Update your RDS SSL certificates

Have you recently logged into your AWS console and seen this message in RDS?

Screenshot of AWS console alert

The RDS team at AWS are replacing the root certificate that protects all encrypted connections to the RDS databases and clusters. The expiry date for the old root certificate is 5th March 2020 and therefore AWS ask you to apply these updates to your RDS instances before that date.

Do I need to care?

Yes. Your application needs to trust the connection to the database and that chain of trust expires on 5th March 2020. If your application is using SSL to communicate with the database and you take no action, there is a high risk of disruption and downtime to your application and database from Thursday 5th March.

How do I know if I’m using SSL?

You can check if your database is using an SSL connection to communicate with the database by running a simple SQL query. The procedure varies according to the database; here are the steps for MySQL 5.7 or above:

1. Log into your RDS MySQL database. If the application connecting to the RDS is running on an EC2 instance you can use the mysql client to connect to RDS:

mysql --host=<your-db-instance-name>.<your-region>.rds.amazonaws.com --port=3306 --user=<your-username> --password

Enter the password and you are greeted with the mysql prompt.

2. Check that the performance schema is enabled:

SHOW VARIABLES LIKE 'performance_schema';

If that’s the case you should see the following result:

+--------------------+-------+  
| Variable_name      | Value |  
+--------------------+-------+  
| performance_schema | ON    |  
+--------------------+-------+  
1 row in set (0.00 sec)

If the value is set to OFF the performance schema is not enabled and you need to enable it by setting the performance_schema parameter to 1 in RDS instance parameter group (see here for more info on parameter groups in RDS). Note that the performance schema is not enabled by default on RDS MySQL and changing the parameter group requires a reboot of the RDS instance.

3. Run this SQL query to show the current connections to the database:

SELECT id, user, host, connection_type   
       FROM performance_schema.threads pst   
       INNER JOIN information_schema.processlist isp   
       ON pst.processlist_id = isp.id;

Your output may be similar to this:

+----+-----------------+------------------+-----------------+  
| id | user            | host             | connection_type |  
+----+-----------------+------------------+-----------------+  
|  8 | admin           | 10.0.4.249:42590 | SSL/TLS         |  
|  4 | event_scheduler | localhost        | NULL            |  
| 10 | webapp1         | 159.28.1.1:42189 | **SSL/TLS**         |  
+----+-----------------+------------------+-----------------+  
3 rows in set (0.00 sec)

The connection type column shows if the connection to the database is done via SSL/TLS. If so, you must update the SSL certificates on the RDS before 5th March 2020. AWS’ recommended deadline is 28th February to make sure you have enough time to test that everything is working fine.

If you are using another database, check out the instructions for Maria DB, Microsoft SQL Server, Oracle, Postgres, Aurora MySQL, and Aurora Postgres.

If your database is not using SSL, I strongly recommend enabling it as exchanging data between an application and a database without SSL is a recipe for a security disaster. So you may want to update the SSL certificates anyway!

How do I update the RDS SSL certificate?

1. Download the latest SSL/TLS certificates from here or via the command line:

wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem

2. Update the client-side trust store for your application in order to use the new certificate (the links for each database in the previous section show a few examples for Java applications). The new certificate bundle contains certificates for both the old and new Certificate Authority.

3. Use the file downloaded in step 1 to apply the change of the certificate authority via the RDS console or via the command line with one of these two commands.

To apply the change during the next database maintenance window:

aws rds modify-db-instance --db-instance-identifier <db_instance_identifier> --ca-certificate-identifier rds-ca-2019

To apply the change immediately:

aws rds modify-db-instance --db-instance-identifier <db_instance_identifier> --ca-certificate-identifier rds-ca-2019 --apply-immediately

Note that the RDS instance is rebooted when the change takes place.

I need help!

If you need some additional guidance or want to make sure you applied the right changes, The Scale Factory is here to help. Feel free to drop us a line and find out more how we can help you with AWS.

Reference

Amazon RDS customers: Update your SSL/TLS certificates by March 5, 2020