3
votes

Recently I got a message/notification from Amazon

Update your Amazon RDS SSL/TLS certificates before March 5, 2020

To avoid interruption of your applications using RDS and Aurora databases, update the Certificate Authority (CA) certificates for these databases before March 5, 2020. We strongly recommend making your updates before February 5, 2020, to leave time for deployments, testing, and validation. New databases created after January 14, 2020, will default to using the new CA certificates. Make sure that you update your client applications with the new certificates first. Find the new CA certificates and info: RDS Aurora.

We have a few DB instances in RDS & we connect to them via our client/PHP application without SSL. So, here is my question: do we still need to update the Amazon RDS SSL/TLS certificate? If we do so, do we still need to update our client application to use SSL?


2 Answers

6
votes

we connect them via our client/php application without SSL

So, here is my question: do we still need to update the Amazon RDS SSL/TLS certificate?

No, you don't need to update the SSL/TLS certificate on your RDS instance, although Amazon will do it for you automatically eventually.

If we do so, do we still need to update our client application to use SSL?

No. If you didn't have to install the previous SSL certificate in your client application, then why would you need to install the new version in your client application?

0
votes

Important details follow:

If your applications do not connect using SSL/TLS, you don't need to restart your database. In this case, between February 5 and March 5, 2020, RDS will stage new certificates on your database hosts without restarting your databases, to avoid interruption to your applications. As a result, the new certificates won't go into effect until your next database restart. If you aren't sure whether your applications connect using SSL/TLS, please review the documentation below to verify whether your applications connect using SSL/TLS:

For RDS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

For Amazon Aurora: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html
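One way to check whether any client is actually connecting over SSL/TLS, as an added example that is not part of the answers above. It assumes the instances run MySQL 5.7 or later (the question does not name the engine) and that the querying user can read `performance_schema` and see other users' sessions.

```sql
-- Added example. Assumption: MySQL 5.7+ / 8.0 engine on the RDS instance.

-- 1. Current client sessions grouped by account, client host and transport.
--    connection_type is 'SSL/TLS' for encrypted sessions and 'TCP/IP' for
--    plaintext TCP sessions. Background server threads have no
--    processlist_id and are filtered out.
SELECT processlist_user  AS db_user,
       processlist_host  AS client_host,
       connection_type,
       COUNT(*)          AS sessions
FROM performance_schema.threads
WHERE processlist_id IS NOT NULL
GROUP BY processlist_user, processlist_host, connection_type
ORDER BY processlist_user, processlist_host;

-- 2. Run from inside the application's own connection: an empty Value
--    means this session is not encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

The first query only sees sessions open at the moment it runs, so repeat it while the application and any batch jobs are active before concluding that nothing connects with SSL/TLS.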