4
votes

MySQL Databases

We use MySQL RDS databases. Our web applications use a connection string with the "CertificateFile=" option, which is currently set to the 2015 certificate file, and also the "SSL Mode=Required;" option.

We changed the Test database using the instructions in the AWS console to use the 2019 certificate. We committed the change straight away (as this is just the Test database). We were expecting the connections from the Web Applications to fail at this point, but they still work with the older 2015 certificate file.

Additional Info

  • It looks like both the 2015 and 2019 certificates work with a server on the 2019 certificate.
  • It looks like both the 2015 and 2019 certificates work with a server on the 2015 certificate.

So my guess is that until March 2020 (when the 2015 certificate expires), the connections are backwards compatible, i.e. the 2015 certificate works until it expires, irrespective of the server certificate.

Is this a correct assumption?


2 Answers

5
votes

In short, yes.

Certificates are backwards compatible if you want to say it like that.

In 2020 the 2015 certificate will not be functional anymore as it is expired (this is a security procedure for AWS; this has nothing to do with the application). The 2015 certificate should work with every application until the 5th of February.

I heavily recommend swapping to the new CA certificate whenever you have time; this should not cause any problems, and eventually you have to make the swap anyway. If you do decide to stick to the 2015 CA certificate, set yourself a reminder to swap before the 5th of February.

1
votes

Yes!!
Amazon RDS generates an SSL/TLS certificate for each DB instance.
The current version of the CA expires on March 5, 2020.
We are strongly recommended to make the change before February 5, 2020, which you already did.
So cheers!!! Nothing to worry about.
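
Whether a client's CA file is actually used to validate the server certificate can be checked offline. The script below is an added example, not part of the question or the answers: it generates two throwaway CAs as constructed stand-ins for the 2015 and 2019 CAs, issues a server certificate from the 2019 one, and runs `openssl verify` against each CA bundle. The names `ca2015`, `ca2019`, `db.test.example` and the helper functions are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Constructed stand-ins: ca2015 / ca2019 are throwaway CAs generated here,
# not the real RDS CA files. Requires the openssl command-line tool.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {  # $1 = CA name; writes $WORK/$1.key and $WORK/$1.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=constructed-$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_server_cert() {  # $1 = name of the CA that signs the server certificate
  openssl req -newkey rsa:2048 -nodes -subj "/CN=db.test.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -days 30 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
}

# Returns 0 only if the server certificate chains to a CA in the bundle,
# which is the check a CA-validating client performs during the handshake.
trusts_server() {  # $1 = path to CA bundle (PEM)
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

make_ca ca2015
make_ca ca2019
issue_server_cert ca2019   # the server has been rotated to the 2019 CA

# A combined bundle holds both CAs, so it validates old and new servers.
cat "$WORK/ca2015.pem" "$WORK/ca2019.pem" > "$WORK/combined.pem"

for bundle in ca2015 ca2019 combined; do
  if trusts_server "$WORK/$bundle.pem"; then
    result=accepted
  else
    result=rejected
  fi
  echo "client trusting $bundle: server certificate $result"
done
```

When the two CAs are distinct roots, as constructed here, a client that validates the chain with only the old CA in its bundle rejects a certificate issued by the new one. A combined bundle is accepted against servers on either CA, so it can be deployed to clients before the server certificate is rotated.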