@setevoy-arch-work ~]  $  aws --profile bm-backend --region us-east-2 rds describe-db-instances --db-instance-identifier mobilebackend-dev-db1-master-rds --query 'DBInstances[*].CACertificateIdentifier' --output text


rds-ca-2015 – done.
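As an added example (not from the original post), the CLI steps above folded into a small POSIX shell script: list every RDS instance in a region together with its CA, pick the ones that are not yet on the target CA, rotate a single instance either immediately or at the next maintenance window, and verify the CA after the reboot. The profile, region and instance names are assumptions taken from the commands above; only the awk filter runs without AWS access.

```shell
#!/bin/sh
# Assumed profile/region, taken from the commands in the post; override via the environment.
PROFILE="${PROFILE:-bm-backend}"
REGION="${REGION:-us-east-2}"
TARGET_CA="${TARGET_CA:-rds-ca-2019}"

# list_instance_cas: print one "<DBInstanceIdentifier><TAB><CACertificateIdentifier>" line
# per instance in the region (text output of a list-of-lists query is tab separated).
list_instance_cas() {
  aws --profile "$PROFILE" --region "$REGION" rds describe-db-instances \
    --query 'DBInstances[*].[DBInstanceIdentifier,CACertificateIdentifier]' \
    --output text
}

# needs_rotation: read "<id><TAB><ca>" lines on stdin and print the identifiers
# whose CA differs from the target given as $1 (an absent CA shows up as "None").
needs_rotation() {
  awk -v target="$1" -F '\t' '$2 != target { print $1 }'
}

# plan_rotation: dry run, lists the instances that would be modified.
plan_rotation() {
  list_instance_cas | needs_rotation "$TARGET_CA"
}

# rotate_instance <id> <ca> [now]: change the CA of one instance. "now" applies the
# change immediately (the instance reboots right away); anything else leaves it
# for the next maintenance window, as the console warning describes.
rotate_instance() {
  _id="$1"; _ca="$2"; _when="${3:-window}"
  if [ "$_when" = "now" ]; then _apply="--apply-immediately"; else _apply="--no-apply-immediately"; fi
  aws --profile "$PROFILE" --region "$REGION" rds modify-db-instance \
    --db-instance-identifier "$_id" --ca-certificate-identifier "$_ca" $_apply
}

# wait_and_verify <id>: block until the instance is available again, then print its CA.
wait_and_verify() {
  aws --profile "$PROFILE" --region "$REGION" rds wait db-instance-available \
    --db-instance-identifier "$1"
  aws --profile "$PROFILE" --region "$REGION" rds describe-db-instances \
    --db-instance-identifier "$1" \
    --query 'DBInstances[0].CACertificateIdentifier' --output text
}

# Typical use: plan_rotation; then, per instance and during an agreed downtime,
#   rotate_instance mobilebackend-dev-db1-master-rds "$TARGET_CA" now && wait_and_verify mobilebackend-dev-db1-master-rds
```

To roll back, call rotate_instance with rds-ca-2015 as the CA, exactly as the modify-db-instance command above does.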